Product documentation
Citrix Virtual Apps and Desktops
Current Release Service 2511 2507 LTSR 2503 2411 2407 2402 LTSR 2311 2203 LTSR
View PDF

Microsoft Entra single sign-on

April 28, 2026
Contributed by: 
C

You can leverage single sign-on (SSO) when using Microsoft Entra ID credentials to access virtual applications and desktops on Microsoft Entra hybrid joined session hosts.

For DaaS, see Microsoft Entra single sign-on.

Supported infrastructure

The following is an overview of the infrastructure components supported for Microsoft Entra single sign-on:

Machine identity Citrix DaaS CVAD on-prem Citrix Storefront Citrix Gateway Service NetScaler Gateway
Microsoft Entra hybrid joined Yes Yes Yes Yes Yes

Note:

In Citrix on-premises StoreFront, the Entra SSO is supported only through Modern UI experience. The Classic UI experience is not supported.

Supported access methods

The following are the access methods available in a Citrix environment:

  • Native access: You use the native Citrix Workspace app client to access Citrix Storefront and establish the session connection.
  • Browser access: You access Citrix Storefront through a browser and connect to the virtual app or desktop session using the Citrix Workspace app for HTML5 client.
  • Hybrid access: You access Citrix Storefront through a browser and connect to the virtual app or desktop session using the native Workspace app client.

The following is an overview of the access methods supported for Microsoft Entra single sign-on:

Access Method Windows Linux Mac Chrome OS Android iOS
Native Yes Yes Yes Yes Yes Yes
Browser Yes Yes Yes Yes Yes Yes
Hybrid Yes No Yes No No No

Note:

Allow pop-ups for SSO to work for web browser session launches.

System requirements

The following are the system requirements for using Microsoft Entra single sign-on:

Note:

The Citrix Web Extension is only needed if your users will be leveraging hybrid access in Windows or Mac devices. If your users leverage native or browser access, the Citrix Web Extension is not needed.

Considerations

  • If your users will be leveraging hybrid access, they must use either Microsoft Edge or Google Chrome, and install the Citrix Web Extension. Microsoft Entra single sign-on with hybrid access is not supported with other browsers.
  • Auto Client Reconnect is not supported when Microsoft Entra single sign-on is used to log into the session. This feature is automatically disabled when this logon method is used. Session Reliability is still available for automatic reconnection in case of network disruptions.
  • When a virtual desktop is locked, the default behavior is to display the Windows lock screen. Depending on your authentication requirements, you might need to change the session lock behavior. See Session lock behavior for more details.
  • With Microsoft Entra hybrid joined session hosts, single sign-on does not work by default for members of privileged groups like Domain Admins. To enable it, add the group or user to the Read-Only Domain Controller (RODC) allowlist for Microsoft Entra Kerberos access. See Microsoft Entra Kerberos TGT and Active Directory access control for details.

How to configure Microsoft Entra single sign-on

Overview

The configuration of Microsoft Entra single sign-on consists of the following steps:

  1. Azure and Microsoft Entra ID configuration.
  2. Citrix configuration

Azure and Microsoft Entra ID configuration

In order to leverage Microsoft Entra single sign-on, you must first allow Microsoft Entra authentication for Windows in your Microsoft Entra ID tenant, which enables issuing the required authentication tokens that allow users to sign in to the Microsoft Entra hybrid joined session hosts.

To achieve this, you must do the following:

  1. Register Citrix Resoure Applicaton in your Azure Entra ID Tenant. Register your Own Client Application as well.
  2. Enable the Remote Desktop Security Configuration for the Citrix resource application.
  3. (Optional) Hide the user consent prompt dialog.
  4. Create a Kerberos server object.
  5. Review Microsoft Entra Conditional Access policies.

The person making the Azure configuration must be assigned one of the following Microsoft Entra built-in roles or equivalent at a minimum:

To complete the Azure configuration, you must use the Microsoft Graph PowerShell SDK or Microsoft Graph API with a tool like Graph Explorer.

Instructions in this article are provided for how to complete the configuration with both PowerShell and Graph Explorer.

If you choose to use the Microsoft Graph PowerShell SDK, then you must:

Register Citrix applications

You must register the Citrix Resource in your Azure tenant.

Create a single-tenant Entra ID Client Application

  1. Go to the Azure Portal.
  2. Navigate to Enterprise Applications > New Application > Create your Own Application.
  3. Register an application to integrate with Microsoft Entra ID.
    1. Under Account, select Single Tenant Only.

    2. Add a Redirect URI. See the table for the Redirect URI as per the Platform type.

      Platform type Redirect URI Notes
      Web Customer specific NetScaler login The URI string is calculated based on the customer specific NetScaler login.
      Mobile and Desktop Applications ctxaadsso://citrix.aad.redirect Must be exactly this string (no leading/trailing spaces, no quotes etc around this string).
      SPA App (Single Page Application) Customer Specific (RFWebUrl) Depends on the RFWebUrl used by the customer for their Stores. (for example, if the customer logs in to RfWeb store using https://finance.acme.com/Citrix/MyStoreWeb, then the Redirect Uri should be : https://finance.acme.com/Citrix/MyStoreWeb). If multiple stores exist, each store’s RF web URL needs to be added as a redirect URI.
    3. Go to Enterprise Applications, search for the Client Application you created (by the name), and write down the assigned Application ID (name it clientAppOID). You’ll also need a few other variables like tenantId and resourceAppOID.

The following snippet explains which variables you should replace with your own values. These variables you’ll need in the next steps (in different machines).

