Azure Virtual Desktop Entra ID SSO using FSLogix with Azure Files

Jackson Harris 0 Reputation points
2025-02-18T06:06:51.68+00:00

Hello,

I have a bit of a challenge with finding the right configuration for Azure Virtual Desktop. I have two things that need to apply to our configuration. I 100% need the hosts to use Entra ID SSO for authentication and I 90% likely need to use FSLogix for profile management (but I can be convinced of another option if there is one). The main goal with using FSLogix (besides it being what Microsoft recommends so heavily with this system) is to be able to have all users in the same pool of hosts and use scaling plans for most of our hosts to be offline until online hosts start filling up and thus have a more dynamic management of all of the hosts in the one pool, and a central means of managing file storage and user profiles, while also managing costs of uptime better.

The problem I'm finding is that Entra ID SSO requires the hosts be Entra ID domain joined or Entra ID hybrid domain joined, which doesn't seem to have any means of working in the same way using Entra ID and Entra domain services. Yet I also can't seem to find a way to use FSLogix with Entra ID authenticated hosts even with some combination of Azure Files and Entra domain services which I thought was supposed to supplement these on-prem akin needs in a cloud environment. The best middle ground I can find which would work with all of these is by having a full traditional Active Directory Domain Controller instead of Entra Domain Services which would be another server and piece to manage.

With Azure Virtual Desktop promoting all of the Entra ID cloud oriented features while also pushing FSLogix, specifically with Azure Files being the highest priority option for profile management of that cloud oriented platform, I just assumed there was a way to use them both together.

Is this something that's coming soon, or am I missing something about either of these systems?

Tags: Azure Files, Azure Virtual Desktop, FSLogix

1 answer

  1. Nikhil Duserla 4,440 Reputation points Microsoft Vendor
    2025-02-19T11:31:31.33+00:00

    Hi @Jackson Harris,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Using a traditional Active Directory Domain Controller (AD DC) can provide a more comprehensive solution for scenarios that require features not fully supported by Azure Active Directory Domain Services (Azure AD DS). Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including identities that are federated by using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID by using Microsoft Entra Connect. You can also use Microsoft Entra ID to manage these identities and sync them to AD DS.

    Microsoft Entra Connect or Microsoft Entra Connect cloud sync synchronize your on-premises identity information to the cloud. As part of the synchronization process, on-premises user and domain information is synchronized to Microsoft Entra ID.

    When accessing Azure Virtual Desktop resources, there are three separate authentication phases:

    • Cloud service authentication: Authenticating to the Azure Virtual Desktop service, which includes subscribing to resources and authenticating to the Gateway, is with Microsoft Entra ID.
    • Remote session authentication: Authenticating to the remote VM. There are multiple ways to authenticate to the remote session, including the recommended single sign-on (SSO).
    • In-session authentication: Authenticating to applications and web sites within the remote session.

    SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows through Microsoft Entra authentication. For session hosts that are Microsoft Entra joined, or Microsoft Entra hybrid joined, it's recommended to enable SSO using Microsoft Entra authentication.

    How to set up an FSLogix profile container with Azure Files when your session host virtual machines (VMs) are joined to Active Directory Domain Services (AD DS): https://learn.microsoft.com/en-us/fslogix/how-to-configure-profile-container-azure-files-active-directory?tabs=adds

    Install FSLogix Applications: https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix

    If you have any further queries, do let us know.
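The answer above describes two separate pieces that have to line up: the session hosts authenticate to the Azure Files share with their AD DS (Kerberos) identity for FSLogix, while the client authenticates the remote session with Entra ID for SSO. The script below is an added example written for this page; it is not code from the original question, the answer, or Microsoft's documentation. The storage account name (`stavdprofiles`), share name (`profiles`), resource group (`rg-avd`) and host pool name (`hp-avd`) are hypothetical placeholders. It assumes the storage account has already been joined to the same AD DS domain as the session hosts (Azure Files AD DS authentication) and that the share-level role and NTFS permissions for the users' AD group are already in place; it does not perform those steps, nor the Entra-side SSO prerequisites (Kerberos server object for hybrid-joined hosts and the target device group configuration for the Remote Desktop service principals), which still have to be done per Microsoft's SSO setup guidance.

```powershell
# Added example (not from the original post or Microsoft's docs).
# Part 1 runs elevated on each AD DS-joined session host; part 2 runs from an
# admin workstation with the Az.DesktopVirtualization module and an Az login.
# All names below are hypothetical placeholders.

$StorageAccount = 'stavdprofiles'          # assumption: AD DS-joined storage account
$ShareName      = 'profiles'               # assumption: file share for profile VHDX files
$ProfileShare   = "\\$StorageAccount.file.core.windows.net\$ShareName"

# ---- Part 1: FSLogix profile container settings on the session host ----
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
if (-not (Test-Path $ProfilesKey)) {
    New-Item -Path $ProfilesKey -Force | Out-Null
}

# Fail-closed choices: if the VHD cannot be attached, the user does not get a
# temporary local profile that would silently diverge from the stored one.
$Settings = @{
    Enabled                              = 1               # turn the profile container on
    VHDLocations                         = $ProfileShare   # UNC path of the Azure Files share
    VolumeType                           = 'VHDX'
    SizeInMBs                            = 30000           # cap each profile at ~30 GB
    IsDynamic                            = 1               # grow on demand, do not preallocate
    FlipFlopProfileDirectoryName         = 1               # %username%_%sid% folder names
    DeleteLocalProfileWhenVHDShouldApply = 1               # never fall back to a stale local copy
    PreventLoginWithFailure              = 1               # block sign-in instead of a temp profile
}
foreach ($name in $Settings.Keys) {
    $type = if ($Settings[$name] -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $ProfilesKey -Name $name -Value $Settings[$name] -Type $type
}

# Sanity check: the host must reach the share with its own domain (Kerberos) identity.
# A failure here usually means the storage account is not AD DS-joined, the
# share-level role is missing, or port 445 to the storage account is blocked.
if (-not (Test-Path $ProfileShare)) {
    throw "Session host cannot reach $ProfileShare with its AD DS credentials."
}
Write-Host "FSLogix profile container configured to use $ProfileShare"

# ---- Part 2: enable Entra ID SSO for the host pool (admin workstation) ----
# enablerdsaadauth:i:1 tells the client to authenticate the remote session with
# Entra ID instead of prompting for credentials. -CustomRdpProperty replaces the
# whole property string, so merge it with whatever is already set.
$ResourceGroup = 'rg-avd'   # assumption
$HostPool      = 'hp-avd'   # assumption

$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
$rdp  = [string]$pool.CustomRdpProperty
if ($rdp -notmatch 'enablerdsaadauth:i:1') {
    $rdp = ($rdp.TrimEnd(';') + ';enablerdsaadauth:i:1;').TrimStart(';')
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty $rdp
    Write-Host "SSO enabled on host pool $HostPool (RDP properties: $rdp)"
} else {
    Write-Host "SSO already enabled on host pool $HostPool"
}
```

Two practical notes. The FSLogix half works only because the hosts are AD DS domain-joined; a host that is Entra-joined only has no AD DS Kerberos ticket to present to an AD DS-joined storage account, which is the gap the question describes. The SSO half takes effect only for session hosts that are Entra joined or Entra hybrid joined, so with the AD DS approach in the answer the hosts are expected to be hybrid joined through Entra Connect.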
