Introduction
Azure Virtual Desktop (AVD) is a desktop and app virtualization service running in Azure. To ensure secure and efficient access to AVD, it’s crucial to understand the various authentication methods available. In this blog post of my series about “What is AVD?“, you’ll explore the different authentication methods, their features, pros, and cons. If you don’t know what AVD is, just read this blog post: What is Azure Virtual Desktop?
Microsoft Entra ID Authentication
Entra ID is Microsoft’s cloud-based identity and access management service. It allows users to sign in and access resources in Azure, Microsoft 365, and other SaaS applications. Entra ID’s main features are:
- Single Sign-On (SSO): Provides seamless access to multiple applications with one set of credentials.
- Multi-Factor Authentication (MFA): Enhances security by requiring additional verification methods.
- Conditional Access Policies: Controls access based on conditions like user location, device state, and more.
Entra ID authentication also comes with a lot of pros like:
- Enhanced Security: MFA and Conditional Access policies significantly improve security.
- User Convenience: SSO reduces the need for multiple passwords, simplifying the user experience.
- Scalability: Easily scales with your organization’s growth and integrates with various cloud services.
For Entra ID authentication there are some cons you have to consider like:
- Complexity: Initial setup and configuration can be complex, especially for large organizations.
- Dependency on Internet: Requires a stable internet connection for authentication.
- No Kerberos authentication for cloud-only identities: a user who exists only in Entra ID cannot authenticate to an SMB file share with Kerberos, which matters for FSLogix profile containers.
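The MFA and Conditional Access features listed above are usually combined into one policy scoped to AVD. The script below is an added example and not code from the original post: it creates such a policy with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the caller holds the Conditional Access Administrator role, and that a group named AVD-Users exists (the group name and the policy name are assumptions). The target applications are looked up by display name rather than by hard-coded app IDs; the Windows Cloud Login entry is only relevant when session hosts are Entra joined and use single sign-on.

```powershell
# Added example, not from the original post: a Conditional Access policy that
# requires MFA for Azure Virtual Desktop sign-ins, created with the Microsoft
# Graph PowerShell SDK. Assumptions: Microsoft.Graph is installed, the caller
# is a Conditional Access Administrator, and a group 'AVD-Users' exists.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Resolve the target applications by display name instead of hard-coding app IDs.
# 'Windows Cloud Login' only matters for Entra-joined session hosts with single sign-on.
$targetApps = @()
foreach ($name in 'Azure Virtual Desktop', 'Windows Cloud Login') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if ($sp) { $targetApps += $sp.AppId } else { Write-Warning "Service principal '$name' not found; skipping." }
}
if (-not $targetApps) { throw 'No AVD service principal found in this tenant.' }

$group = Get-MgGroup -Filter "displayName eq 'AVD-Users'"   # assumed group name
if (-not $group) { throw "Group 'AVD-Users' not found." }

$policy = @{
    displayName = 'AVD - require MFA'
    # Report-only first: review the sign-in logs, then switch the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = $targetApps }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Re-prompt every hour so a stolen token on a shared host does not stay
        # valid for a whole day; tune the interval to your risk appetite.
        signInFrequency = @{
            isEnabled          = $true
            value              = 1
            type               = 'hours'
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

The policy is created in report-only mode on purpose: check the Conditional Access insights in the sign-in logs for unexpected blocks before flipping the state to `enabled`, otherwise a typo in the group or application scope locks users out of their desktops.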
Active Directory Domain Services (AD DS)
Traditional on-premises Active Directory, extended to Azure by synchronizing identities with Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync. With your identities synced to the cloud (hybrid identities) you get benefits and features like:
- Centralized Domain Management: Manages user accounts, groups, and devices centrally.
- Group Policy Management: Applies policies to users, computers and AVD session hosts within the domain.
- Integration with On-Premises Infrastructure: Seamlessly integrates with existing on-premises AD infrastructure.
AD DS authentication also comes with a lot of pros like:
- Familiarity: Many organizations are already familiar with AD DS, making it easier to manage.
- Control: Provides granular control over domain resources and policies.
- Compatibility: Works well with legacy applications and systems.
For AD DS authentication there are some cons you have to consider like:
- Maintenance: Requires ongoing maintenance and management of domain controllers.
- Scalability: Scaling can be challenging and may require additional infrastructure.
- Complexity: Managing a hybrid environment can be complex and resource-intensive.
Entra ID Domain Services (Entra ID DS)
Managed domain services such as domain join, group policy and LDAP, without the need to deploy, manage and patch domain controllers in the cloud. You still need a management VM to manage GPOs and the AD structure, but there are some handy features that come with Entra ID Domain Services:
- Managed Domain Services: Provides domain join, group policy, and LDAP services.
- Compatibility: Compatible with traditional AD DS applications.
- Integration with Entra ID: Seamlessly integrates with Entra ID.
Entra ID DS authentication also comes with a lot of pros like:
- Reduced Management Overhead: Microsoft manages the domain services, reducing the need for manual maintenance.
- Scalability: Easily scales with your organization’s needs.
- Compatibility: Supports legacy applications that require traditional AD DS.
For Entra ID DS authentication there are some cons you have to consider like:
- Limited Customization: Less control over domain controllers and policies compared to on-premises AD DS.
- Cost: Can be more expensive than managing your own domain controllers.
- Dependency on Azure: Requires a stable connection to Azure services.
Conclusion
Choosing the right authentication method for Azure Virtual Desktop is crucial for ensuring security, user convenience, and efficient management. Each method has its own set of features, pros, and cons, and the best choice depends on your organization’s specific needs and existing infrastructure.
In my opinion Entra ID authentication is ideal for organizations looking for a cloud-first approach with enhanced security features. It has its perks and cons, especially that cloud-only identities cannot use Kerberos authentication, which FSLogix needs to mount profile containers over SMB. You can implement a workaround to still use FSLogix with cloud-only identities. More on that here: Azure File share with Entra ID cloud identities for FSLogix
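The Kerberos gap is easiest to see on a session host. The following diagnostic is an added example and not part of the original post: it reads the host's join state from `dsregcmd`, touches the FSLogix share on Azure Files, and checks whether a Kerberos service ticket for the share's `cifs/` SPN was obtained. The storage account name and share name are placeholders you replace with your own.

```powershell
# Added example, not from the original post: run on an AVD session host to show
# how it is joined and whether the FSLogix share on Azure Files is reachable with
# Kerberos. The storage account and share names below are placeholders.
param(
    [string]$StorageAccount = 'contosoprofiles',
    [string]$ShareName      = 'fslogix'
)

$fqdn = "$StorageAccount.file.core.windows.net"

# 1. Join state of the host, parsed from dsregcmd /status.
$status = dsregcmd /status
$joined = @{}
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $m = $status | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    $joined[$key] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}
'Entra joined: {0}   Domain joined: {1}' -f $joined.AzureAdJoined, $joined.DomainJoined

# 2. Touch the share so the SMB client requests a ticket, then look for the
#    cifs/<storage account FQDN> service ticket in the Kerberos ticket cache.
$reachable = Test-Path "\\$fqdn\$ShareName"
$hasTicket = [bool](klist | Select-String -SimpleMatch "cifs/$fqdn" -Quiet)
'Share reachable: {0}   Kerberos ticket for cifs/{1}: {2}' -f $reachable, $fqdn, $hasTicket

# 3. What FSLogix on this host has been configured to use.
$fsl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
if ($fsl) { 'FSLogix Enabled={0}  VHDLocations={1}' -f $fsl.Enabled, ($fsl.VHDLocations -join ';') }
else      { 'No FSLogix profile settings found on this host.' }

# An Entra-only host (no AD DS / Entra ID DS join) with no ticket is exactly the
# case the Kerberos caveat is about: FSLogix cannot mount the share with this identity.
if ($joined.AzureAdJoined -eq 'YES' -and $joined.DomainJoined -eq 'NO' -and -not $hasTicket) {
    Write-Warning "Entra-only host without a Kerberos ticket for $fqdn. FSLogix cannot mount the share with this identity; use the cloud-only workaround."
}
```

On a domain-joined or hybrid-joined host with Azure Files configured for AD DS or Entra Kerberos authentication you expect `DomainJoined : YES` (or a hybrid state) and a `cifs/` ticket in the output; on a cloud-only Entra-joined host the ticket is missing and the warning fires, which is the situation the workaround post addresses.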
AD DS is suitable for those with existing on-premises infrastructure and a need for granular control (GPOs). If you have to choose between the two, pick AD DS over Entra ID DS. In my point of view Entra ID DS is not the ideal solution for an AVD infrastructure; the management hassle of Entra ID DS is just annoying. Simply deploy a B-series VM with AD DS instead. It's much cheaper and the management of the AD is way easier (keep in mind that a single domain controller is a single point of failure for logons, so add a second one once the environment matters).
Sources:
Identity and access management for Azure Virtual Desktop – Cloud Adoption Framework | Microsoft Learn
Azure Virtual Desktop identities and authentication – Azure | Microsoft Learn