Windows 365 SSO


This is a quick post on the latest Windows 365 update: single sign-on (SSO) to Cloud PCs. On the 15th of December Microsoft announced the public preview of SSO, which was already on the roadmap; general availability (GA) is planned for June 2023.

Now let’s get started!

Please keep in mind that this feature is in preview.

Windows 365 without SSO

Currently, if you have deployed Cloud PCs via a provisioning policy, end users have to log in twice: once when they navigate to the web portal at https://windows365.microsoft.com and a second time when they connect to their Cloud PC. This is not a seamless experience for our end users. With the new SSO option, users connect to their Cloud PC without having to enter their password again.

Second authentication prompt without SSO

Preparing for Windows 365 SSO

Currently, the preview setting can be found within the provisioning policy, meaning that if you change your current provisioning policy you have to reprovision your Cloud PCs to use the SSO feature.

You can accomplish this in two ways: either create a new provisioning policy with the SSO setting enabled, or modify the existing provisioning policy and add the new setting. Note that a user can be targeted by only one provisioning policy, so if you create a new policy make sure your test user is no longer targeted by the current one.

Update the current provisioning policy

If you want to update your current provisioning policy, edit the policy and enable the Use single sign-on (preview) option. Make sure that you reprovision your Cloud PCs after updating the provisioning policy; otherwise the new setting will not be applied to the existing Cloud PCs.

New provisioning policy

For this demo, I have created a new provisioning policy and assigned it to a new group (W365-WE-ProvisioningPolicySSO).

  1. Navigate to endpoint.microsoft.com and log in with an account with the correct permissions

  2. Go to Devices –> Windows 365 –> Provisioning Policies

  3. Click on Create policy

Provisioning policy - General settings
  1. On the General page enter a Name and Description (Optional) for the new policy. I would recommend choosing a naming convention that will help you identify the configuration of this provisioning policy.

  2. Next, choose the Join type and configure it to use Azure AD Join

  3. Now select the Network type. For this policy I chose the simplest option, Microsoft hosted network.

  4. And here is the new setting: select the checkbox next to Use single sign-on (preview) and hit Next.

Provisioning policy - Image settings
  1. Choose your Image type and click on Next
Provisioning policy - Configuration
  1. Select the Language and Region you would like to use and hit Next to proceed to the assignments page.
Provisioning policy - Assignment
  1. Now we need to assign the policy to a group.
Provisioning policy - Review + create

(Re)provision a Cloud PC

As I said before, creating or changing a provisioning policy does not change anything on previously provisioned Cloud PCs. If you are not sure which provisioning policy a Cloud PC was provisioned from, you can create a dynamic device group containing all the Cloud PCs that belong to a certain provisioning policy.

Dynamic group with Cloud PCs per provisioning policy

  1. Navigate to Groups in the Microsoft Endpoint Manager admin center

  2. Select New group

New dynamic group
  1. Give the group a name and description (optional)

  2. Select Dynamic Device as Membership type and click on Edit dynamic query

Dynamic group membership rules
  1. Configure the following rule
  • Property = enrollmentProfileName
  • Operator = equals
  • Value = your provisioning policy name
  2. Hit the Create button and wait for the group membership to refresh.

Now you can validate based on the dynamic group which Cloud PC is provisioned with the newly built

(Re)provision

For this demo I created a new provisioning policy and removed my user from the previously assigned one. Because of that, you will notice that after reprovisioning the status of the old Cloud PC changes to In grace period.

In grace period: The grace period is triggered if the Windows 365 license is removed from the assigned user, or the provisioning policy is unassigned.
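The dynamic group steps above and the grace-period behaviour can both be checked from the command line. The following is an added example, not code from the original post: it creates the same dynamic device group (device.enrollmentProfileName equals the policy name) through the Microsoft Graph PowerShell SDK, reads the SSO flag on the policy, and then lists every Cloud PC with the policy it was provisioned from and its current status. It assumes the Microsoft.Graph SDK is installed, the signed-in admin can create groups and read Cloud PCs, and that the Cloud PC and provisioning policy objects are read from the Graph beta endpoint (deviceManagement/virtualEndpoint), whose property names (provisioningPolicyName, status, enableSingleSignOn) are beta and may still change. The group name is a hypothetical one chosen for this example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

# Added example, not from the original post. Assumptions: Microsoft.Graph SDK installed,
# Graph beta endpoint for Cloud PC objects, property names as documented for beta.

$PolicyName = 'W365-WE-ProvisioningPolicySSO'   # provisioning policy name used in this post
$GroupName  = "CloudPCs-$PolicyName"             # hypothetical name for the tracking group

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'CloudPC.Read.All' | Out-Null

# Exactly the rule the portal generates from Property / Operator / Value
$Rule = "(device.enrollmentProfileName -eq `"$PolicyName`")"

$Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $Group) {
    $Group = New-MgGroup -DisplayName $GroupName `
        -Description "Cloud PCs provisioned from policy '$PolicyName'" `
        -MailEnabled:$false -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}
Write-Host "Dynamic group '$($Group.DisplayName)' ($($Group.Id)) uses rule $Rule"

# Helper that follows @odata.nextLink, because both beta collections are paged
function Get-GraphCollection {
    param([string]$Uri)
    while ($Uri) {
        $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $Page.value
        $Uri = $Page.'@odata.nextLink'
    }
}

$Base   = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'
$Policy = Get-GraphCollection "$Base/provisioningPolicies" |
    Where-Object { $_.displayName -eq $PolicyName }
if (-not $Policy) { throw "Provisioning policy '$PolicyName' not found" }

# enableSingleSignOn is the beta property behind the "Use single sign-on" checkbox
Write-Host ("Policy '{0}': enableSingleSignOn = {1}" -f $Policy.displayName, $Policy.enableSingleSignOn)

# One row per Cloud PC; Cloud PCs not yet on the SSO policy are listed first
Get-GraphCollection "$Base/cloudPCs" | ForEach-Object {
    [pscustomobject]@{
        CloudPC     = $_.managedDeviceName
        User        = $_.userPrincipalName
        Policy      = $_.provisioningPolicyName
        Status      = $_.status              # e.g. provisioned, provisioning, inGracePeriod
        OnSsoPolicy = ($_.provisioningPolicyName -eq $PolicyName)
    }
} | Sort-Object OnSsoPolicy, User | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: both the dynamic group and the provisioningPolicyName on the Cloud PC only tell you which policy a Cloud PC came from, not which version of that policy. If you enabled Use single sign-on on an existing policy, Cloud PCs provisioned before the change still show the same policy name, so the reprovision step is still required for them.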

Single sign-on experience (web interface)

Once your Cloud PC has been reprovisioned, we are ready to test-drive the new SSO experience.

Navigate to the Windows 365 portal (https://windows365.microsoft.com) and log in with your Azure AD credentials. If the provisioning of your Cloud PC is complete, you will see your assigned Cloud PC.

Now let’s connect to our Cloud PC and see what happens.

Connect to Cloud PC

You will notice that the first time nothing seems to happen, because a pop-up is being blocked by your browser. You need to allow this pop-up and refresh the page. Later in this post I describe how you can allow this pop-up with a configuration profile for the Microsoft Edge browser.

Connect to Cloud PC - Pop-up

Once you have allowed the pop-up, you will see a second login screen where you need to authenticate again. After this authentication you are prompted with the following screen to Allow remote desktop connection.

Allow remote desktop connection - Pop-up

As soon as you hit Next the screen disappears and the connection to your Cloud PC starts. From the second connection onwards you will have a complete SSO experience.

Single Sign-On to your Cloud PC

Allow pop-up windows for Windows 365

During my initial testing, I noticed that when I signed in for the first time via the Windows 365 portal, a pop-up was being blocked by my Edge browser. To provide a seamless experience for our end users we can allow these pop-ups for specific websites. To accomplish this we create a new configuration profile based on the settings catalog and deploy it to our users.

Microsoft Edge - Windows 365 pop-up
  1. Navigate within the Microsoft Endpoint Manager admin center to devices –> Configuration profiles and click on Create profile
New configuration profile
  1. Select Windows 10 and later as the platform and select Settings catalog for the profile type
Create configuration profile
  1. Fill in the Basics information like the name and the description and click next

  2. In the Configuration settings tab of the wizard click on Add settings, search for "Allow pop-up" and hit search. The category for this setting is Microsoft Edge\Content settings, and the setting is called Allow pop-up windows on specific sites (User)

Microsoft Edge Content settings
  1. Select the setting in the right pane and configure it on the left. Here you can add the specific websites for which Microsoft Edge is allowed to show pop-ups.

  2. Enable the setting, add the URL https://windows365.microsoft.com and hit Next

  3. For this demo, you can skip the Scope tags and go directly to the Assignments. Include all users in the assignment tab and click on Next and review the settings. If everything is set up correctly click the Create button to create the configuration profile.

New configuration profile
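After the profile has been assigned it is worth checking on a client that the allow-list actually arrived, and that it is not wider than it needs to be. The script below is an added example and not part of the original post. The settings catalog entry Allow pop-up windows on specific sites corresponds to the Microsoft Edge policy PopupsAllowedForUrls; the script assumes that, like Group Policy, the MDM-delivered ADMX policy is written under Software\Policies\Microsoft\Edge\PopupsAllowedForUrls as numbered REG_SZ values, in HKCU for a user-scoped setting and HKLM for a device-scoped one. Run it in the user's session on a device that has synced the profile.

```powershell
# Added example, not from the original post. Assumption: Edge reads the
# PopupsAllowedForUrls list from the Policies\Microsoft\Edge registry key.

$Expected = 'https://windows365.microsoft.com'   # the only origin the profile should allow

$Paths = @(
    'HKCU:\Software\Policies\Microsoft\Edge\PopupsAllowedForUrls'   # user-scoped setting
    'HKLM:\Software\Policies\Microsoft\Edge\PopupsAllowedForUrls'   # device-scoped setting
)

# Returns one object per allow-list entry found in either hive
function Get-EdgePopupAllowList {
    param([string[]]$RegistryPaths)
    foreach ($Path in $RegistryPaths) {
        if (-not (Test-Path $Path)) { continue }
        $Key = Get-Item $Path
        foreach ($Name in $Key.GetValueNames()) {
            [pscustomobject]@{
                Scope = $Path.Split(':')[0]    # HKCU or HKLM
                Index = $Name                  # list entries are stored as values named 1, 2, ...
                Url   = $Key.GetValue($Name)
            }
        }
    }
}

$Entries = @(Get-EdgePopupAllowList -RegistryPaths $Paths)

if (-not $Entries) {
    Write-Warning ("PopupsAllowedForUrls is not set; the Windows 365 pop-up stays blocked until the " +
                   "profile applies. Sync the device and check edge://policy (Reload policies).")
    return
}

$Entries | Format-Table -AutoSize

# The portal origin must be present...
if ($Entries.Url -notcontains $Expected) {
    Write-Warning "Expected '$Expected' in the allow-list but it is missing."
}

# ...and nothing else should be. A bare '*' allows pop-ups from every site, and any
# extra pattern widens the exception beyond what Windows 365 needs, so list them for review.
foreach ($Entry in $Entries | Where-Object { $_.Url -ne $Expected }) {
    $Severity = if ($Entry.Url -eq '*') { 'allows ALL sites' } else { 'not required for Windows 365' }
    Write-Warning ("Entry {0} in {1} = '{2}' ({3})" -f $Entry.Index, $Entry.Scope, $Entry.Url, $Severity)
}
```

If the registry key is present but Edge still blocks the pop-up, open edge://policy in the affected browser and click Reload policies; the page also shows whether the value came from the user or the device scope, which helps when both a user-scoped and a device-scoped profile target the same machine.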

Single sign-on experience (Windows 365 app)

Of course, the web portal is not the only client that can be used to connect to your Cloud PC. With the same change in the provisioning policy, the following is the experience when you connect to your Cloud PC via the new Windows 365 app.


That’s it! In this post, I tried to explain how to configure the new Single Sign-On experience for your Cloud PCs and how to get the best user experience for your end users. I think this experience is great for our end users!

Hope you enjoyed this post, if you have any questions or feedback please feel free to reach out to me.

Have a great weekend!

Sources

What's new in Windows 365

Create a provisioning policy
