If you’re managing Azure Virtual Desktop (AVD) environments, you’ve probably noticed how frustrating it can be for users to sign in twice, once to the AVD client and again to the session host. This extra step isn’t just annoying; it can lead users to save credentials in insecure ways. The good news? You can eliminate that second login by enabling Single Sign-On (SSO) using Microsoft Entra and Windows 11.
In this blog post and the accompanying YouTube video, you’ll learn how to configure SSO for AVD step-by-step, following Microsoft’s official documentation. Whether you’re working with Hybrid Joined or Entra ID Joined session hosts, this guide will help you streamline the login experience and improve security across your environment.

Why Enable SSO in AVD?
SSO allows users to authenticate once and seamlessly access their AVD session without re-entering credentials. It improves user experience, reduces friction, and aligns with modern identity and access management practices. This is especially valuable in hybrid cloud setups where Windows AD and Entra ID coexist.
What You’ll Learn
The video walks through each configuration step with screen-recorded demos, including:
- Creating a dynamic group for session hosts
- Enabling Microsoft Entra Authentication for RDP
- Hiding the consent prompt for trusted devices
- Creating a Kerberos Server Object for hybrid environments
- Reviewing and aligning Conditional Access Policies
- Enabling SSO at the host pool level
- Testing and verifying the setup
Requirements
To follow along, you’ll need:
- Entra roles: Application Administrator or Cloud Application Administrator
- Domain and Enterprise Admin rights (if using Windows AD)
- Session hosts running Windows 11, Windows 10 Enterprise, or Windows Server 2022
- Hosts must be Entra Joined or Hybrid Joined (Entra Domain Services is not supported)
- Entra ID P1 or P2 licensing (recommended for dynamic groups and Conditional Access)
SSO is supported on the Windows App across Windows, macOS, iOS, and the web. The Remote Desktop Client is also supported but deprecated—so stick with the Windows App.
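A read-only check for the "testing and verifying" step, added here as an example and not taken from the post or the video. It assumes the Microsoft.Graph and Az.DesktopVirtualization modules are installed and that `Connect-AzAccount` has already been run; `$ResourceGroup` and `$HostPool` are placeholders for your own names. It covers the tenant and host pool settings, not the Kerberos Server Object.

```powershell
# Added example: audits the SSO settings configured in the steps above. Makes no changes.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder: your resource group
    [Parameter(Mandatory)] [string] $HostPool         # placeholder: your host pool name
)
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# Scopes as listed in Microsoft's SSO documentation; this script only reads.
Connect-MgGraph -Scopes 'Application.Read.All',
    'Application-RemoteDesktopConfig.ReadWrite.All' | Out-Null

# First-party apps that must have Entra authentication for RDP enabled
$apps = [ordered]@{
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'
    'Windows Cloud Login'      = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

$report = foreach ($name in $apps.Keys) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$($apps[$name])'"
    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration `
        -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue
    # Device groups for which the consent prompt is hidden
    $groups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup `
        -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                 = $name
        EntraRdpAuthEnabled = [bool]$cfg.IsRemoteDesktopProtocolEnabled
        ConsentHiddenFor    = ($groups.DisplayName -join ', ')
    }
}
$report | Format-Table -AutoSize

# Host pool: SSO is on when the RDP properties contain enablerdsaadauth:i:1
$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
$props = "$($pool.CustomRdpProperty)" -split ';' | Where-Object { $_ }
$ssoOn = $props -contains 'enablerdsaadauth:i:1'
[pscustomobject]@{ HostPool = $pool.Name; SsoEnabled = $ssoOn } | Format-Table -AutoSize

# Surface anything that leaves users on the double-prompt path
if ($report.EntraRdpAuthEnabled -contains $false) {
    Write-Warning 'Entra authentication for RDP is not enabled on every required app.'
}
if (-not $ssoOn) {
    Write-Warning "Host pool '$HostPool' does not set enablerdsaadauth:i:1."
}
```

Review the `ConsentHiddenFor` column carefully: every group listed there should contain only your session hosts, because devices in those groups connect without the consent dialog.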
Links
Create a Dynamic Group
https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership?WT.mc_id=AZ-MVP-5004159
Enable Microsoft Entra Auth for RDP
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?WT.mc_id=AZ-MVP-5004159#enable-microsoft-entra-authentication-for-rdp
Hide the Consent Prompt
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?WT.mc_id=AZ-MVP-5004159#hide-the-consent-prompt-dialog
Create a Kerberos Server Object
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises?WT.mc_id=AZ-MVP-5004159#install-the-azureadhybridauthenticationmanagement-module
Review Conditional Access Policies
https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd&WT.mc_id=AZ-MVP-5004159#prerequisites
Enable Single Sign-On at the Host Pool
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on?WT.mc_id=AZ-MVP-5004159#configure-your-host-pool-to-enable-single-sign-on