How to Configure Windows 365 Azure AD Join Single Sign-on (SSO)

In September 2022, Microsoft announced the public preview of single sign-on (SSO) and passwordless authentication for Azure Virtual Desktop. – Since then, many of us have been waiting for Windows 365 Azure AD Join SSO support.

The wait is finally over because Microsoft has recently announced that Windows 365 now supports creating Azure AD Joined Cloud PCs that use SSO for Cloud PC login!

Note
Windows 365 Hybrid Azure AD Join SSO is still not supported! – See features in development

Why is SSO support that interesting, you might ask? It’s interesting because until now, the user must first sign in to the Windows 365 service and then to their personal Windows 365 Cloud PC either through the Web Portal, Remote Desktop App, or the new Windows 365 App. – And that’s not what I call a great end-user experience!

So, in this blog post, I will show you how to enable SSO for an existing provisioning policy in Microsoft Intune.

If you’re looking for Windows 365 Enterprise Cloud PC prerequisites and requirements and information about how to set it up, look no further:

Enable the Windows 365 SSO Option

First, let’s visit Microsoft Intune and turn on SSO for my current Windows 365 provisioning policy.

Go to https://endpoint.microsoft.com

In the left pane, click Devices | Windows 365 | Provisioning policies   
Create a new policy or select an existing policy in the list of provisioning policies. – For this post, I chose to modify my current provisioning policy.

On the overview page, look for General and click Edit.

Check Use single sign-on (preview) and click Next.

Review the configuration and click Update.

From Devices | Windows 365, click the All Cloud PCs tab.

If you’re provisioning a new Cloud PC, it will show in the list after approx. 20-30 minutes.
Otherwise, select an existing Cloud PC to reprovision. – For this post, I chose to reprovision an existing Cloud PC.

Important
If you change the network, single sign-on configuration or image in a provisioning policy, no change will occur for previously provisioned Cloud PCs. Newly provisioned Cloud PCs will honor the changes in your provisioning policy. To change the previously provisioned Cloud PCs to align with the changes, you must reprovision those Cloud PCs.

Source: Microsoft Docs

Click Reprovision.
If all goes well, the new reprovisioned Cloud PC should appear in the All Cloud PCs list after approx. 20-30 minutes.
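
The same procedure can be scripted against Microsoft Graph. This is an added example, not part of the original post: it assumes the Microsoft.Graph.Authentication module, the beta virtualEndpoint endpoints with the enableSingleSignOn policy property, and a hypothetical policy name.

```powershell
# Added example: audit the SSO setting, enable it, and reprovision affected Cloud PCs.
Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All'

$base       = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'
$policyName = 'W365-AADJ-Policy'   # hypothetical name, replace with your own policy

# Helper (name is illustrative): follow @odata.nextLink so large tenants are fully listed.
function Get-GraphCollection([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

# 1. Report which provisioning policies already have SSO turned on.
$policies = @(Get-GraphCollection "$base/provisioningPolicies")
$policies | Select-Object displayName, id, enableSingleSignOn | Format-Table -AutoSize

# 2. Enable SSO on the chosen policy if it is still off.
$policy = $policies | Where-Object displayName -eq $policyName
if (-not $policy) { throw "Provisioning policy '$policyName' not found." }
if (-not $policy.enableSingleSignOn) {
    $body = @{
        '@odata.type'      = '#microsoft.graph.cloudPcProvisioningPolicy'
        enableSingleSignOn = $true
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/provisioningPolicies/$($policy.id)" -Body $body
}

# 3. Cloud PCs provisioned earlier keep their old setting until they are reprovisioned.
$cloudPcs = @(Get-GraphCollection "$base/cloudPCs" |
    Where-Object provisioningPolicyId -eq $policy.id)
$cloudPcs | Select-Object managedDeviceName, userPrincipalName, status | Format-Table -AutoSize

# 4. Reprovisioning rebuilds the Cloud PC, so ask for confirmation per device.
foreach ($pc in $cloudPcs) {
    $answer = Read-Host "Reprovision $($pc.managedDeviceName) for $($pc.userPrincipalName)? (y/N)"
    if ($answer -eq 'y') {
        Invoke-MgGraphRequest -Method POST -Uri "$base/cloudPCs/$($pc.id)/reprovision"
        Write-Host "Reprovision requested for $($pc.managedDeviceName)."
    }
}
```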

Windows 365 SSO Experience (Web Portal)

Let’s sign in to the newly reprovisioned Windows 365 Cloud PC and verify that SSO is enabled.

Go to https://windows365.microsoft.com

Enter your account and click Next.

Enter your password and click Sign in.

Click Open in browser.

Click Connect.

Instead of the usual sign-in prompt for the Windows 365 Cloud PC, we now need to allow the remote device to access your account and sign you in. – This means that SSO is working!

Click Yes.

And we are signed in to the Windows 365 Cloud PC. – Pretty Awesome!

Windows 365 SSO Experience (Windows 365 App)

Next, let’s try and sign in to the Windows 365 Cloud PC using the new Windows 365 App.

Note
The Windows 365 App is only available from the Microsoft Store on Windows 11.

Open the Windows 365 App.

Enter your account and click Next.

Enter your password and click Sign in.

Click Connect.

We can confirm once again that SSO works! – We are now signed in without any extra sign-in prompt.

Summary

In this blog post, you learned how to enable the new SSO option for Windows 365 Cloud PCs, and we then verified the results on a reprovisioned Cloud PC.

No doubt Windows 365 Hybrid Azure AD Join SSO support will be very interesting for many Enterprise customers, so hopefully, we will see that feature very soon! – But with Windows 365 Azure AD Join (Bring Your Own Network), and if you have configured Azure AD Kerberos on-premises, you can actually leverage the new SSO option to access Kerberos-based resources and applications. See Identity and authentication

Personally, I think this is pretty awesome and one of the last pieces of the puzzle to provide the end user with the best possible sign-in experience on their personal Windows 365 Cloud PCs.

I hope you enjoyed this post and that you found it helpful. – If you want to learn more about Windows 365, please visit our Windows 365 category.

That’s it, folks. Happy testing, and merry Christmas!
If you have any questions regarding this topic, please feel free to reach out to us.
