Product documentation
Citrix DaaS™
View PDF

Microsoft Entra single sign-on

November 14, 2025
Contributed by: 
C

You can leverage single sign-on (SSO) when using Microsoft Entra ID credentials to access virtual applications and desktops on Microsoft Entra joined or Microsoft Entra hybrid joined session hosts.

Supported infrastructure

The following is an overview of the infrastructure components supported for Microsoft Entra ID SSO:

Machine identity Citrix DaaS CVAD On-prem Citrix Workspace Citrix Storefront Citrix Gateway Service NetScaler Gateway
Microsoft Entra joined Yes No Yes No Yes Yes
Microsoft Entra hybrid joined Yes No Yes No Yes Yes

Supported identity providers

The The following is an overview of the Workspace identity providers supported for Microsoft Entra SSO:

Machine identity Entra ID Active Directory Active Directory + Token Okta SAML NetScaler Gateway Adaptive Authentication
Microsoft Entra joined Yes No No No Yes No No
Microsoft Entra hybrid joined Yes No No No Yes No No

NOTE

If you are planning to use SAML as your IdP, you must ensure your SAML provider is configured properly to support Entra based authentication. See SAML using Microsoft Entra ID and Microsoft Entra identities for workspace authentication.

System requirements

The following are the system requirements for using Microsoft Entra SSO:

  • Control plane: Citrix DaaS
    • Citrix Cloud Commercial (US, EU, and APS)
    • Citrix Cloud Japan
  • User portal: Citrix Workspace
  • Virtual Delivery Agent (VDA)
    • Windows: version 2507 or newer
  • Citrix Workspace app
    • Windows: version 2507 or newer
    • Linux: version 2508 or newer
    • Mac: version 2508 or newer
  • Session host OS:

Considerations

  • Microsoft Entra single sign-on is only supported when accessing Citrix Workspace through Citrix Workspace app. If your users access Citrix Workspace through a web browser, single sign-on will not work.
  • Auto Client Reconnect is not supported when Microsoft Entra single sign-on is used to log into the session. This feature is automatically disabled when this logon method is used. Session Reliability is still available for automatic reconnection in case of network disruptions.
  • When a virtual desktop is locked, the default behavior is to display the Windows lock screen. Depending on your authentication requirements, you might need to change the session lock behavior. See Session lock behavior for more details.

How to configure Microsoft Entra single sign-on

Azure and Microsoft Entra ID configuration

In order to leverage Microsoft Entra single sign-on, you must first allow Microsoft Entra authentication for Windows in your Microsoft Entra ID tenant, which enables issuing the required authentication tokens that allow users to sign in to the Microsoft Entra joined and Microsoft Entra hybrid joined session hosts. To achieve this, you must do the following:

  1. Register the Citrix applications (Resource app and Client app) in your Microsoft Entra ID tenant.
  2. Enable the Remote Desktop Security Configuration for the Citrix resource application.
  3. Add the Citrix client application as an approved client for the Citrix resource application.
  4. [Optional] Hide the user consent prompt dialog.
  5. Create a Kerberos server object

The person making the Azure configuration must be assigned one of the following Microsoft Entra built-in roles or equivalent at a minimum:

To complete the Azure configuration, you will need to use the Microsoft Graph PowerShell SDK or Microsoft Graph API with a tool like Graph Explorer. Instructions are provided for how to complete the configuration with both PowerShell and Graph Explorer.

If you choose to use the Microsoft Graph PowerShell SDK, please note:

Register Citrix applications

You must register the Citrix Resource and Citrix Client applications in your Azure tenant.

You can use the following consent URLs to register the applications. Please make sure to register the Resource app first, followed by the Client app.

  • Citrix Cloud US, EU, APS
    • Resource app: https://login.microsoftonline.com/common/adminconsent?client_id=3a510bb1-e334-4298-831e-3eac97f8b26c
    • Client app: https://login.microsoftonline.com/common/adminconsent?client_id=85651ebe-9a8e-49e4-aaf2-9274d9b6499f
  • Citrix Cloud Japan
    • Resource app: https://login.microsoftonline.com/common/adminconsent?client_id=0027603f-364b-40f2-98be-8ca4bb79bf8b
    • Client app: https://login.microsoftonline.com/common/adminconsent?client_id=0fa97bc0-059c-4c10-8c54-845a1fd5a916

The following are the applications’ permissions:

Citrix Resource application

An application is created with the following permissions:

API name Claim value Permission Type
Microsoft Graph User.Read Sign in and read user profile Delegated

For Citrix Cloud US, EU, and APS, the application is called Citrix-Workspace-Resource (application ID 3a510bb1-e334-4298-831e-3eac97f8b26c).

