Azure Virtual Secure Administration Workstation – Part 4 – Configuring Entra SSO

Azure Secure Admin Workstation posts:

• Part 1 – VDI Environment
  • Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
• Part 2 – Firewalls and VNets
  • Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
• Part 3 – Session hosts and access
  • Adding our SAW VM to the HostPool, connecting and authenticating
• Part 4 – Configuring Entra SSO
  • Solving authentication and session establishment issues
  • Getting Entra SSO working!
• Public GitHub project:
  • zoak-solutions/AzureVirtualSAW (github.com)

---

Context and References

• After deploying a session host, was able to connect with the local administrator created with the VM, but not the Entra users in the group created.
• Got things working after reading these docs and applying the following:
  • Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn
  • Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication – Azure | Microsoft Learn

Troubleshooting and Errors

• After not being able to sign in with an Entra user, took a look at:

Error: Unable to connect right now

• Likely related to the AVD VM’s ability to talk to required Entra endpoints
  • An easy way to validate this is to add a temporary allow all outbound TLS