,

Azure Virtual Desktop Sign-in without access to ADFS

Azure Virtual Desktop supports Azure AD Join and the option to enable Single Sign-On, when starting a remote session to a desktop or application. This would usually require access to ADFS when your users domain is federated with ADFS.

But did you know this works without AVD having access to ADFS?

Azure Virtual Desktop without AD FS connectivity

The Case

AVD is installed in a separate segment in Azure, or for some reason didn’t have an open route to ADFS. Which was also indicated when browsing to IdpInitiatedSignon.aspx (https://adfsurl/adfs/ls/idpinitiatedsignon.aspx) and receive a page not found error. While other networks, including inbound from the Internet will have successful response from ADFS/IdpInitiatedSignon.

But still we could sign-in to our AVD environment using Azure AD Credentials, and this seemed quite mind boggling to me, how could we authenticate a federated user into AVD without ADFS?

Explanation

When you access the webclient (https://client.wvd.microsoft.com/arm/webclient) or using the Remote Desktop App for AVD/W365 we authenticate with modern authentication and store an access token locally. The webclient stores the tokens in your browsers cache, and the application has its own cache to store the token.

And here lays the explanation to how AVD can sign-in without access to ADFS. It doesn’t need to authenticate with ADFS, when it can use your locally cached access token and authenticate to Azure AD. AVD will then receive new tokens, available for Edge to SSO into Microsoft 365 and other services.

It is quite clever, but still require us to enable SSO in the AVD Host Pools RDP Properties by adding ‘enablerdsaadauth:i:1’ to the Advanced tab.

RDP Properties for SSO

Leave a Reply

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts