SSO for AVD

  1. Changing SSO will change the Resource in Conditional Access from Windows 365 \ Windows Virtual Desktop to Windows Cloud Login so make sure you exclude or include this new resource where available
  2. Change the Session Lock Behaviour Configure the session lock behavior for Azure Virtual Desktop | Azure Docs as this start to disconnect users when you enable SSO
  3. Add AVD users the right RBAC Role
    When using Entra Joined Azure Virtual Desktop Sessionhosts, you will need to assign a RBAC role to the user group which will login to the sessionhosts. The RBAC role of Virtual Machine User Login, located at the resource group which holds the sessionhost virtual machines. In this post: Azure | Deploy Azure Virtual Desktop – GetToTheCloud I explained that the user group that needs to access the Azure Virtual Desktop require the Virtual Machine User Login RBAC role.

If Hybrid – Passwordless security key sign-in to on-premises resources – Microsoft Entra ID | Microsoft Learn

# Specify the on-premises Active Directory domain. A new Microsoft Entra ID
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN

# Enter a UPN of a Hybrid Identity Administrator
$userPrincipalName = "[email protected]"

# Create the new Microsoft Entra ID Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Microsoft Entra ID.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

Script

<#
.SYNOPSIS
Enable AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
 
.DESCRIPTION
This PowerShell script is used to enable AVD Single Sign-On (SSO) configuration in
Microsoft Entra ID Tenant.
It uses the Microsoft Graph Module to interact with the Microsoft Entra ID Tenant.
 
The script will enable the following:
- Microsoft Remote Desktop
- Windows Cloud Login
 
The script will output the following:
- Service Principal Name
- Remote Desktop Protocol Enabled
- Target Device Groups
 
The script starts by defining the required variables for the Microsoft Entra ID Group.
 
Then the script begins by importing the necessary modules: Microsoft.Graph.Authentication and Microsoft.Graph.Applications.
These modules provide the cmdlets that the script uses to interact with the Microsoft Graph API.
 
Next, the script defines the required scopes for the Microsoft Graph API.
These scopes are permissions that the script needs to perform its operations.
The Connect-MgGraph command is then used to connect to the Microsoft Graph API with these scopes.
 
The script then defines a list of application names. These are the names of the applications that the script will
configure SSO settings for. The script creates an empty ArrayList to store the service principals for these applications.
 
The script then loops over the application names. For each application name, it uses the Get-MgServicePrincipal command
to get the service principal for the application. The service principal is an identity that is used by a service or
application to log in and access resources. The service principal is then added to the ArrayList.
 
Next, the script loops over the service principals in the ArrayList. For each service principal, it gets the ID and outputs
the display name. It then checks if the Remote Desktop Protocol is enabled for the service principal. If it is not, it uses
the Update-MgServicePrincipalRemoteDesktopSecurityConfiguration command to enable it.
 
The script then creates a new TargetDeviceGroup object and sets its ID and display name.
It uses the New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup command to create a new
target device group for the service principal.
 
Finally, the script validates the changes by getting the current remote desktop security configuration and the
target device groups for the service principal. It outputs the status of the Remote Desktop Protocol and the display names
of the target device groups.
 
.NOTES
Author: Stefan Beckmann
Date: January 09, 2024
https://www.beckmann.ch/blog/2023/11/29/sso-for-azure-virtual-desktop-with-ad-users/?lang=en
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on#create-a-kerberos-server-object
Version: 1.0
 
.LINK
GitHub Repository: https://github.com/alphasteff
 
.EXAMPLE
.\Enable-AvdSSO.ps1
 
#>
 
# Define the target device group, values need to be added
$groupName = 'AVD Devices'
$groupId = '3a32d3ce-edfe-43d7-b6ff-75afaf10f165'
 
### DO NOT MODIFY BELOW THIS LINE ###
 
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
 
$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)
 
Connect-MgGraph -Scopes $RequiredScopes
 
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)
 
$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq `'$applicationId`'"
    $null = $applicationList.Add($sp)
}
 
ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)
 
    If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId) -ne $true) {
        $null = Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -IsRemoteDesktopProtocolEnabled
    }
 
    $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
    $tdg.Id = $groupId
    $tdg.DisplayName = $groupName
 
    $null = New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -BodyParameter $tdg
 
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId
 
    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.isRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}

Enable

AVD SSO Sign in Loop

Recently, while implementing single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID authentication, our team encountered an unexpected hurdle: an authentication loop. In this post, I’ll share our experience and the solution we found.

Further investigation revealed that the issue stemmed from Active Directory user accounts being direct or indirect members of certain protected Active Directory groups.

These groups include:

  • Account Operators
  • Administrator
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Krbtgt
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

These groups are protected for security reasons, and membership in them can interfere with certain authentication processes, leading to issues like the authentication loop we encountered.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Powered by WordPress | Made with ❤ by Themely