Azure Virtual Desktop supports Azure AD Join and the option to enable Single Sign-On when starting a remote session to a desktop or application. This would usually require access to ADFS when your users' domain is federated with ADFS.
But did you know this works without AVD having access to ADFS?
In our case AVD was installed in a separate network segment in Azure and, for whatever reason, had no open route to ADFS. This was confirmed by browsing to IdpInitiatedSignon.aspx (https://adfsurl/adfs/ls/idpinitiatedsignon.aspx) from a session host and receiving a "page not found" error, while other networks, including inbound from the Internet, got a successful response from ADFS/IdpInitiatedSignon.
Still, we could sign in to our AVD environment using Azure AD credentials. This seemed quite mind-boggling to me: how could we authenticate a federated user into AVD without ADFS?
When you access the web client (https://client.wvd.microsoft.com/arm/webclient) or use the Remote Desktop app for AVD/W365, you authenticate with modern authentication and an access token is stored locally. The web client stores the tokens in your browser's cache, and the app has its own token cache.
And here lies the explanation of how AVD can sign in without access to ADFS. It doesn't need to authenticate with ADFS when it can use your locally cached access token to authenticate to Azure AD. AVD then receives new tokens, which Edge can use to SSO into Microsoft 365 and other services.
It is quite clever, but it still requires us to enable SSO in the host pool's RDP Properties by adding 'enablerdsaadauth:i:1' on the Advanced tab.
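The same setting can be audited and applied across host pools from PowerShell. The script below is an added example (not code from the original post) that assumes the Az.Accounts and Az.DesktopVirtualization modules are installed and Connect-AzAccount has already been run; the `-Fix` switch and the `$ssoProperty` variable are my own names.

```powershell
# Added example: report every AVD host pool in the current subscription that
# lacks the 'enablerdsaadauth:i:1' custom RDP property and, with -Fix, add it
# while keeping the pool's other custom RDP properties intact.
# Assumes Az.Accounts and Az.DesktopVirtualization are installed and that
# Connect-AzAccount has already been run.
param(
    [switch]$Fix   # without -Fix the script only reports
)

$ssoProperty = 'enablerdsaadauth:i:1'

foreach ($pool in Get-AzWvdHostPool) {
    # CustomRdpProperty is one string of 'key:type:value;' entries
    $existing = @()
    if ($pool.CustomRdpProperty) {
        $existing = $pool.CustomRdpProperty.Split(';', [System.StringSplitOptions]::RemoveEmptyEntries)
    }

    if ($existing -contains $ssoProperty) {
        Write-Host "$($pool.Name): SSO enabled"
        continue
    }

    # Covers both a missing property and 'enablerdsaadauth:i:0'
    Write-Warning "$($pool.Name): SSO not enabled (current: '$($pool.CustomRdpProperty)')"
    if (-not $Fix) { continue }

    # Resource group is the 5th segment of the ARM resource id:
    # /subscriptions/{sub}/resourceGroups/{rg}/providers/...
    $rg = ($pool.Id -split '/')[4]

    # Drop any existing enablerdsaadauth entry, then append the enabled one
    $updated = @($existing | Where-Object { $_ -notlike 'enablerdsaadauth:i:*' }) + $ssoProperty
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool.Name `
        -CustomRdpProperty (($updated -join ';') + ';')
    Write-Host "$($pool.Name): added $ssoProperty"
}
```

Run it without `-Fix` first to see which pools would change; the update only rewrites the custom RDP property string, nothing else on the host pool.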