For Citrix Cloud Japan, the application is called Citrix-Workspace-Resource-JP (application ID 0027603f-364b-40f2-98be-8ca4bb79bf8b).

Citrix Client application

An application is created with the following permissions:

API name Claim value Permission Type
Citrix-Workspace-Resource
Citrix-Workspace-Resource-JP		 user_impersonation
Citrix Entra ID SSO
Delegated
Microsoft Graph User.Read Sign in and read user profile Delegated

For Citrix Cloud US, EU, and APS, the application is called Citrix-Workspace (application ID 85651ebe-9a8e-49e4-aaf2-9274d9b6499f).

For Citrix Cloud Japan, the application is called Citrix-Workspace-JP (application ID 0fa97bc0-059c-4c10-8c54-845a1fd5a916).

Enable Remote Desktop Security Configuration

You must enable the Remote Desktop Security Configuration in the Citrix Resource application using one of two methods: PowerShell or Graph Explorer. Instructions for both are included, but you only need to follow one.

PowerShell

  1. Import the Authentication and Application Microsoft Graph modules and connect to Microsoft Graph with the Application.Read.All and Application-RemoteDesktopConfig.ReadWrite.All scopes:

    Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Beta.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
<!--NeedCopy-->

  2. Get the object ID for the service principals associated with the app registrations:

    Citrix Cloud US, EU, APS

    $CtxResourceSpId = (Get-MgServicePrincipal -Filter "AppId eq '3a510bb1-e334-4298-831e-3eac97f8b26c'").Id
$CtxClientSpId = (Get-MgServicePrincipal -Filter "AppId eq '85651ebe-9a8e-49e4-aaf2-9274d9b6499f'").Id
<!--NeedCopy-->

    Citrix Cloud Japan

    $CtxResourceSpId = (Get-MgServicePrincipal -Filter "AppId eq '0027603f-364b-40f2-98be-8ca4bb79bf8b'").Id
$CtxClientSpId = (Get-MgServicePrincipal -Filter "AppId eq '0fa97bc0-059c-4c10-8c54-845a1fd5a916'").Id
<!--NeedCopy-->

  3. Set the property isRemoteDesktopProtocolEnabled to true:

    If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId) -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId -IsRemoteDesktopProtocolEnabled
}
<!--NeedCopy-->

  4. Confirm the property isRemoteDesktopProtocolEnabled is set to true:

    Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId
<!--NeedCopy-->
Graph Explorer
  1. Get the object ID (OID) for the service principals associated with the app registrations from the Azure portal:
    1. Navigate to Microsoft Entra ID > Enterprise Applications.
    2. Remove the Application type filter if set so all applications are listed.
    3. Search for Citrix-Workspace-Resource / Citrix-Workspace-Resource-JP and note the associated object ID for the Resource application.
    4. Search for Citrix-Workspace / Citrix-Workspace-JP and note the associated object ID for the client application.
  2. In Graph Explorer, sign in with an account from the target Azure tenant that has the required permissions.

  3. Set the following query:

    • HTTP request method: PATCH
    • Microsoft Graph API Version: v1.0

    • Query:

       https://graph.microsoft.com/v1.0/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration
 <!--NeedCopy-->

    • Request body:

       {
     "@odata.type": "#microsoft.graph.remoteDesktopSecurityConfiguration"
     "isRemoteDesktopProtocolEnabled": true
 }
 <!--NeedCopy-->
  4. Select the Modify Permissions tab and ensure that you have consented to the Application.ReadWrite.All permission.
  5. Run the query.

See remoteDesktopSecurityConfiguration resource type for reference.

Approve the client application

You must explicitly add the Citrix Client application as an approved client in the Citrix Resource application. This can be done with either PowerShell or Graph Explorer. Instructions for both methods are provided, but you only need to follow one.

