Use Seamless SSO in AADDS environments.
At the moment, having seamless SSO in Azure Active Directory Domain Services doesn't work. Logically, this feature should be automatic...
At the moment, you can join a machine to an AADDS domain and log in to it with Azure AD credentials. But users still need to sign in manually to Office.com, Office apps, etc.
This is extremely important in an AADDS Windows Virtual Desktop scenario (where Microsoft Office is hosted as RemoteApps). To access Office, users will need to log in to WVD, then AGAIN into the RemoteApp host itself, and AGAIN into the Microsoft Office apps - all with the same credentials.
Patrick Brodeur commented
Exact same situation here. AAD DS would be much better if we were able to do seamless SSO with Office 365. I just realized yesterday that it does not seem to be possible. We can't have VMs in WVD as Azure AD Joined, and we can't make it work with SSO in AAD DS. The best would be to have 2 DCs and AD Connect, but at that point that would also mean an Exchange Hybrid server to manage Exchange properties of mailbox users. That means 4 more VMs, and having to maintain AAD Connect and an Exchange Hybrid server just for SSO. I hope the Identity group at Microsoft will find a solution soon for this; that would be very good.
Nick Muller commented
Mike, what you described indeed seems like the simplest solution, so I'm also really interested in why the WVD team chose another route. If this is not possible in WVD, everybody that wants to deliver a good experience for their users needs to go with a dedicated AD DC VM (set). And honestly, I don't really want to manage those VMs, if possible.
Jon Young commented
We also have a similar need for this; currently, as described, the authentication falls back to using username and password authentication.
We have an environment that is hosted on-premises using a Citrix published desktop, connected via S2S VPN to Azure. SSO to Office365 is not possible currently.
It's not possible (security considerations) to move the applications hosted on the Citrix desktop.
Mike Stephens commented
Very interesting. Why are virtual machines being joined to the AAD DS domain? I understand the WVD infrastructure needs to join a domain (RDP is still RDP), but it would seem that the pool of VMs offered by WVD would be Azure AD joined. That would give SSO to Office and other Azure applications.
I'll leave this at Need-Feedback because I am keen on learning more about the scenario. We may eventually need to move the suggestion over to the WVD category, as there's not much Azure AD DS can do in this case, and Azure AD join would be a simple solution (so it seems) that provides a great customer experience.
Senior Program Manager
IAM Core | Domain Services