
Commit ed35148

Merge pull request #286853 from dknappettmsft/davidbel-sso-fixes
AVD remote session lock tweaks
2 parents d0d3590 + c47031b commit ed35148


2 files changed

+11
-17
lines changed


articles/virtual-desktop/configure-session-lock-behavior.md

Lines changed: 7 additions & 11 deletions
Original file line number / Diff line number / Diff line change
@@ -4,12 +4,12 @@ description: Learn how to configure session lock behavior for Azure Virtual Desk
44
ms.topic: how-to
55
author: dknappettmsft
66
ms.author: daknappe
7-
ms.date: 09/02/2024
7+
ms.date: 09/17/2024
88
---
99

1010
# Configure the session lock behavior for Azure Virtual Desktop
1111

12-
You can choose whether the session is disconnected or the remote lock screen shown when a remote session is locked, either by the user or by policy. When the session lock behavior is set to disconnect, a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they're ready to connect again.
12+
You can choose whether the session is disconnected or the remote lock screen is shown when a remote session is locked, either by the user or by policy. When the session lock behavior is set to disconnect, a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they're ready to connect again.
1313

1414
When used with single sign-on using Microsoft Entra ID, disconnecting the session provides the following benefits:
1515

@@ -23,7 +23,7 @@ When used with single sign-on using Microsoft Entra ID, disconnecting the sessio
2323

2424
- You can require multifactor authentication to return to the session and prevent users from unlocking with a simple username and password.
2525

26-
For scenarios that rely on legacy authentication, including NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols, users are prompted to re-enter their credentials.
26+
For scenarios that rely on legacy authentication, including NTLM, CredSSP, RDSTLS, TLS, and RDP basic authentication protocols, users are prompted to re-enter their credentials when they reconnect or start a new connection.
2727

2828
The default session lock behavior is different depending on whether you're using single sign-on with Microsoft Entra ID or legacy authentication. The following table shows the default configuration for each scenario:
2929

@@ -128,9 +128,9 @@ To configure the session lock experience using Intune:
128128

129129
To configure the session lock experience using Group Policy, follow these steps.
130130

131-
1. The Group Policy settings are only available the operating systems listed in [Prerequisites](#prerequisites). To make them available on other versions of Windows Server, you need to copy the administrative template files `C:\Windows\PolicyDefinitions\terminalserver.admx` and `C:\Windows\PolicyDefinitions\en-US\terminalserver.adml` from a session host to the same location on your domain controllers or the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store), depending on your environment. In the file path for `terminalserver.adml` replace `en-US` with the appropriate language code if you're using a different language.
131+
1. The Group Policy settings are only available on the operating systems listed in [Prerequisites](#prerequisites). To make them available on other versions of Windows Server, you need to copy the administrative template files `C:\Windows\PolicyDefinitions\terminalserver.admx` and `C:\Windows\PolicyDefinitions\en-US\terminalserver.adml` from a session host to the same location on your domain controllers or the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store), depending on your environment. In the file path for `terminalserver.adml` replace `en-US` with the appropriate language code if you're using a different language.
132132

133-
1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.
133+
1. Open the **Group Policy Management** console on the device you use to manage the Active Directory domain.
134134

135135
1. Create or edit a policy that targets the computers providing a remote session you want to configure.
136136

@@ -154,9 +154,9 @@ To configure the session lock experience using Group Policy, follow these steps.
154154

155155
1. Double-click **Disconnect remote session on lock for legacy authentication** to open it.
156156

157-
- To disconnect the remote session when the session locks, select **Enabled** or **Not configured**.
157+
- To disconnect the remote session when the session locks, select **Enabled**.
158158

159-
- To show the remote lock screen when the session locks, select **Disabled**.
159+
- To show the remote lock screen when the session locks, select **Disabled** or **Not configured**.
160160

161161
1. Select **OK**.
162162

@@ -169,7 +169,3 @@ To configure the session lock experience using Group Policy, follow these steps.
169169
## Related content
170170

171171
- Learn how to [Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID](configure-single-sign-on.md).
172-
173-
- Check out [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication) to learn how to enable passwordless authentication.
174-
175-
- For more information about Microsoft Entra Kerberos, see [Deep dive: How Microsoft Entra Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889)
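Review bot: lines 172 through 175 remove the links to in-session passwordless authentication and to the Microsoft Entra Kerberos deep dive without a replacement. The passwordless link is directly relevant to this page, which lists requiring multifactor authentication on return to the session as a benefit of disconnecting (line 24); consider keeping it, or noting in the PR why it was dropped (for example if the anchor `#in-session-passwordless-authentication` no longer exists). Removing the Entra Kerberos deep-dive link is reasonable if that background is now reached from configure-single-sign-on.md, which remains linked at line 171.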

articles/virtual-desktop/configure-single-sign-on.md

Lines changed: 4 additions & 6 deletions
Original file line number / Diff line number / Diff line change
@@ -4,7 +4,7 @@ description: Learn how to configure single sign-on for an Azure Virtual Desktop
44
ms.topic: how-to
55
author: dknappettmsft
66
ms.author: daknappe
7-
ms.date: 09/02/2024
7+
ms.date: 09/17/2024
88
---
99

1010
# Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID
@@ -17,7 +17,7 @@ To enable single sign-on using Microsoft Entra ID authentication, there are five
1717

1818
1. Enable Microsoft Entra authentication for Remote Desktop Protocol (RDP).
1919

20-
1. Configure the target device groups.
20+
1. Hide the consent prompt dialog.
2121

2222
1. Create a *Kerberos Server object*, if Active Directory Domain Services is part of your environment. More information on the criteria is included in its section.
2323

@@ -31,9 +31,9 @@ Before you enable single sign-on, review the following information for using it
3131

3232
### Session lock behavior
3333

34-
When single sign-on using Microsoft Entra ID is enabled and the remote session is locked, either by the user or by policy, you can choose whether the session is disconnected or the remote lock screen shown. The default behavior is to disconnect the session when it locks.
34+
When single sign-on using Microsoft Entra ID is enabled and the remote session is locked, either by the user or by policy, you can choose whether the session is disconnected or the remote lock screen is shown. The default behavior is to disconnect the session when it locks.
3535

36-
When the session lock behavior is set to disconnect, and a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they're ready to connect again. This behavior is done for security reasons and to ensure full support of passwordless authentication. Disconnecting the session provides the following benefits:
36+
When the session lock behavior is set to disconnect, a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they're ready to connect again. This behavior is done for security reasons and to ensure full support of passwordless authentication. Disconnecting the session provides the following benefits:
3737

3838
- Consistent sign-in experience through Microsoft Entra ID when needed.
3939

@@ -89,8 +89,6 @@ Before you can enable single sign-on, you must meet the following prerequisites:
8989

9090
- [Android client](users/connect-android-chrome-os.md), version 10.0.16 or later.
9191

92-
- To configure allowing Active Directory domain administrator account to connect when single sign-on is enabled, you need an account that is a member of the **Domain Admins** security group.
93-
9492
## Enable Microsoft Entra authentication for RDP
9593

9694
You must first allow Microsoft Entra authentication for Windows in your Microsoft Entra tenant, which enables issuing RDP access tokens allowing users to sign in to your Azure Virtual Desktop session hosts. You set the `isRemoteDesktopProtocolEnabled` property to true on the service principal's `remoteDesktopSecurityConfiguration` object for the following Microsoft Entra applications:
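Review bot: lines 92 and 93 remove the Domain Admins prerequisite for allowing an Active Directory domain administrator account to connect when single sign-on is enabled. If the procedure that requires that group membership is still in the document (it is not in this diff), the prerequisite should stay, because readers without it will fail partway through with an access error; if the procedure was moved or removed, the PR description should say where, since the commit message ("AVD remote session lock tweaks") doesn't account for a prerequisite change in the single sign-on page.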
