In this post, we’ll look at suppressing single sign-on (SSO) consent prompts for Azure Virtual Desktop (AVD) and Windows 365. These consent prompts can be very disruptive as they interrupt the smooth sign-in flow. I first came across the option to suppress SSO consent prompts while testing Windows 365 Link devices. If your organization is considering purchasing Windows 365 Link devices, suppressing SSO consent prompts is highly recommended, as the Windows 365 Link connection experience currently does not support interacting with the SSO consent prompt.

Note
By default, when single sign-on (SSO) is enabled, users are prompted to allow the remote desktop connection when connecting to a new AVD session host or Windows 365 Cloud PC. Microsoft Entra remembers the consent for 30 days before prompting the end-users again.

Source: Suppress single sign-on consent prompts for Windows 365 Link
So, join me as I delve into what it takes to permanently eliminate the SSO consent prompt 🤓
In this post, I’ll cover the following topics.
- Create a Dynamic Device Security Group
- Enable Entra Authentication for Remote Desktop Protocol (RDP)
- Suppress Single Sign-on (SSO) Consent Prompts
- Test and Verification
- Summary
Create a Dynamic Device Security Group
The first step is to create an Entra ID device security group. This group includes AVD session hosts and Windows 365 Cloud PCs to allow SSO without triggering a consent prompt. For this post, I chose to include only my Cloud PCs.
Tip
I recommend setting up a dynamic device security group that automatically includes your devices based on properties like device.enrollmentProfileName, device.displayName, or device.deviceModel.
Go to https://intune.microsoft.com
In the left pane, select Groups.
Create a new Entra ID device security group to include AVD session hosts, Windows 365 Cloud PCs, or both, depending on your requirements.

Define a Rule syntax under Dynamic membership rules and click Save.
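As an added example (not part of the original post), the same dynamic group can be created with Microsoft Graph PowerShell instead of the portal. The group name, mail nickname, the `Microsoft.Graph.Groups` module and the `Group.ReadWrite.All` scope are assumptions of this example.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph.Groups
# module and the Group.ReadWrite.All scope (both are assumptions of this example).
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Windows 365 Cloud PCs report a device model that starts with "Cloud PC".
# To cover AVD session hosts as well, add an "-or" clause on device.displayName
# or device.enrollmentProfileName that matches your own naming convention.
$rule = '(device.deviceModel -startsWith "Cloud PC")'

$params = @{
    DisplayName                   = "SSO-Consent-Suppressed-Devices"  # hypothetical name
    Description                   = "Devices that connect over SSO without a consent prompt"
    MailEnabled                   = $false
    MailNickname                  = "sso-consent-suppressed-devices"  # hypothetical
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @params

# The Id and DisplayName are the values needed for the targetDeviceGroup object.
$group | Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Rule evaluation is asynchronous. Once it has run, review the members: every
# device listed here will skip the consent prompt after the later steps.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Keep the rule as narrow as possible, because membership in this group is what decides which devices are trusted for SSO without user consent.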

Enable Entra Authentication for Remote Desktop Protocol (RDP)
After creating the Entra ID security group, the next step is to enable Microsoft Entra authentication for RDP tenant-wide. For more information, see Enable Microsoft Entra authentication for RDP.
First, connect and authenticate against Microsoft Graph by running the following commands:
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"

Application Name | Application ID |
---|---|
Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c |
Windows Cloud Login | 270efc09-cd0d-444b-a71f-39af4910ec45 |
Next, obtain the object IDs of the service principals listed above and store them in variables by running the following commands:
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id

Use the following commands to set the property isRemoteDesktopProtocolEnabled to True.
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}

Verify that the property isRemoteDesktopProtocolEnabled is set to True by running the following commands:
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

Tip
Keep your PowerShell session active – we’ll need it shortly! 🤓
Suppress Single Sign-on (SSO) Consent Prompts
After enabling Microsoft Entra authentication for RDP tenant-wide, it’s finally time to eliminate the SSO consent prompt. But first, we must revisit our Entra ID security group to take note of its Object ID and Group name for the next step.
Go to https://intune.microsoft.com
In the left pane, select Groups.
Select the newly created Entra ID security group containing devices for which you want to hide the SSO consent prompt. Note down the Object ID and Group Name highlighted in the screenshot below.

Using the same PowerShell session, create a targetDeviceGroup object by running the following commands and replacing <placeholders> with your values:
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<Group object ID>"
$tdg.DisplayName = "<Group display name>"

Add the Entra ID device security group to the targetDeviceGroup object by running the following commands:
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg

Test and Verification
With the final piece of the puzzle in place, let’s test the configuration on a re-provisioned Windows 365 Cloud PC.

We can confirm that the sign-in flow is smoother and no longer includes the SSO consent prompt 🥳
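To check the stored configuration as well as the sign-in experience, the following added example (not part of the original post) reads back the target device groups on both service principals and resolves each one against the directory. It assumes the `$MSRDspId` and `$WCLspId` variables from the earlier steps, the `Microsoft.Graph.Groups` module, and an additional `Group.Read.All` scope.

```powershell
# Added example, not from the original post: audit which device groups
# suppress the SSO consent prompt. Group.Read.All is an assumption of this example.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All","Group.Read.All"

$servicePrincipals = [ordered]@{
    "Microsoft Remote Desktop" = $MSRDspId
    "Windows Cloud Login"      = $WCLspId
}

$report = foreach ($name in $servicePrincipals.Keys) {
    $spId   = $servicePrincipals[$name]
    $config = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $spId
    $groups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId

    foreach ($tdg in $groups) {
        # Resolve the stored ID; a group deleted later leaves a stale entry behind.
        $group = Get-MgGroup -GroupId $tdg.Id -Property Id,DisplayName,MembershipRule -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ServicePrincipal = $name
            RdpAuthEnabled   = $config.IsRemoteDesktopProtocolEnabled
            GroupId          = $tdg.Id
            StoredName       = $tdg.DisplayName
            CurrentName      = $group.DisplayName
            GroupExists      = [bool]$group
            MembershipRule   = $group.MembershipRule
            MemberCount      = if ($group) { @(Get-MgGroupMember -GroupId $group.Id -All).Count } else { 0 }
        }
    }
}

# Full picture: one row per service principal and target device group.
$report | Format-Table -AutoSize

# Entries that need attention: the group no longer exists or was renamed.
$report | Where-Object { -not $_.GroupExists -or $_.StoredName -ne $_.CurrentName }

# A stale or unwanted entry can be removed with:
# Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup `
#     -ServicePrincipalId $spId -TargetDeviceGroupId "<Group object ID>"
```

Both service principals should list the same groups, and an unexpectedly broad membership rule or a large member count is worth reviewing before rollout.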
Summary
In this blog post, you learned how to eliminate Single Sign-on (SSO) consent prompts for AVD session hosts and Windows 365 Cloud PCs. I guided you through each step, including creating a dynamic device security group, enabling Microsoft Entra authentication for RDP tenant-wide, and suppressing SSO consent prompts. By following these few steps, you can eliminate the bothersome SSO consent prompts and provide your end-users with a much smoother sign-in experience.
I hope you enjoyed this post and that you found it helpful. To learn more about Azure Virtual Desktop (AVD) and Windows 365, please visit our Azure Virtual Desktop and Windows 365 categories.
That’s it, folks. Happy testing, and happy Easter holidays! 🐣
If you have any questions regarding this topic, please feel free to reach out to us.