PowerShell

  1. Create an approvedClientApp object:

    $acp = New-Object -TypeName Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphApprovedClientApp
$acp.Id = $CtxClientSpId
<!--NeedCopy-->

  2. Add the client app to the approvedClientApp object:

    New-MgBetaServicePrincipalRemoteDesktopSecurityConfigurationApprovedClientApp -ServicePrincipalId $CtxResourceSpId -BodyParameter $acp
<!--NeedCopy-->

    The output should be similar to this:

    Id                                    DisplayName
--                                    -----------
87654321-wxyz-1a2b-3c4d-1029384756af  Citrix-Workspace
Graph Explorer

Set the following query and run it:

  • HTTP request method: POST
  • Microsoft Graph API Version: beta

  • Query:

     https://graph.microsoft.com/beta/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/approvedClientApps
 <!--NeedCopy-->

  • Request body:

     {
     "@odata.type": "#microsoft.graph.approvedClientApp",
     "id": "<clientAppOID>"
 }
 <!--NeedCopy-->

By default, users are prompted to allow the Remote Desktop connection when connecting to a Microsoft Entra joined or Microsoft Entra hybrid joined session host with Microsoft Entra single sign-on enabled, in which they must select Yes to allow single sign-on. Microsoft Entra will remember up to 15 unique session hosts for 30 days before prompting again.

You can hide this dialog by configuring a list of target devices. To configure the list of devices, you must create one or more groups in Microsoft Entra ID that contain the Microsoft Entra joined and/or Microsoft Entra hybrid joined session hosts and then authorize the groups in the resource application, up to a maximum of 10 groups.

NOTE

It is highly recommended to create a dynamic group to simplify the membership management for the group. While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.

Dynamic groups requires the Microsoft Entra ID P1 license or Intune for Education license. For more information, see Dynamic membership rules for groups.

Once the groups have been created, you can authorize them through either PowerShell or Graph Explorer. Instructions for both methods are provided, but you only need to follow one.

PowerShell
  1. Get the object ID (OID) of the group that contains the session hosts for which you want to hide the Remote Desktop connection prompt.

  2. Create a targetDeviceGroup object:

    $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<groupOID>"
<!--NeedCopy-->

  3. Add the client app to the approvedClientApp object:

    New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $CtxResourceSpId -BodyParameter $tdg
<!--NeedCopy-->

    The output should be similar to this:

    Id                                    DisplayName
--                                    -----------
87654321-wxyz-1a2b-3c4d-1029384756af  Entra-SSO-Desktops

  4. If you later need to remove a device group from the targetDeviceGroup object, run the following command:

    Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $CtxResourceSpId -TargetDeviceGroupId "<groupOID>"
<!--NeedCopy-->
Graph Explorer

Set the following query and run it:

  • HTTP request method: POST
  • Microsoft Graph API Version: v1.0

  • Query:

     https://graph.microsoft.com/v1.0/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/targetDeviceGroups
 <!--NeedCopy-->

  • Request body:

     {
     "@odata.type": "#microsoft.graph.targetDeviceGroup",
     "id": "<groupOID>"
 }
 <!--NeedCopy-->

NOTE

You can repeat these steps to add more groups if needed, up to a maximum of 10 groups.

If you later need to remove a device group from the targetDeviceGroup object, set the following and run the query:

  • HTTP request method: DELETE
  • Microsoft Graph API Version: v1.0

  • Query:

     https://graph.microsoft.com/beta/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/targetDeviceGroups
 <!--NeedCopy-->

See targetDeviceGroup resource type for reference.

Create a Kerberos server object

If your session hosts are Microsoft Entra hybrid joined, you must configure a Kerberos server object in the Active Directory domain where the user and computer accounts reside. See Create a Kerberos Server object for details.

Citrix Session Hosts

Ensure the system requirements for the session hosts are met:

  1. Ensure the session hosts are either Microsoft Entra joined or Microsoft Entra hybrid joined.
  2. Install the required operating system version and build as specified in the system requirements.
  3. Install the required VDA version as specified in the system requirements.

Microsoft Entra hybrid joined session hosts

If you are deploying Microsoft Entra hybrid joined session hosts with Citrix Machines Creation Services, Citrix Provisioning, or Windows 365, you can proceed to the next section. If you are provisioning Microsoft Entra hybrid joined hosts using any other tool or method, you must add the following registry value to your session hosts:

  • Key: HKLM\SYSTEM\CurrentControlSet\Control\Citrix
  • Value type: DWORD
  • Value name: AzureADJoinType
  • Data: 1

Session lock behavior

When a virtual desktop is locked, the default behavior is to display the Windows lock screen. At this point, the supported authentication methods for unlocking the desktop are username and password or smart card.

If you have a passwordless deployment where users don’t know their passwords, it’s recommended to configure the session lock behavior to disconnect the session instead of showing the lock screen.

  • Multi-session session hosts

    You can configure this behavior by enabling the Disconnect remote session on lock for Microsoft identity platform authentication setting through Intune or Group Policy. For detailed steps, see Configure the session lock behavior for Azure Virtual Desktop.

