Wow, you nailed it and it's good to follow. A must-watch video for SSO. Thank you for sharing
Awesome, Glad you liked it! Please share with others
Great video. Thank you, if I may make a suggestion, the blue banners, top left and bottom right can be removed. They obscure the view and quality of your video, especially the top left one.
Thank you for your feedback. I try to be aware of things that get covered by the banners and move out of the way…would that be ok?
Good one. Definitely an interesting feature to test it out. Just a small correction. 14:47 "trust for our WBD SSO". Change it to WVD please.
Thanks…I will update ☺️
Great video. Unfortunately, like some of the other comments, ADFS is a step in the wrong direction strategically for most clients I work with. I think they will stick with Azure AD auth and simply have the WVD users enter the creds one extra time until SSO with Azure AD is available.
Kris, I don’t make the decisions, I just make the videos 🤪
I do know that there are a lot of customers who still have a lot of traditional resources like ADFS that this will benefit…and I also agree that this should be one option…and the other is Azure AD native SSO…go to the WVD TechCommunity Blog and give the product group your feedback. They WANT to hear from YOU!
Yeah, we have zero ADFS here, so this is a non-starter. But 99% of the time our users will be using the RDC from their AD-joined laptop, and they can use it to launch apps without getting prompted for credentials. Perhaps due to allowing delegated default credentials for TERMSRV/* via GPO, or some other reason. When using the HTML5 client, users can rely on the web browser's cached credentials in our case, so it's not quite seamless, but most of the time a password does not need to be entered when launching an app.
Agreed…but soon Virtual Desktop will support full Azure AD Join and that will change a lot of things.
A video on webapp proxies with ADFS, would be great.
Thanks I will look into it
Upvote!
noted!
@@AzureAcademy +1 for me too. I really hate introducing ADFS unless it's absolutely necessary for something like hardware-token-based auth. Leveraging AD Connect for Seamless SSO on WVD really should have been something MS rolled out as soon as ARM-based WVD premiered.
If you are using a pure cloud model and AAD DS vs AD DS, will SSO work without ADFS? Like using VMs joined to AAD DS?
[initial comment redacted for security]
Great video! I'd love to be able to eliminate all the extra credential prompts when connecting to WVD!
That would take some rewriting of the commands and script…but yeah, it would be better if it was.
Great video Dean! However, I'm still waiting for the Windows client to be completely SSO. With this I mean that the Windows app will sign in on, for example, a managed device with Microsoft Endpoint Manager (Intune). This would make the user experience seamless, as the user will automatically be signed into the app and receive the apps/desktops they have rights to.
I agree Take! I am waiting for the day we don't need domain controllers and can just use Azure AD for all of it...then SSO would be a check box 😎
Great video as always, but I do find it funny that during the section about the ADFS WVD Relying Party Trust you blurred out the passwords on the right side of the screen but not on the left side. Understandable that this is primarily done in a lab environment, but if you're going to blur out the password, you might want to make sure it's blurred out everywhere ;)
Yeah…that’s what happened at 3:30am after 5 days of working on this to “make it look easy”
Thank you mate! It is a very useful video guide!
Thanks for watching!
Hi there, could you please confirm that the DC, CA, ADFS etc. need to be in Azure sitting on the same network as the VMs? What about if you have all on-prem?
No, they just need to be in your domain. Those servers can be on-prem or in Azure.
Hi Dean. I have a customer that has everything set up so they can sign in to a Windows Desktop VM just fine with their on-premises AD account via Azure AD Connect, but it doesn't provide an SSO experience when the user tries to open any Office application (asked to log in again). Will using ADFS solve this issue?
Yes. Azure AD Connect does not give AVD SSO at this time…you must use ADFS.
This is awesome! Anyone know why I end up with an ADFS pop-up login window at the moment of signing in to the VM? Is there any specific configuration on the VM side? Looks like the smart card login isn't working, so it reverts to the ADFS sign-in login prompt...
What pop-up are you getting? Can you give a screenshot?
Great Video Dean!
Can we set up SSO for AVD (session host, remote apps, apps from within the session host) without ADFS? I mean via the Password Hash Sync or Pass-through Authentication method.
Thanks Navnath! As of today you MUST have ADFS to have SSO. The team is working on it through Azure AD Join and Azure AD Connect…but not yet.
@@AzureAcademy Thanks Dean!
Anytime
Yes please. Create a video for ADFS proxies.
sounds good
In this scenario your users would be created in your Active Directory and synced to Azure AD, right? Meaning you'd need an Exchange server for the management.
I guess this is a little limiting for the small guys that have a minimalistic setup.
Correct, Azure AD Connect will sync your AD users into Azure AD...but NO, you do not need an Exchange server for anything in WVD or this solution.
You only need what I showed in the video.
AD Domain
Azure AD Connect
AD CA
AD FS
Hi Dean. Once again, excellent video. Thank you! Unrelated question, if I may. Will you be doing any videos on WVD governance? Like CA policy? We have a business case where we want to set up a CA which enables or disables device redirection depending on personal/private endpoint! :)
Thanks Dharak,
Sure, What are all the things you think of when you say WVD Governance?
You also mention CA policies.
I am assuming that you mean Conditional Access Policy...and not Certificate Authority Policy 🤔
The Conditional Access policies do not work that way.
CA grants or denies access to the WVD service; it does not control what you are allowed to do in WVD.
The enable or disable of redirection happens at the host pool level, which means that there is 1 setting for each pool.
Thank you for your reply Dean. Apologies for not making the question clear. Yes, I am talking about Conditional Access policy. The end goal for us is to set up some kind of policy which would disable USB redirection when the AVD session host is accessed from a personal laptop but keep USB redirection enabled when the AVD session host is accessed via a company-managed device. 😊 Is this even possible? Thank you.
This is not possible in the same host pool.
The USB redirection settings are controlled in the host pool's RDP properties.
If you want different configurations you need multiple host pools.
This could be fine if you're using FSLogix for profiles and then have IP restrictions on the internal host pools that allow USB redirection and external pools that do not allow it.
I see. This makes sense. Kind of a work around but doable. Thanks a lot Dean. 😊 Looking forward to more videos. Can't wait to take my exam this month end. Thank you for all you do 😊
👍👍
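As an added example (not code from the video or from anyone in this thread), this is the per-host-pool configuration described above, done with the Az.DesktopVirtualization module: one pool for managed devices with USB and drive redirection on, and one for personal devices with it off. The resource group, host pool names and the exact set of RDP properties are assumptions; USB redirection is the `usbdevicestoredirect` RDP property, and the others are included only to show how several properties are combined.

```powershell
# Added example: two AVD host pools with different redirection policies,
# set through each pool's custom RDP properties.
# Requires the Az.DesktopVirtualization module and a signed-in session
# (Install-Module Az.DesktopVirtualization; Connect-AzAccount).

$ResourceGroup = 'rg-avd-prod'          # assumption

# Pool reached from managed/internal devices: redirection allowed.
$internalRdp = @(
    'usbdevicestoredirect:s:*'          # redirect all supported USB devices
    'drivestoredirect:s:*'              # redirect all local drives
    'redirectclipboard:i:1'
) -join ';'

# Pool reached from personal/external devices: redirection disabled.
$externalRdp = @(
    'usbdevicestoredirect:s:'           # empty device list = no USB redirection
    'drivestoredirect:s:'               # no drive redirection
    'redirectclipboard:i:0'
) -join ';'

# Host pool names are assumptions.
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name 'hp-internal' `
    -CustomRdpProperty $internalRdp
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name 'hp-external' `
    -CustomRdpProperty $externalRdp

# Read back the effective properties so the change can be verified.
foreach ($pool in 'hp-internal', 'hp-external') {
    $hp = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $pool
    '{0}: {1}' -f $hp.Name, $hp.CustomRdpProperty
}
```

The property string applies to every session in that pool, so the device-type decision is made by which pool (and workspace) a user is assigned to, which is why the answer above needs two pools rather than one Conditional Access rule.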
If I understand correctly, SSO makes things more convenient and doesn't ask for user passwords. However, I have found that a password reset in AD or a password expiration policy that forces a user to change the password breaks SSO and forces users to enter their password for certain apps. For example, Teams. Is this expected? Thanks! PS. Sometimes I find that an email along with the password needs to be entered after password resets or first-time setups. Is there a true way to not prompt the user for anything when the app supports SSO?
Yes…and…no 😵💫 The password change will take time to go through all the different systems,
and they would not be able to log in until everything is back in sync.
Also, are you using AzureAD Self-Service Password Reset?
Hi Dean, I followed all your tutorials, but when I tried to create the ADFS SSO certificate, I saw that my ADFS didn't create the service account "adfssvc$" or "aadcsvc$."
…that’s not good…hm…have you tried this
👉 learn.microsoft.com/en-us/troubleshoot/windows-server/identity/adfs-2-service-fails-to-start
Great video Dean as usual 😊
Same remark as Dennis about SSO into the WVD VMs: it would be great if it still works!
👍👍
Single sign-on with Azure AD Domain Services is not possible because of the limitations that your accounts have in AADDS. You have no domain or enterprise admin rights, so you will need to wait for a different implementation of single sign-on.
@@AzureAcademy Sure
👍👍
Just tested yesterday and today.
Nice job to play with ADFS / AD Connect / WVD
I recommend creating a certificate with Let's Encrypt for the ADFS server.
PS : your AD CA Docs link is 404 😉
Cool…I will check the docs link as well, Thanks!
So for SSO the customer MUST implement ADFS? There's no way to make it work with good old AD Connect password hash, no ADFS?
not yet Ricardo...but things are improving all the time! Give the team your feedback at the WVD Techcommunity...they WANT to hear from YOU!
Hi Dean. Am I right in saying that the SQL database for ADFS has to be traditional SQL installed on Windows VMs and can't utilize Azure SQL / Managed Instance?
Correct, ADFS needs a local WID database or a SQL database, which can be local or on another server or SQL cluster.
Azure SQL is not supported.
@@AzureAcademy Thanks for clarifying Dean. great videos by the way.
Thanks!
Was asked at an interview: with single sign-on, will it be an issue if a user is removed from Active Directory and not removed from the application?
It depends on how you allocate permissions.
If a user ID is given permissions directly and then is removed from Active Directory, then in the application you may get a broken SID. I always suggest adding permissions to groups.
+Patience Williams, no not an issue. Once the user is deleted, the removal will be synced to Azure and they won’t be able to log in
+Patience Williams no…but kinda. If the user is removed from Active Directory then they cannot log in, so you are secure; however, you could have a lingering broken ID object. So I would remove it to clean it up to have an up-to-date in
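The "broken SID" the two replies above describe is visible in an ACL: once the account is gone, Windows can no longer translate the SID to a name, so the entry shows up as a raw S-1-5-21-... string. As an added example (not code from the video or anyone in the thread), this script finds such entries under a folder tree and removes the explicit ones; the folder path is an assumption.

```powershell
# Added example: list ACL entries whose SID no longer resolves to an account
# (typically a user who was granted rights directly and later deleted from AD),
# then strip the explicit, non-inherited ones. Group-based assignment avoids
# creating these in the first place.
# Caveat: a SID from a trusted domain that is merely unreachable right now also
# fails to resolve, so review the report before removing anything.

function Find-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            foreach ($ace in $acl.Access) {
                # Resolvable identities come back as DOMAIN\name; unresolvable
                # ones are returned as the SID string itself.
                if ($ace.IdentityReference.Value -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Sid       = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Report first.
$orphans = Find-OrphanedAce -Path 'D:\Profiles'    # assumption: FSLogix share or similar
$orphans | Format-Table -AutoSize

# Remove only explicit entries; inherited ones must be fixed at their source.
foreach ($o in $orphans | Where-Object { -not $_.Inherited }) {
    $acl = Get-Acl -LiteralPath $o.Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $o.Sid -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $o.Path -AclObject $acl
}
```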
Q. I have multiple ADFS servers. In the Key Vault, which certificate needs to be imported? Please guide.
The cert that lets users get to your ADFS sign-in page without a certificate error.
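The certificate in that answer is the one ADFS binds to its HTTPS endpoint, the service communications certificate. As an added example (not from the video or the thread), this script picks it out on the ADFS server by thumbprint, checks it before exporting, and imports the PFX into Key Vault with Az.KeyVault. The vault name, certificate name and temporary file path are assumptions.

```powershell
# Added example: export the ADFS SSL (service communications) certificate and
# import it into Azure Key Vault. Part 1-2 runs on an ADFS server (ADFS module);
# part 3 wherever Az.KeyVault is installed and Connect-AzAccount has run.
# All servers in one ADFS farm present the same certificate, so any one will do.

# 1. Find the certificate bound to the ADFS HTTPS endpoint.
$ssl        = Get-AdfsSslCertificate | Select-Object -First 1
$thumbprint = $ssl.CertificateHash
$cert       = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"

# Sanity checks before exporting: private key present and name covers the farm.
if (-not $cert.HasPrivateKey) {
    throw "Private key for $thumbprint is not available on this host"
}
$farmHost = (Get-AdfsProperties).HostName
if ($cert.DnsNameList.Unicode -notcontains $farmHost) {
    throw "Certificate $thumbprint does not cover the farm name $farmHost"
}

# 2. Export to PFX with a random one-time password kept only in memory.
$pfxPath     = Join-Path $env:TEMP 'adfs-ssl.pfx'           # assumption
$pfxPassword = ConvertTo-SecureString -String ([guid]::NewGuid().Guid) -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Import into Key Vault (vault and certificate names are assumptions).
Import-AzKeyVaultCertificate -VaultName 'kv-avd-sso' -Name 'adfs-ssl' `
    -FilePath $pfxPath -Password $pfxPassword

# 4. Do not leave the PFX on disk once the import is confirmed.
Remove-Item -Path $pfxPath -Force
```

If a Web Application Proxy publishes the sign-in page externally, confirm the certificate on the proxy is the same one, since that is what external users actually see.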
In our enterprise we log in to a cert portal to install the certificate manually. Wondering how the client is able to reach the cert portal, which is HTTPS, without a certificate installed. Is it done by the public certificate of the browser?
As I showed, you can push certs with GPOs. So I would do this for the corporate certs and let everyone use the cert portal for things they want to request.
So, if I understood you correctly, in the Add Roles and Features wizard: Select All and -> Enter -> Enter -> Enter -> Enter.
Thank you for this tutorial. I will be referring to it many times. As the new "IT Guy" of a 4 year old company and roughly 200 employees I am beginning their transition of all their computers being on a Workgroup to a Domain.
Me: Step 1 - Create DC
Step 2 - Join PCs to DC
Step (-2.5) Upgrade 97 computers running Win10 Home to Pro. #$@&!
Wow…sounds like Azure AD Join and Microsoft Endpoint Manager may be a help there to automate things.
Automation is the way to do the work of a whole IT department by yourself
Hello, does SSO still work inside the WVD for the Office sign-in licence page and sign-in for, for example, Teams?
Good question…Teams…yes, but I assume other things as well…just haven't tested more.
@@AzureAcademy and is there more info about SSO with AADDS? Do you know if this feature is on the roadmap?
In its current form…NO, not that I know of. This is because of the nature of Azure AD Domain Services: you are not a domain/enterprise admin, so you cannot set up your own certificate authority.
what is 10.0.4.7 at 5:33? Do we need a separate VM to host ADFS?
That is the internal private IP address of my ADFS server; you should use whatever your internal private IP address is.
Hey man, Azure does not have an option for the NV configuration of the vCPUs, can you help me?
Sorry I don’t understand…are you saying that you need more vCPUs in the VM sku you want to use, but you are not sure how to do that?
@@AzureAcademy yes, sorry for my horrible English, I'm from Brazil
No worries, just want to be sure I am answering the question you are asking ☺️
Let’s try this and you tell me if it makes sense.
Go to your subscription, then in the blade on the left scroll down until you find Usage + quotas.
Find the virtual machine size you are interested in and see how many vCPUs you have available.
If you need more, there is a button to request an increase.
@@AzureAcademy obrigado, thanks man ;)
Always ☺️
Hi Dean, it looks like your last two links are not working.
►ADFS Web App Proxy Guide: docs.microsoft.com/en-us/prev...
►AD CA Docs: docs.microsoft.com/en-us/prev...
Hey Markus, Thanks for catching that...
the links are updated
►ADFS Web App Proxy Guide: tinyurl.com/AzureAcademy-ADFSWeb
►AD CA Docs: tinyurl.com/AzureAcademy-ADCerts
I worked so hard to move from ADFS to AzureAD authentication…
I understand Steven...this solution is for a particular audience and use case. If that isn't you...that's cool. Give your feedback to the team at the WVD TechCommunity...They WANT to hear from YOU!
Interested
…and? 😳
Be more advanced and make ADFS with Web Application Proxy. It is really needed.
Agreed…however this video was long enough
Very useful…
Thanks
Amazing 👍
Thanks