This article provides information about Hybrid Azure AD support in VMware Horizon View
Hybrid Domain Join: We are pleased to announce that the testing phase for hybrid domain join has been completed and all Horizon 8 editions now support Hybrid Join with the caveats outlined below. Horizon 8 now supports hybrid Microsoft AD / Azure AD: virtual desktops can now join both Microsoft AD and Azure AD for unmanaged machines, automated full clones and instant clones.

Prompt Azure PRT issuance: An Azure PRT on VDI desktops enables end users to SSO into Azure AD assigned applications, hence timely issuance of the Azure PRT is important.

Recommendation for Instant Clone performance - ADFS: Azure Primary Refresh Token (PRT) issuance is much quicker (of the order of 2-3 minutes) when on-prem AD is connected to Azure AD using ADFS as compared to Azure AD Connect.

Recommendation for persistent clones: Both the ADFS and Azure AD Connect methods of connecting on-prem AD to Azure AD are suitable.

Hybrid Join certificates are handled outside of the Horizon Suite by the chosen connectivity mechanism (ADFS or Azure AD Connect).

VMware Horizon 7 supports limited deployment types for Azure Active Directory.

Supported Azure AD deployment types: Only a Hybrid Azure AD deployment (Hybrid Azure AD Join), where the on-prem Active Directory is connected to Azure AD, is supported. On-prem Active Directory can be connected to Azure AD using either Azure AD Connect or ADFS. With the ADFS method of connectivity the Azure AD Primary Refresh Token (PRT) is issued much faster than with the Azure AD Connect method. The Azure AD PRT is used to Single Sign-On into Azure AD assigned resources. See the Microsoft Azure AD documentation to learn more about the Azure AD PRT. To connect your on-prem Active Directory to Azure AD, please refer to the Microsoft Azure AD documentation.

Supported Horizon pool types: Manual and Automated full clone desktop pools are supported with both methods of connectivity, i.e. Azure AD Connect or ADFS. Instant clones are supported only with the ADFS method of connectivity.
Known Limitations: Implementation of True SSO has not been tested in a Hybrid AAD based environment yet. With the True SSO feature, users are not required to also enter Active Directory credentials in order to use a virtual desktop or published desktop or application. SSO into Azure AD assigned resources will not work until the desktop VM is in a state where it can issue an Azure AD Primary Refresh Token (PRT) on the end user login. Example: if Office is an Azure AD assigned resource, then while there is no PRT there will be a period where SSO to https://www.office.com fails. You can verify the status using PowerShell on the virtual machine in question:

dsregcmd /status | findstr AzureAdPrt

The AzureAdPrt status will report as YES once the desktop is ready to authenticate.

Best Practices: On the deletion or rebuild of any pool or virtual machine in a full clone pool, the newly created VM uses a different VM name and adds a new device account in Active Directory. The old device entry, which is no longer useful, remains in AD. To avoid this situation, select the "Allow Reuse of Existing Computer Accounts" check box when creating a full clone pool. When the desktop pool is deleted from Horizon 8, computer accounts are not removed from AD; the administrator must remove them from Active Directory.

This support is available for any Horizon version that is currently under support. For the list of currently supported Horizon versions, please see the end-of-life details: https://lifecycle.vmware.com/#/
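As an added example (not part of the VMware KB article), the following PowerShell script wraps the dsregcmd check above: it parses the Key : Value output of dsregcmd /status, confirms the desktop is actually hybrid joined, and polls until AzureAdPrt reports YES, recording how long PRT issuance took after logon. The field names are the ones dsregcmd prints; the 600-second timeout and 15-second poll interval are assumed defaults.

```powershell
# Added example, not from the VMware KB: wait for the Azure AD PRT on a VDI desktop
# and report the issuance delay. Field names (DomainJoined, AzureAdJoined, AzureAdPrt,
# AzureAdPrtUpdateTime) are dsregcmd's own; timeout and poll interval are assumptions.

function Get-DsregState {
    # Turn each "Key : Value" line of dsregcmd /status into a hashtable entry.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Wait-AzureAdPrt {
    param(
        [int]$TimeoutSeconds = 600,  # assumption: well above the 2-3 minute ADFS case
        [int]$PollSeconds    = 15
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($true) {
        $s = Get-DsregState
        $hybrid = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
        if (-not $hybrid) {
            # Not hybrid joined: no PRT will ever be issued, so stop early.
            return [pscustomobject]@{ HybridJoined = $false; AzureAdPrt = $false; Seconds = 0 }
        }
        if ($s['AzureAdPrt'] -eq 'YES') {
            return [pscustomobject]@{
                HybridJoined = $true; AzureAdPrt = $true
                Seconds      = [int]$sw.Elapsed.TotalSeconds
                UpdateTime   = $s['AzureAdPrtUpdateTime']
            }
        }
        if ($sw.Elapsed.TotalSeconds -ge $TimeoutSeconds) {
            return [pscustomobject]@{ HybridJoined = $true; AzureAdPrt = $false; Seconds = [int]$sw.Elapsed.TotalSeconds }
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Usage: run in the end user's session right after logon to the desktop.
$result = Wait-AzureAdPrt
if ($result.AzureAdPrt) {
    "PRT issued after $($result.Seconds)s (updated $($result.UpdateTime)); Azure AD SSO should now work."
} elseif (-not $result.HybridJoined) {
    "Desktop is not hybrid Azure AD joined; check Azure AD Connect / ADFS registration."
} else {
    "No PRT after $($result.Seconds)s; Azure AD SSO will fail until it is issued."
}
```

Running this on an instant clone and a full clone side by side gives a direct measurement of the issuance delay the recommendations above are based on.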
Product Documentation on Support for Azure Active Directory in Horizon 2206

Last Reviewed: October 2023
Next Review: December 2023