Use Seamless SSO in AADDS environments.
At the moment, having seamless SSO in Azure Active Directory Domain Services doesn't work. Logically, this feature should be automatic...
At the moment, you can join a machine to an AADDS domain, and log in to it with Azure AD credentials. But users still need to sign in manually to Office.com, Office apps, etc.
This is extremely important in an AADDS Windows Virtual Desktop scenario (where Microsoft Office is hosted as RemoteApps). To access Office, users will need to log in to WVD, then AGAIN into the RemoteApp host itself, and AGAIN into the Microsoft Office apps - all with the same credentials.
Thomas Mjelde commented
The reason this is important is that some companies want to set up a small WVD environment with old applications that they can't get as a SaaS solution.
We typically spin up small environments to support these old applications, and they include application servers, sql servers, fileservers etc.
Windows Servers can't be joined to Azure AD directly, and you therefore need to join the AAD DS domain instead.
Now your WVD machine which is running Windows 10 Multi User is also joined to AAD DS to allow the users who log in to actually have SSSO to the internal resources.
Problem now is that Office 365's apps such as OneDrive, Outlook, Teams etc. do not have SSSO.
Would be a great addition if we could enable SSSO both to internal resources as well as O365 resources.
Mark Lunn commented
Hi Mike Stephens, the reason our Azure WVDs are joined to AADDS is because we are using FSLogix and Azure File Shares, which need AADDS to work.
Mark Lunn commented
Would be great to get SSO working with AADDS as we currently have WVD in Azure with AADDS, but without any sort of SSO possible, and this also makes sharing files beyond the VMs difficult.
Totally agree. We have implemented Citrix Cloud for a client who has no on-prem infrastructure. They don't want to manage a traditional AD hosted in Azure (and as another poster mentions, this would require 4 x servers: AD (x2), AAD Connect and a hybrid Exchange). We need the management framework of the domain. Our setup means that new virtual desktops are provisioned on demand, and so AAD join is not feasible. Please fix/make available seamless SSO.
Justin Graham commented
We have exactly the same situation and requirement as OP, as we are using WVD. I am surprised this wouldn't be a standard inclusion when using the complete Microsoft integrated ecosystem.
HOBNOB Tech Admin commented
I know it's a long time since I posted this idea, but having seen Mike's comment, I thought I'd add some more information on the scenario...
In short, all our users are already cloud-only, preventing us from using AD Connect. AADDS is the next option. More background information:...
The tenant I manage is for a small charity, where the organisation's physical hardware is very minimal, due to practical and financial reasons. There is no on-prem infrastructure, and we have a couple of devices that are Intune/AAD-joined. So, ALL of our users are cloud-only users.
(99% of the time, people are accessing our 365/web apps on their own devices, from home/out on visits - they are effectively all lone-workers).
So if we then want to provide any traditional/LOB Windows apps and have any sort of technical or data control over them, RemoteApps seems like the obvious choice (to stop data being held on the users' personal devices).
Of course SSO is very much possible with WVD when using your own DC and Azure AD Connect, but it's not supported in AADDS. And, because we have no existing on-prem domain, etc. and all our users are existing, cloud-only, this renders AD Connect useless (according to the Azure AD Connect documentation, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant#create-a-new-on-premises-active-directory-from-data-in-azure-ad). It doesn't seem possible to Azure AD join the VMs either.
So we have ended up with AADDS and WVD in Azure, but without any sort of SSO possible, and this also makes sharing files beyond the VMs difficult.
Hope this helps you understand a bit more.
Patrick Brodeur commented
Exact same situation here. AAD DS would be much better if we were able to do seamless SSO with Office 365. I just realized yesterday that it does not seem to be possible. We can't have VMs in WVD as Azure AD Joined, and we can't make it work with SSO in AAD DS. The best would be to have 2 DCs and AD Connect, but at that point that would also mean an Exchange Hybrid server to manage Exchange properties of mailbox users. That means 4 more VMs, and having to maintain AAD Connect and an Exchange Hybrid server just for SSO. I hope the Identity group at Microsoft will find a solution soon for this; that would be very good.
Nick Muller commented
Mike, what you described indeed seems like the simplest solution, so I'm also really interested in why the WVD team chose another route. If this is not possible in WVD, everybody who wants to deliver a good experience for their users needs to go with a dedicated AD DC VM (set). And honestly, I don't really want to manage those VMs, if possible.
Jon Young commented
We also have a similar need for this; currently, as described, the authentication falls back to using username and password authentication.
We have an environment that is hosted on-premises using a Citrix published desktop, connected via S2S VPN to Azure. SSO to Office 365 is not possible currently.
It's not possible (security considerations) to move the applications hosted on the Citrix desktop.
Mike Stephens commented
Very interesting. Why are virtual machines being joined to the AAD DS domain? I understand the WVD infrastructure needs to join a domain (RDP is still RDP) but it would seem that the pool of VMs offered by WVD would be Azure AD joined. That would give SSO to Office and other azure applications.
I'll leave this at Need-Feedback because I am keen to learn more about the scenario. We may eventually need to move the suggestion over to the WVD category, as there's not much Azure AD DS can do in this case, and Azure AD join would be a simple solution (so it seems) that provides a great customer experience.
Senior Program Manager
IAM Core | Domain Services
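The distinction Mike draws above (AADDS domain-joined versus Azure AD joined) can be checked directly on a session host. The following PowerShell is an added example, not code from this thread or from Microsoft: it parses the output of the built-in `dsregcmd /status` tool and reports whether the VM is domain-joined, Azure AD joined, and whether the signed-in user holds an Azure AD Primary Refresh Token (the `AzureAdPrt` field), which is what lets Office and other Azure AD applications sign in silently. The sample output embedded in the script is constructed to resemble an AADDS-joined host and was not captured from a real VM; the function names are this example's own.

```powershell
# Added example (not from the thread): inspect device and SSO state on a WVD session host.
# Assumes dsregcmd.exe is present (Windows 10 / Windows Server 2016 and later) and that the
# script runs in the context of the interactive user, because the SSO State section is per user.

function ConvertFrom-DsRegCmdStatus {
    # Turn "   Key : Value" lines from dsregcmd /status into a hashtable.
    # Section banners ("+----", "| Device State |") and multi-word keys are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-OfficeSsoReadiness {
    # Summarise join state and give a verdict on whether Office apps can sign in silently.
    param([Parameter(Mandatory)][hashtable]$State)
    $domainJoined  = $State['DomainJoined']  -eq 'YES'
    $azureAdJoined = $State['AzureAdJoined'] -eq 'YES'
    $hasPrt        = $State['AzureAdPrt']    -eq 'YES'

    if ($hasPrt) {
        $verdict = 'PRT present: Office and other Azure AD apps should sign in silently.'
    }
    elseif ($domainJoined -and -not $azureAdJoined) {
        $verdict = 'Domain-joined only (AADDS-style, no Azure AD / hybrid join): no PRT, so Office apps will prompt for credentials.'
    }
    else {
        $verdict = 'No PRT: check Azure AD join or hybrid join state and sign in again.'
    }

    [pscustomobject]@{
        DomainName    = $State['DomainName']
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        AzureAdPrt    = $hasPrt
        Verdict       = $verdict
    }
}

# Constructed sample output modelled on an AADDS-joined session host (not captured from a real VM).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

# Offline demonstration against the constructed sample:
Test-OfficeSsoReadiness -State (ConvertFrom-DsRegCmdStatus -Lines $sample) | Format-List

# Live check on the host you are signed in to (uncomment to run):
# Test-OfficeSsoReadiness -State (ConvertFrom-DsRegCmdStatus -Lines (dsregcmd /status)) | Format-List
```

On the constructed sample the verdict is the "Domain-joined only" branch, which matches the symptom every commenter describes: the host trusts the AADDS domain, but no Azure AD PRT is issued, so each Office app falls back to an interactive username and password prompt. Running the live check on an Azure AD joined host instead should show `AzureAdJoined` and `AzureAdPrt` both `YES`.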