  • Single-session session hosts

    The Disconnect remote session on lock for Microsoft identity platform authentication setting is not currently supported. However, you can achieve the same behavior by creating a Windows scheduled task.

The following example script creates a scheduled task on single-session hosts that runs cmd.exe /c tsdiscon when the desktop is locked:

# Create the TaskService COM object
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()

# Get the root folder and create a new task definition
$rootFolder = $service.GetFolder("\")
$taskDef = $service.NewTask(0)

# Registration info
$taskDef.RegistrationInfo.Description = "Disconnect session when workstation is locked"

# Principal (Users group, least privilege)
$principal = $taskDef.Principal
$principal.GroupId = "S-1-5-32-545"
$principal.RunLevel = 0  # 0 = LeastPrivilege

# Settings
$settings = $taskDef.Settings
$settings.Enabled = $true
$settings.AllowDemandStart = $true
$settings.DisallowStartIfOnBatteries = $false
$settings.StopIfGoingOnBatteries = $false
$settings.AllowHardTerminate = $false
$settings.StartWhenAvailable = $false
$settings.RunOnlyIfNetworkAvailable = $false
$settings.IdleSettings.StopOnIdleEnd = $true
$settings.IdleSettings.RestartOnIdle = $false
$settings.Hidden = $false
$settings.RunOnlyIfIdle = $false
$settings.DisallowStartOnRemoteAppSession = $false
$settings.UseUnifiedSchedulingEngine = $true
$settings.WakeToRun = $false
$settings.ExecutionTimeLimit = "PT0S"   # Unlimited
$settings.Priority = 7
$settings.MultipleInstances = 1         # IgnoreNew

# Trigger: SessionLock
$trigger = $taskDef.Triggers.Create(11)  # 11 = TASK_TRIGGER_SESSION_STATE_CHANGE
$trigger.StateChange = 7                 # 7 = SessionLock
$trigger.Enabled = $true

# Action: tsdiscon
$action = $taskDef.Actions.Create(0)     # 0 = Exec
$action.Path = "cmd.exe"
$action.Arguments = "/c tsdiscon"

# Register the task
$rootFolder.RegisterTaskDefinition(
    "Disconnect on Lock",  # Task name
    $taskDef,
    6,                     # TASK_CREATE_OR_UPDATE
    $null, $null,          # No specific user/password
    3                      # TASK_LOGON_GROUP
) | Out-Null
<!--NeedCopy-->

If you later need to remove the scheduled task, you can run the following command:

Unregister-ScheduledTask -TaskName "Disconnect on Lock" -Confirm:$false
<!--NeedCopy-->

Citrix Access and Control Plane

Workspace authentication

You must configure Citrix Workspace to use Microsoft Entra ID or SAML as the IdP. Please refer to the Citrix Workspace documentation for details if needed.

NOTE

If you are planning to use SAML as your IdP, you must ensure your SAML provider is configured properly to support Entra based authentication. See SAML using Microsoft Entra ID and Microsoft Entra identities for workspace authentication.

Managing Workspace access

If your users will be accessing Citrix Workspace through a web browser, single sign-on will not work and they will be required to enter their credentials in the virtual desktop. Alternatively, you can enforce access through Citrix Workspace app in the store’s access configuration.

Enabling Microsoft Entra single sign-on in Workspace

After the Citrix Workspace authentication is configured, you must enable the use of Microsoft Entra single sign-on:

  1. Create a Service principal in Citrix Cloud:
    1. Go to Identity and access management > API access > Service principals.
    2. Click on Create service principal.
    3. Enter a name for the service principal and click Next.
    4. Set Access for the service principal:
      1. Select Full access, or
      2. Select Custom access > General > Workspace Configuration, then click Next.
    5. Set the secret expiration time and click Next.
    6. Click Complete.
    7. Save both the secret and ID.
  2. Download and extract the Citrix Workspace PowerShell module to your workstation, or any machine you can use for administrative purposes.
  3. Open PowerShell in the machine in which you downloaded the Citrix Workspace PowerShell module.

