I was watching a pile of videos, to combine the puzzles together, to get up to speed with Identity piece of the stack, and I must admit that now I understand why this video is so valuable. Thank you for the whole effort Dean !
ps. this video deserves much more likes!
Awesome, thanks
I've watched dozens of your videos Dean and this was one of the best - short, fast, clear and incredibly useful! Thank you!
Thanks Peter! If you liked this one, you’ll love the next one and I’m doing #Shorts now too 😃
Thank you for yet another awesome video. Please continue on with more azure identity videos on azure access package and onboarding.
I will see what I can do
Great video !!!
👍👍
Cool .. Love the Video
Thanks 👍👍
Great video, thanks for clarifying the different states.
👍👍
There is that awesome group policy that changes the default folder that devices land in when they join AD, so you don't have to drag and drop.
Yup
Thank you Dean. Another great video!
👍👍
Really helpful
👍👍
Always great videos! keep up the good work
👍👍
👌👌
👍👍
Thank you Dean, great video. By today, Does any of those states support WVD SSO?
Great question Victor! As of today the only SSO state that is supported end to end would be with your hybrid user identities, hybrid VMs or domain joined VMs.
It has also been requested that the new Azure AD join feature supports full end-to-end SSO and we will see when the product group can deliver that… Stay tuned!
That was very helpful. Thanks!
👍👍
Thanks a lot ;)
👍👍
Hi, thanks for the video. Just one question. At 6:49 you are showing four URLs you are adding to the "Site to Zone Assignment List". Where did you get these? The only documentation I know so far is for single sign-on to add one URL. Maybe you can point me in the right direction :).
Keep up the good work!
Thanks in advance and best regards
Thanks! This link can be found in the video description section under resources
Hi Dean, can you pls create a video on Terraform plz??
I have had this request several times...but I am still learning Terraform...so I’m working on it
Hi Dean, great video. Since AADDS is becoming more feature full can we have a video on Group Policy capabilities using AADDS, maybe against WVD Session Hosts? Thanks!
There is a lot about GPO and AADDS that is tough because you can’t edit the basic environment
But for a general WVD GPO...I’d say it is the same in AD as AADDS
Which for me is controlling idle time
Screen lock out time
Time is remote app sessions
One drive settings
@@AzureAcademy Thanks Dean.
👍👍
Dean, your "Azure Academy" banner may block the Application Menu sometimes.
Did it? I don’t think I noticed?
@@AzureAcademy yeah, for example, 6:52. But it doesn't really matter, just for your information.
Thanks!
Hi Dean! So this is what you look like huh! (insert smile emoji!)
Just a question please...
If you register, join or hybrid-join a device to AAD, then how does VPN compare to this in terms of security? I can see from your demo here that you gain access with SSO and don't need to sign in again once you're logged onto your device as it is considered safe. I gather the permission/Conditional Access policies would apply once you're logging in. Or perhaps you can tell me, am I missing something?
Do you still need to set up VPN Point-2-Site connection if you need to connect to resources in Azure with a registered device?
Thank you
Aubin Bakana
☺️ The authentication trust is not the same as network security. A VPN would create a secure encrypted tunnel from your client to your network. SSO is possible because of the relationship your client has to the environment.
So when I am a user from that environment and I’m on a device from that environment I can have SSO working.
Make sense?
@@AzureAcademy Thank you Dean. I know that SSO and security are not the same, but it certainly raises the issue of security, am I correct? So if I'm clear, remote logging in with a device that is trusted still leaves you vulnerable unless VPN encrypted. Am I correct? Or is it safe enough without VPN?
That is a big question...a VPN encrypts traffic between point A and B. Authentication over SSO to Azure AD has some public calls and encrypted calls. So if you want to be as secure as possible...Yes you can lock it down "MORE" with a VPN than how secure SSO is without it...let's say someone...somehow intercepts your Azure AD Auth and actually got your token...it would not allow them to SSO. SSO is dependent on the computer's and the user's relationship to the Authentication point. Since their user and machine are not in Azure AD...they would not be able to SSO...does that help?
@@AzureAcademy Yes, it does make total sense. Because the signal that is emitted by their device is a signal that is uniquely identified and will not be copied that easily. Can they not decipher the signal and imitate it, pretending they are the authentic user without the use of the signature? It seems like I need to look into SSO security in more detail.
As far as I know...NO you cannot. Reason is there are multiple security layers across multiple systems to make SSO work...and you would have to compromise them all to "own" someone's SSO.
But please let me know if you find anything different...I would love to learn as well 😁
Thanks Dean! I need to ask you some things every time 😅. First of all... If I don't have MDM configured... if I do a hybrid join with a WVD that is already in production... I expect nothing changes on the VM... Is this correct? Please can you be more specific on use cases with the three methods? And when does it make sense to use it... I think if you don't have an MDM like Microsoft mobile device management... it makes no sense to do it...what do you think?
Today you can do WVD with hybrid join, but “soon” we will be able to do Azure AD Join and won’t need a domain controller.
But Windows 10 multi-session is not supported by Intune / MEM yet.
Once it is and Azure AD Join support is there then you will need to answer the question of how you want to manage WVD.
@@AzureAcademy Yes, I think if they require things like group policies they will still rely on domain controllers?
Correct...the BIG question is...what do you use GPO for 😁
Is there a way to use Windows Hello for Business with the Remote Desktop App for WVD?
Yes you can, it works the same for remote apps or desktops
@@AzureAcademy Is there a setup guide? Because I tried it about 3 times with Microsoft Support to make it work, without success.
Are you asking for a setup guide on windows hello for business or for setting up WVD to work with it?
@@AzureAcademy Yes sir. But I think SSO would also do the work when it's AD joined.
Here it is! Let me know what you think
ruclips.net/video/_PrgdDH1oB4/видео.html&pp=ygUHYXZkIHNzbw%3D%3D
Do you have an example of that awesome GPO?
Do you mean the GPO I showed in the video? To enable hybrid join?
@@AzureAcademy Hi Dean, I mean the GPO that changes the default folder that devices land in when they join AD.
When I build my WVD VMs I use a special ADJoin account that I created...and granted it permissions over a specific OU...that way all the computer accounts that get joined are under that special OU...but there is another way
You can do this with the following command
redircmp
This will permanently change the default location for all new computer objects.
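The two approaches in the reply above (a join account delegated over one OU, or redirecting the default computer container with redircmp) as an added PowerShell example; this is not code from the video or from Azure Academy. The domain name, OU distinguished name and join account are placeholders, it assumes the ActiveDirectory RSAT module is installed, and the redircmp step needs Domain Admin rights and a domain functional level of Windows Server 2003 or later.

```powershell
# Added example, not from the original thread. All names below are placeholders.
# Run the redircmp part on a domain-joined admin workstation or domain controller;
# run the Add-Computer part on the session host VM that is being joined.
Import-Module ActiveDirectory

$domainName = "contoso.com"                              # placeholder domain
$targetOu   = "OU=WVD Session Hosts,DC=contoso,DC=com"   # placeholder OU DN

# 1. Show where new computer objects land today (CN=Computers by default).
"Current default computer container: $((Get-ADDomain).ComputersContainer)"

# 2. Refuse to redirect to an OU that does not exist; Get-ADOrganizationalUnit
#    throws when the -Identity DN cannot be found.
try {
    $null = Get-ADOrganizationalUnit -Identity $targetOu
}
catch {
    throw "Target OU '$targetOu' does not exist; create it (and link your GPOs to it) first."
}

# 3. Option A (the redircmp approach): permanently change the default location
#    for every new computer object in the domain.
redircmp $targetOu

# 4. Verify the redirect actually took effect before relying on it.
$newContainer = (Get-ADDomain).ComputersContainer
if ($newContainer -ne $targetOu) {
    throw "redircmp did not change the default container (still '$newContainer')."
}
"New default computer container: $newContainer"

# 5. Option B (the delegated join account approach): leave the domain default
#    alone and join this VM straight into the OU, using an account that was only
#    delegated 'create/delete computer objects' on that OU, not Domain Admin.
$joinCred = Get-Credential -Message "Delegated join account (placeholder: CONTOSO\svc-adjoin)"
Add-Computer -DomainName $domainName -OUPath $targetOu -Credential $joinCred -Restart
```

Option B is the least-privilege choice when the default container should stay untouched for the rest of the domain: the join account's rights are scoped to the one OU, so a leaked credential for it cannot create or delete computer objects anywhere else. Option A is simpler for a domain that only ever builds session hosts, but it changes behaviour for every join in the domain, which is why step 4 checks the result rather than assuming it.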
You hinted that WVD will not need AD DS in future roadmap~ Hahahahaha
Did I...hm....I guess we will have to wait and see ☺️