Passwordless sign-in for Azure Virtual Desktop

Hello everyone!

Lets start working passwordless with Azure Virtual Desktop. Some of the configurations are in public preview, but its working perfectly in my setup. Working without passwords is giving the company more security and a better experience for the users.

Prerequisites

  • Azure Subscription
  • Azure Virtual Desktop environment in Azure
  • Microsoft Entra Hybrid joined (Microsoft Entra only is also possible, but is not discussed in this blog)
  • Entra Connect configured for Microsoft Entra Hybrid joined
  • Owner or Contributor role on the subscription
  • Domain admin on Active Directory
  • Passwordless sign-in policy active for the users
  • Supported client for passwordless sign-on. Click this link to check.
  • Windows 10/11 device enrolled in Microsoft Entra (Hybrid) (for a better experience)

Passwordless sign-in for AVD overview

Using no passwords for sign-in methods is a safe way to make your company more secure. User accounts are always a target in this world, so setting up passwordless methods like the sign in with Windows Hello for Business or using a FIDO2 token is the best way to start using Azure Virtual Desktop in the safest way. Users have a more convenient way of signing in and do not need to change passwords every three months. Microsoft advices to use passwordless sign-ins and never let your password expire. Turning off the password option at the logon screen is already possible in Windows 11. 

Configuring SSO for Azure Virtual Desktop

  1. We need to create a Kerberos Server object first, because we want to give the users the best SSO experience. Go to a machine that has access to the domain. I will perform this action on the domain controller for test purposes. Run the following script to install the powershell module.
# First, ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the AzureADHybridAuthenticationManagement PowerShell module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
  1. The next step is to run the script that creates the Kerberos Server object. The script examples are visible on this Microsoft page. I will have to choose script example 4, because I’m on the domain controller with a domain admin account and using Modern Authentication.
# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN

# Enter a UPN of an Azure Active Directory global administrator
$userPrincipalName = "administrator@contoso.onmicrosoft.com"

# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Azure AD.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
  1. If the script has run without any issues you can perform a check of the Kerberos Server object with the following script. Then you get the following output and it is also visible in Active Directory.
# When prompted to provide domain credentials use the userprincipalname format for the username instead of domain\username
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential (get-credential)
  1. Now we need to adjust our hostpool in Azure Virtual Desktop to make the authentication work. Go to the Azure Virtual Desktop backplane in Azure to open the hostpool settings. Go to RDP Properties to change the settings at the Connection information tab. Here you can select: Connections will use Microsoft Entra authentication to provide single sign-on

Passwordless experience on the client

Now we are going to check what the users see when they sign-in with the client for AVD. In this scenario I used the Azure Virtual Desktop (preview) Microsoft Store client. This client is designed for Azure Virtual Desktop and supports the passwordless experience. The user has logged on with a PIN code on the machine to authenticate with the AVD session host. So Windows Hello for Business must be configured on the device. 

  1. As the user wants to connect the first time with this feature, the client will ask you to authenticate and then wants verify if the following machine is allowed to sign you in. This is only the first time when the user signs in. After this is done the user gets the SSO experience without the password check. This feature is still in preview, so this may change in the future. 
  1. Now you see the session is being connected and logged on without any extra prompts. This method is now tested with Windows Hello for Busines but will also work for FIDO2 tokens

Final Thoughts

Configuring this feature for Azure Virtual Desktop was not too hard, but needs a lot of configurations done at forehand. It will give users a better experience when working with DaaS solutions and it will be safer for companies to use no passwords at all. We want to see a world with no passwords at all, but a lot of applications do not support this method yet. So removing all passwords for your devices or desktops in the cloud is still not being applied at most companies today. Hopefully this will change in the future. Feel free to comment on this post if you have any questions.

Resources

Author

  • Mischa Sachse is one of the founders of the Cloud Experts Community. Would you like to join in the fun? Make sure to contact him via the mail button below or find out more about him on his personal website.

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *