Windows 365 identity and authentication
A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines:
- The types of Cloud PCs the user has access to.
- The types of non-Cloud PC resources the user has access to.
A device can also have an identity determined by its join type to Microsoft Entra ID. For a device, the join type defines:
- If the device requires line of sight to a domain controller.
- How the device is managed.
- How users authenticate to the device.
Identity types
There are three identity types:
- Hybrid identity: Users or devices that are created in on-premises Windows Server Active Directory, then synchronized to Microsoft Entra ID.
- Cloud-only identity: Users or devices that are created and only exist in Microsoft Entra ID.
- External identity: Users who are created and managed outside of your Microsoft Entra tenant but are invited in to your Microsoft Entra tenant to access your organization's resources.
Note
Windows 365 does not support external identities.
Device join types
There are two join types that you can select from when provisioning a Cloud PC:
- Microsoft Entra Hybrid Join: If you choose this join type, Windows 365 joins your Cloud PC to the Windows Server Active Directory domain you provide. Then, if your organization is properly configured for Microsoft Entra hybrid join, the device is synchronized to Microsoft Entra ID.
- Microsoft Entra Join: If you choose this join type, Windows 365 joins your Cloud PC directly to Microsoft Entra ID.
The following table shows key capabilities or requirements based on the selected join type:
| Capability or requirement | Microsoft Entra hybrid join | Microsoft Entra join |
|---|---|---|
| Azure subscription | Required | Optional |
| Azure virtual network with line of sight to the domain controller | Required | Optional |
| User identity type supported for login | Hybrid users only | Hybrid users or cloud-only users |
| Policy management | Group Policy Objects (GPO) or Intune MDM | Intune MDM only |
| Windows Hello for Business sign-in supported | Yes, and the connecting device must have line of sight to the domain controller through the direct network or a VPN | Yes |
Authentication
To successfully access a Cloud PC, a user must authenticate, in turn, with both:
- The Windows 365 service.
- The Cloud PC.
Windows 365 offers single sign-on (defined as a single authentication prompt that can satisfy both the Windows 365 service authentication and Cloud PC authentication) as part of the service. For more information, see single sign-on.
Important
In order for authentication to work properly, the user's local machine must also be able to access the URLs in the Remote Desktop clients section of the Azure Virtual Desktop required URL list.
Windows 365 service authentication
Users must authenticate with the Windows 365 service when:
- They access windows365.microsoft.com.
- They navigate to the URL that maps directly to their Cloud PC.
- They use a Remote Desktop client to list their Cloud PCs.
This authentication triggers a Microsoft Entra ID, allowing any credential type that is supported by both Microsoft Entra ID and your OS.
Passwordless authentication
You can use any authentication type supported by Microsoft Entra ID, such as Windows Hello for Business and other passwordless authentication options (for example, FIDO keys), to authenticate to the service.
Smart card authentication
To use a smart card to authenticate to Microsoft Entra ID, you must first configure AD FS for user certificate authentication or configure Microsoft Entra certificate-based authentication.
Cloud PC authentication
Users must authenticate to their Cloud PC when:
- They navigate to the URL that maps directly to their Cloud PC.
- They use a Remote Desktop client to connect to their Cloud PC.
This authentication request is processed by Microsoft Entra ID for Microsoft Entra joined Cloud PCs and on-premises Active Directory for Microsoft Entra hybrid joined Cloud PCs.
Note
If a user launches the web browser URL that maps directly to their Cloud PC, they will encounter the Windows 365 service authentication first, then encounter the Cloud PC authentication.
The following credential types are supported for Cloud PC authentication:
- Windows desktop client
- Single sign-on
- Username and password
- Smartcard
- Windows Hello for Business certificate trust
- Windows Hello for Business key trust with certificates
Note
Smartcard and Windows Hello authentication require the Windows desktop client to be able to perform Kerberos authentication when used with Microsoft Entra Hybrid joined Cloud PCs. This requires the physical client to have line of sight to a domain controller.
- Windows store client
- Username and password
- Web client
- Single sign-on
- Username and password
- Android
- Single sign-on
- Username and password
- iOS
- Single sign-on
- Username and password
- macOS
- Single sign-on
- Username and password
Single sign-on (SSO)
Single sign-on (SSO) allows the connection to skip the Cloud PC VM credential prompt and automatically sign the user in to Windows through Microsoft Entra authentication. Microsoft Entra authentication provides other benefits including passwordless authentication and support for third-party identity providers. To get started, review the steps to configure single sign-on.
Without SSO, the client prompts users for their Cloud PC credentials for every connection. The only way to avoid being prompted is to save the credentials in the client. We recommend you only save credentials on secure devices to prevent other users from accessing your resources.
In-session authentication
Once you're connected to your Cloud PC, you may be prompted for authentication inside the session. This section explains how to use credentials other than username and password in this scenario.
In-session passwordless authentication
Windows 365 supports in-session passwordless authentication using Windows Hello for Business or security devices like FIDO keys when using the Windows Desktop client. Passwordless authentication is enabled automatically when the Cloud PC and local PC are using the following operating systems:
- Windows 11 Enterprise with the 2022-10 Cumulative Updates for Windows 11 (KB5018418) or later installed.
- Windows 10 Enterprise, versions 20H2 or later with the 2022-10 Cumulative Updates for Windows 10 (KB5018410) or later installed.
When enabled, all WebAuthn requests in the session are redirected to the local PC. You can use Windows Hello for Business or locally attached security devices to complete the authentication process.
To access Microsoft Entra resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. To enable this method, follow the steps in Enable FIDO2 security key method.
In-session smart card authentication
To use a smart card in your session, make sure you've installed the smart card drivers on the Cloud PC and allow smart card redirection as part of managing RDP device redirections for Cloud PCs. Review the client comparison chart to make sure your client supports smart card redirection.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for