
Passwordless Authentication with Azure Virtual Desktop


Passwordless authentication is the future, but Azure Virtual Desktop has specific requirements and limitations. Here's the current state and what to expect.

AVD Passwordless Support

AVD supports the following passwordless methods:

  • Windows Hello for Business
  • FIDO2 security keys
  • Certificate-based authentication

But there are caveats depending on your identity configuration.

Requirements

For Windows Hello for Business

| Requirement | Details |
| --- | --- |
| Session host OS | Windows 10/11 (20H2+) |
| Host pool type | Personal or Pooled |
| Identity | Hybrid Azure AD joined |
| FSLogix | Works with some limitations |

For FIDO2 Security Keys

| Requirement | Details |
| --- | --- |
| Session host OS | Windows 11 22H2+ |
| Host pool type | Personal recommended |
| Identity | Azure AD joined (cloud-only) |
| Client | Windows Remote Desktop client (MSIX) |

Hybrid Identity Limitation

For organisations with hybrid identity (on-prem AD synced to Azure AD):

  • FSLogix profiles require Kerberos - needs password or certificate
  • SMB file share authentication - needs password-based auth
  • Windows Hello for Business - works, but some scenarios need password fallback

# Hybrid joined session hosts
resource "azurerm_virtual_machine" "avd" {
  # ... VM config ...

  identity {
    type = "SystemAssigned"
  }

  # Hybrid join requires line of sight to DC
  # And specific AD group policies
}

Cloud-Only Configuration

For pure Azure AD (Entra ID) environments:

resource "azurerm_virtual_desktop_host_pool" "this" {
  name                = "hp-passwordless"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  type                = "Pooled"
  load_balancer_type  = "BreadthFirst"

  # Required for passwordless
  custom_rdp_properties = "enablerdsaadauth:i:1"
}

Azure AD Authentication

Enable Azure AD authentication for the session:

custom_rdp_properties = join(";", [
  "enablerdsaadauth:i:1",
  "enablecredsspsupport:i:0",
  "authentication level:i:2"
])

FSLogix and Passwordless

The challenge: FSLogix needs to mount SMB shares, which traditionally requires Kerberos authentication.

Option 1: Azure AD Kerberos

Azure Files with Entra Kerberos (Azure AD Kerberos) authentication:

resource "azurerm_storage_account" "profiles" {
  name                     = "stfslogixprofiles"
  resource_group_name      = azurerm_resource_group.this.name
  location                 = azurerm_resource_group.this.location
  account_tier             = "Premium"
  account_kind             = "FileStorage"
  account_replication_type = "LRS"

  azure_files_authentication {
    directory_type = "AADKERB"
  }
}

Limitation: Only works for hybrid users (synced from on-prem) as of now.

Option 2: Storage Key (Less Ideal)

Mount with storage account key instead of user credentials:

# FSLogix profile settings (registry: HKLM\SOFTWARE\FSLogix\Profiles)
VHDLocations=\\storage.file.core.windows.net\profiles
AccessNetworkAsComputerObject=1

This works but doesn't provide per-user access control at the SMB level.

Client Configuration

Windows Remote Desktop Client

For FIDO2 support, use the MSIX version from Microsoft Store, not the MSI installer.

Users sign in:

  1. Open Remote Desktop client
  2. Subscribe to workspace
  3. Authenticate with FIDO2 key (when Azure AD auth is enabled)
  4. Connect to session (may prompt for FIDO2 again)

Web Client

Limited passwordless support:

  • Passkeys (FIDO2) work for initial authentication
  • Session authentication may still prompt for password

Conditional Access

Create a policy that enforces passwordless methods. In the Graph conditionalAccessPolicy shape below, the two application IDs are Azure Virtual Desktop (9cdead84-a844-4324-93f2-b2e6bb768d07) and the Remote Desktop client (a4a365df-50f1-4397-bc59-1a1564b8bb9c); replace the strength ID placeholder with the ID of your passwordless authentication strength:

{
  "displayName": "Require passwordless for AVD",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": [
        "9cdead84-a844-4324-93f2-b2e6bb768d07",
        "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "authenticationStrength": {
      "id": "PASSWORDLESS_MFA_STRENGTH_POLICY_ID"
    }
  }
}
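A policy that exists but sits in report-only mode, carries exclusions, or targets only one of the two app IDs does not enforce passwordless. The following is an added example, not code from the original post: a Python audit over the policy objects Graph returns from GET /identity/conditionalAccess/policies, checking that an enabled policy requires an authentication strength for both AVD app IDs. The sample policies and the group ID in them are constructed.

```python
import json

# Entra application IDs of Azure Virtual Desktop and the Remote Desktop client (from the post).
AVD_APP_IDS = {
    "9cdead84-a844-4324-93f2-b2e6bb768d07",  # Azure Virtual Desktop
    "a4a365df-50f1-4397-bc59-1a1564b8bb9c",  # Microsoft Remote Desktop client
}


def audit_policies(policies):
    """Return (AVD app IDs covered by an enabled strength policy, list of findings)."""
    covered, findings = set(), []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        conds = p.get("conditions") or {}
        apps = set((conds.get("applications") or {}).get("includeApplications") or [])
        targets = AVD_APP_IDS if "All" in apps else AVD_APP_IDS & apps
        strength = (p.get("grantControls") or {}).get("authenticationStrength")
        if not targets or not strength:
            continue  # not an authentication-strength policy for AVD; ignore it
        state = p.get("state")
        if state != "enabled":  # report-only or disabled policies enforce nothing
            findings.append(f"{name}: state is {state!r}, so the strength is not enforced")
        else:
            covered |= targets
        users = conds.get("users") or {}
        if users.get("excludeUsers") or users.get("excludeGroups"):
            findings.append(f"{name}: has exclusions; excluded identities may still sign in with a password")
        if targets != AVD_APP_IDS:
            findings.append(f"{name}: covers only {sorted(targets)}; add {sorted(AVD_APP_IDS - targets)}")
    gap = AVD_APP_IDS - covered
    if gap:
        findings.append(f"no enabled policy requires an authentication strength for {sorted(gap)}")
    return covered, findings


# Constructed sample in the Graph response shape; BREAK_GLASS_GROUP_ID is a placeholder.
SAMPLE_RESPONSE = json.loads("""{"value": [
 {"displayName": "Require passwordless for AVD", "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["all"], "users": {"includeUsers": ["All"], "excludeGroups": ["BREAK_GLASS_GROUP_ID"]},
                 "applications": {"includeApplications": ["9cdead84-a844-4324-93f2-b2e6bb768d07"]}},
  "grantControls": {"operator": "OR", "authenticationStrength": {"id": "PASSWORDLESS_MFA_STRENGTH_POLICY_ID"}}},
 {"displayName": "Passwordless for RD client", "state": "enabled",
  "conditions": {"clientAppTypes": ["all"], "users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["a4a365df-50f1-4397-bc59-1a1564b8bb9c"]}},
  "grantControls": {"operator": "OR", "authenticationStrength": {"id": "PASSWORDLESS_MFA_STRENGTH_POLICY_ID"}}}
]}""")

if __name__ == "__main__":
    print(*audit_policies(SAMPLE_RESPONSE["value"])[1], sep="\n")
```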

Known Limitations

  1. Single sign-on (SSO) - Limited without Windows Hello
  2. Reconnection - May prompt for credentials again
  3. RD Gateway - Some scenarios still need password
  4. Third-party apps - May not support passwordless in session
  5. FSLogix - Complicated with pure passwordless

Migration Strategy

Phase approach:

  1. Phase 1: Enable MFA everywhere (SMS/Authenticator)
  2. Phase 2: Roll out Windows Hello for Business
  3. Phase 3: Add FIDO2 keys for admin users
  4. Phase 4: Evaluate full passwordless for AVD
  5. Phase 5: Conditional Access to require passwordless

Don't try to go passwordless on AVD before the rest of your environment.


Need help implementing passwordless authentication? Get in touch - we help organisations modernise their identity infrastructure.