Great tip! Actually we just got these issues in a new VDI deployment with instant clone pools. Thanks.
@StephenWagner 2 years ago
Hope it helped! Thanks for the comment!
@LijpeDude 1 year ago
This is an excellent suggestion! We are running into this issue because we're in the midst of phasing out ADFS and migrating to PTA. Had a lot of issues with the non-persistent machines but this could be the solution! I've seen it before but I thought it only works for down-level Windows devices...thank you!
@StephenWagner 1 year ago
I'm glad you found my video! Hope it helped! And as always, I appreciate the feedback!
@LijpeDude 1 year ago
@StephenWagner And it works like a charm on our VDI environment!
@davocampo1 6 months ago
Stephen! Question for you - Is there a way to use SSO to sign people into their Work or School accounts in Win11 automatically? We're trying to build a Win11 gold image to replace Win10. We are using FSLogix to back up profiles and have RoamIdentity turned on. The issue we're facing is it's not roaming the work or school account and telling users to verify their account whenever they log in to a new VDI session. I just turned RoamIdentity off and am trying to set up Azure AD SSO, but it's not signing into work or school accounts automatically, and when I log into a new VDI, it throws an error saying the TPM has malfunctioned. - I'm a new SysAdmin, so I may have set something up incorrectly. Any help would be greatly appreciated.
@StephenWagner 6 months ago
Hello, Yes, Azure SSO is specifically designed to provide a single sign-on experience. If you are using SSO with hybrid domain joining and PRT, you need to turn off "Roam Identity". If you're using Seamless SSO with Azure, you can probably leave "Roam Identity" turned on. When you say that you're receiving prompts to log on, is this for Office Activation, Office sign-in, or is it to complete an MFA policy that your Azure tenant has enabled? In regards to your TPM errors, did you properly create your base without a TPM using ADK and WinPE (supported method)? Usually these errors are seen when that process isn't followed. Cheers
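A quick way to check the rule in the reply above on a running clone, as an added example that is not Stephen's script or anything from the video: it reads the FSLogix RoamIdentity value and the join/PRT state from dsregcmd and flags the combination the reply says to avoid. It assumes the standard FSLogix Profiles registry key and that an unset RoamIdentity means off.

```powershell
# Added diagnostic (not from the video or the comment thread). Run as admin
# inside a VDI session to compare the FSLogix Roam Identity setting with how
# the session actually obtains its Azure AD token.

$fslogixKey   = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$roamIdentity = (Get-ItemProperty -Path $fslogixKey -Name RoamIdentity `
                    -ErrorAction SilentlyContinue).RoamIdentity
if ($null -eq $roamIdentity) { $roamIdentity = 0 }   # assumption: unset = off

# dsregcmd /status prints "Key : Value" lines; keep the ones that matter here.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(\S+)') { $status[$Matches[1]] = $Matches[2] }
}
$hybridJoined = ($status['AzureAdJoined'] -eq 'YES') -and ($status['DomainJoined'] -eq 'YES')
$hasPrt       = ($status['AzureAdPrt'] -eq 'YES')

[PSCustomObject]@{
    HybridJoined = $hybridJoined
    AzureAdPrt   = $hasPrt
    RoamIdentity = [bool]$roamIdentity
} | Format-List

# Rule from the reply: hybrid join + PRT means the PRT is the identity anchor,
# so roaming identity material from another clone should be turned off.
if ($hybridJoined -and $hasPrt -and $roamIdentity -eq 1) {
    Write-Warning 'Hybrid joined with a PRT but RoamIdentity=1: turn Roam Identity off.'
} elseif (-not $hybridJoined) {
    Write-Host 'Not hybrid joined (Seamless SSO path): Roam Identity can stay on.'
} else {
    Write-Host 'Roam Identity setting is consistent with the join state.'
}
```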
@ChrisLuton 2 years ago
Oh man I've been fighting this for 4 months with Microsoft and Citrix. Definitely going to try your suggestion for SSO on non-persistent legacy AD joined only! Please let me know if anything has changed on this recently Stephen! Thanks!
@StephenWagner 2 years ago
Hey Chris, happy you found the video, I also have an accompanying blog post as well. All this should still be relevant and should also work in your environment. Please report back and let me know if it worked! Cheers!
@ronfisher4751 1 year ago
Nice video, and it just reiterates the nightmare that VDI has become with cloud integration. We are developing a complex stew of Horizon 8 Instant Win10 21H2 clones (testing with hybrid and non-hybrid join) along with AAD SSO/MFA, O365, OneDrive, FSLogix, DEM. The user experience is fraught with password and MFA authentication prompts from one session to the next. MFA tokens are not persisting from one logon to the next. Beyond frustrating.
@StephenWagner 1 year ago
Hey Ron, you should be able to get some of this patched up once you configure all the identity stuff properly. However, with that being said, this gets a lot easier with 2303 as it now supports hybrid join with instant clones and does not require ADFS.
@DoubleA-ARon 2 years ago
Hey Stephen, great video and site! What happens when you have an Azure conditional access policy that requires devices to be Hybrid AD joined, or enforces MFA? Every login, every MS app wants a password and MFA prompt, regardless of profile management. Instant clones are not supported by VMware for HAADJ, and the access policy wants HAADJ devices. I know an exception by location in the policy will fix this, but that doesn't seem to be an option. I tried the reg entry and excluding the OU from sync, but that's not the issue; it seems the policy is the issue, just not sure how to work around it without changing the policy, which will weaken security.
@StephenWagner 2 years ago
Technically you can Hybrid AD join on login, and then unjoin on logout, but this isn't a supported workflow (but I have heard of a lot of organizations doing this). It will require an Azure AD clean-up script to remove old Device objects. As for conditional access, that's a tough one. Why do you specifically require Hybrid joining? And when you mention the exclude OU from sync, are you referring to Azure AD Connect?