Wednesday, June 24, 2015

Azure RemoteApp Client Single Sign On using Azure Active Directory (AAD) and Windows 10

As you might know, there is currently no Single Sign On towards the Azure RemoteApp client based on locally logged-on credentials. When you install and open the Azure RemoteApp client, you are presented with the dialog below. This is an authentication against Azure Active Directory (Azure AD), and based on these credentials the Azure RemoteApp client retrieves the RemoteApps that have been assigned to you.

image

Currently in preview in Azure AD is the option to allow users to join their devices to Azure AD. If you enable this option, users can join a device to Azure AD and log on to that device using their Azure AD account (which is optionally synced from on-premises AD).

image

To configure this on the Windows 10 client (this option is only available on Windows 10), go to Settings and then About. There you click Join Azure AD.

image

You specify the domain name of your Azure AD, in this case rdsgurus.com.

image

You acknowledge the enrolment and click Continue.

image

Next, specify the account you want to use to join this device. This account obviously has to exist in Azure AD. And this is the account that has been added to the Azure RemoteApp collection, configured in the same Azure AD domain.

image

Confirm this is the correct organization and click Join.

image

And that’s it. The Windows 10 device is now joined to your Azure AD.

image

We can confirm this by going to the AAD in the Azure Portal, browsing to the user and opening the devices tab. Here we’ll see an overview of all the devices that this user joined to AAD.

image

We’re now able to log on to the device using the corporate (AAD) account.

image

When opening the Azure RemoteApp client and clicking Get Started, the client automatically signs in with the Azure AD account that is used to log on to the local device!

imageimage

Obviously, the current limitation of Azure RemoteApp Hybrid scenarios still applies: at this point there is no full Single Sign On experience towards the actual RemoteApp. This means you will be prompted when opening the first RemoteApp (with the option to save those credentials to your local credential store). A fix for this is on the roadmap.

But with this experiment, with Windows 10 as an AAD joined device, there is already one authentication prompt less! Now all we need to do is wait for Win10 to go GA! :)

3 comments:

  1. I tried to reproduce this result with our corporate Azure AD and it doesn't seem to work. After clicking Get Started the client prompts me and other users for a password. Did the functionality get lost in an update?

    1. "prompts me and other users for a password" to be correct, it prompts me for my credentials. The same way as it worked before joining the Azure AD.

  2. Such a lovely blog and well crafted, short and crisp. I was really looking for some informative blog like this one for research purpose on single sign on solutions. Thanks for the shoot out. Keep blogging.