  4. Run the following commands:

    Import-Module -Name “<extractedPath>\Citrix.Workspace.StoreConfigs.psm1”
Set-StoreConfigurations -StoreUrl "https://<yourPrimaryStore>.cloud.com" -ClientId "<clientId>" -ClientSecret "<clientSecret>" -AzureAdSsoEnabled $True
<!--NeedCopy-->

  5. Run the following command to verify the setting was configured properly:

    Get-StoreConfigurations -StoreUrl "https://<yourPrimaryStore>.cloud.com" -ClientId "<clientId>" -ClientSecret "<clientSecret>"
<!--NeedCopy-->

Microsoft Entra hybrid joined session hosts

For session hosts that are Microsoft Entra hybrid joined, the following configuration is required:

  1. Create a Kerberos server object, if you haven’t already.
  2. If you are provisioning your sessions hosts with anything other than Citrix Machine Creation Services, Citrix Provisioning, or Windows 365, ensure the required settings are applied.
  3. Within Citrix Studio, assign the virtual apps and/or desktops to the appropriate Microsoft Entra users or groups. Any existing assignments to Active Directory users or groups may be removed, but it is not required.
  4. Configure the logon type for the Delivery Groups:
    1. If you do not already have the Citrix Remote PowerShell SDK installed, download it and install it on your workstation, or any machine you can use for administrative purposes.
    2. Open a PowerShell prompt in the machine in which you installed the Citrix Remote PowerShell SDK.

    3. Run the following commands:

      asnp citrix*
Get-XDAuthentication
Get-BrokerDesktopGroup -Name <dgName> | Set-BrokerDesktopGroup -MachineLogOnType "HybridAzureAd"
<!--NeedCopy-->

Client Device

Ensure the system requirements for the client devices are met:

  1. Install the required Citrix Workspace app version as specified in the system requirements.

Troubleshooting

Known issues

  • After enabling Microsoft Entra single sign-on, users may encounter the Microsoft error AADSTS293005 when launching their virtual desktop, indicating RDP protocol is not enabled for the requested resource application. Please configure the RemoteDesktopSecurityConfiguration property on resource service principal to enable RDP protocol. To resolve this issue, restart Citrix Workspace app.
  • Users may encounter a 30-second delay when launching sessions if their Citrix Workspace app does not support Microsoft Entra single sign-on or if they access Citrix Workspace via a web browser.
  • Users may encounter a 30-second delay when launching sessions if Microsoft Entra single sign-on is enabled on Citrix Workspace and the required Azure configuration has not been completed.
  • Single sign-on fails when using Microsoft Entra hybrid joined sessions hosts if the user account is a domain administrator.

When single sign-on fails

If single sign-on fails when accessing virtual desktops or applications, proceed as follows:

  1. Confirm that Microsoft Entra single sign-on is enabled in Citrix Workspace.

  2. Confirm that the client device is running the required version of Citrix Workspace app.

  3. If the user is accessing Citrix Workspace through a browser, instruct them to access Citrix Workspace through Citrix Workspace app.

  4. If the user is accessing Citrix Workspace through a browser in an Android or iOS device, instruct them to access Citrix Workspace through the Citrix Workspace app.

  5. Confirm that your session hosts are running the required Windows build.

  6. Confirm that your session hosts are running the required VDA version.

  7. Ensure that the Windows setting Always prompt for password upon connection is not enabled on the session hosts.

  8. Confirm that the AzureADJoinType setting is configured correctly in the session hosts:
    • Key: HKLM\SYSTEM\CurrentControlSet\Control\Citrix
    • Value type: DWORD
    • Value name: AzureADJoinType
    • Value data: 1 (Microsoft Entra hybrid joined); 2 (Microsoft Entra joined)

  9. Ensure that the virtual desktops or applications are assigned to Microsoft Entra identities instead of Active Directory identities in Citrix Studio.

  10. Confirm that the Delivery Groups’ logon type is configured correctly by running the following PowerShell command:

    Get-BrokerDesktopGroup -Name <deliveryGroupName>
<!--NeedCopy-->

    For Microsoft Entra joined session hosts, MachineLogOnType must be set to AzureAd. For Microsoft Entra hybrid joined session hosts, MachineLogOnType must be set to HybridAzureAd.

  11. If you are using a SAML IdP, confirm that the necessary configuration was implemented.

  12. Confirm that the Citrix Resource and Client applications are registered in the Microsoft Entra tenant.

  13. Confirm that the Remote Desktop Security Configuration is enabled on the Citrix Resource application.

  14. Confirm that the Citrix Client application was added as an approved client application in the Citrix Resource application.

  15. If your session hosts are Microsoft Entra hybrid joined, confirm that a Kerberos server object was created in the Active Directory domain where the user and computer accounts reside.
Microsoft Entra single sign-on
November 14, 2025
Contributed by: 
C
November 14, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.