Hey everyone! I'm currently interning and I could really use some guidance on setting up a multi-tenant Azure Virtual Desktop (AVD) environment. We're shifting from an on-prem VMware setup to a hybrid model using Azure Local and AVD for multiple external tenants.
Here's what I'm trying to achieve:
- Each external tenant should log into the AVD client with their own credentials.
- They should have Windows Single Sign-On (SSO) on the session host after logging in.
- FSLogix profile containers need to work per user to keep their profiles secure and isolated.
- It's crucial that there's no cross-tenant synchronization.
I'm hitting some blockers with user authentication and wanted to know the best methods to achieve the setup outlined above. I've looked into a few options:
1. Pure B2B guest accounts: Good for resource access, but they don't support Windows SSO since they lack AD representation.
2. Forest trust with customer Active Directory: This could enable Windows SSO but requires each session host to connect to customer AD DCs, complicating things.
3. Shadow/local accounts: This setup works for SSO, but it involves manual mapping and lots of account management.
Does anyone have best practices or tips for a multi-tenant AVD setup that meets these needs without complicating things with cross-tenant setups or direct AD connections? Thanks in advance for any insights or resources you can share!
2 Answers
It's a tricky situation. While exact solutions may not be available yet, focusing on setting up Azure AD B2C could be beneficial. You can have external users log in with their own credentials and manage them separately. It's designed for scenarios involving multiple tenants and might help with SSO as well. Just be prepared to handle the complexity that comes with managing these identities.
Using local accounts mapped to B2B clients seems like a solid option if you want to avoid convoluted setups. Sure, it involves extra management, but it grants you the right amount of control without compromising the security and tenant isolation you need. Plus, it seems like you're already on the right path if SSO is a requirement, even if it means dealing with all the accounts manually.
Yeah, I get that. It's really about finding that balance between security and manageability, right?

That sounds interesting! Have you had any success with that approach? I'm curious about the SSO part because that seems crucial.