# DirectoryId of your Tenant 
# (where you have your VDAs/Users and now your Client App)
$tenantId="8bf1502a-3d12-40b5-985e-547745129506"
# Application ID for the Client App that you just created in your tenant
$clientAppOID="7d63295c-8fe3-4336-8f49-e5d29f174363"
# If your Client App is Single-Tenant App
$azureSSOnAuthorizeUrl="https://login.microsoftonline.com/$tenantId/"
# ResourceApp - customers can use Citrix ResouceApps or create their own
$resourceAppOID="f2df77db-7c40-4932-8c22-391cdadec0d2" # Citrix-Workspace-Staging
#$resourceAppOID="3a510bb1-e334-4298-831e-3eac97f8b26c" # Citrix-Workspace-Prod
# In some places we must include the namespace (citrix.cloud.com)
$resourceAppFqdn="citrix.cloud.com/$resourceAppOID"
$azureGlobalCloudId="b16898c6-a148-4967-9171-64d755da8520" # AzureAD
<!--NeedCopy-->

You need to make the Citrix ResourceApp discoverable in your tenant, by opening https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}, and also need to authorize your new Client App:

  • Resource app: Start-Process "https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$resourceAppOID"
  • Client app: Start-Process "https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$clientAppOID"

Note:

For each one of those two urls, you’ll need to consent (needs to be tenant admin), and after each consent you’ll be redirected to the RedirectUrl. You can just ignore the redirect and close the window.

Enable Remote Desktop Security Configuration

You must enable the Remote Desktop Security Configuration in the Citrix Resource application. To do this using Azure Portal, see the DaaS doc.

You can also use one of two methods: PowerShell or Graph Explorer. Instructions for both are included, but you only need to follow one.

PowerShell

  1. Install Microsoft Graph PowerShell SDK and the latest beta.

    `Install-Module Microsoft.Graph      -Scope AllUsers -Repository PSGallery`  
`Install-Module Microsoft.Graph.Beta -Scope AllUsers -Repository PSGallery -Force`  
`Get-InstalledModule Microsoft.Graph`  
`Update-Module Microsoft.Graph`
<!--NeedCopy-->

    See Install the Microsoft Graph PowerShell SDK.

  2. Connect to your Tenant using Microsoft Graph.

    Import-Module Microsoft.Graph.Authentication`  
Import-Module Microsoft.Graph.Applications`  
Import-Module Microsoft.Graph.Beta.Applications`

`Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All" -TenantId $tenantId`
<!--NeedCopy-->

  3. Get the Service Principal ID for the service principals associated with the app registrations.

    $CtxResourceSpId = (Get-MgServicePrincipal -Filter "AppId eq '$resourceAppOID'").Id

$CtxClientSpId = (Get-MgServicePrincipal -Filter "AppId eq '$clientAppOID'").Id
<!--NeedCopy-->

  4. Set the property isRemoteDesktopProtocolEnabled to true.

    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId -EA Ignore
if (!$cfg -or !$cfg.IsRemoteDesktopProtocolEnabled) {
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId -IsRemoteDesktopProtocolEnabled
}
<!--NeedCopy-->

  5. Confirm the property isRemoteDesktopProtocolEnabled is set to true:

    Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId
<!--NeedCopy-->

Graph Explorer

  1. Get the object ID (OID) for the service principals associated with the app registrations from the Azure portal:
    1. Navigate to Microsoft Entra ID > Enterprise Applications.
    2. Remove the Application type filter if set so all applications are listed.
    3. Search for Citrix-Workspace-Resource / Citrix-Workspace-Resource-JP and note the associated object ID for the Resource application.
    4. Search for your single-tenant Entra ID Client App and note the associated object ID for the client application.
  2. In Graph Explorer, sign in with an account from the target Azure tenant that has the required permissions.

  3. Set the following query:

    • HTTP request method: PATCH
    • Microsoft Graph API Version: v1.0

    • Query:

       https://graph.microsoft.com/v1.0/servicePrincipals/<$resourceAppOID>/remoteDesktopSecurityConfiguration
 <!--NeedCopy-->

    • Request body:

       {
 "@odata.type": "#microsoft.graph.remoteDesktopSecurityConfiguration",
 "isRemoteDesktopProtocolEnabled": true
 }
 <!--NeedCopy-->
  4. Select the Modify Permissions tab and ensure that you have consented to the Application.ReadWrite.All permission.
  5. Run the query.

See remoteDesktopSecurityConfiguration resource type for reference.

See the DaaS doc for the detailed instuctions using Azure Portal.

Approve the customer managed client application

This can be done with either PowerShell or Graph Explorer. Instructions for both methods are provided, but you only need to follow one.

PowerShell

  1. Create an approvedClientApp object.

    $acp = New-Object -TypeName Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphApprovedClientApp
$acp.Id = $CtxClientSpId
<!--NeedCopy-->

  2. Add the client app to the approvedClientApp object.

    New-MgBetaServicePrincipalRemoteDesktopSecurityConfigurationApprovedClientApp -ServicePrincipalId $CtxResourceSpId -BodyParameter $acp
<!--NeedCopy-->

Graph Explorer

  1. Set the following query and run it:

    • HTTP request method: POST
    • Microsoft Graph API Version: beta

    • Query:

       https://graph.microsoft.com/beta/servicePrincipals/<$resourceAppOID>/remoteDesktopSecurityConfiguration/approvedClientApps
 <!--NeedCopy-->

    • Request body:

       {
 "@odata.type": "#microsoft.graph.approvedClientApp",
 "id": "<$clientAppOID>"
 }
 <!--NeedCopy-->

Create a Kerberos server object

If your session hosts are Microsoft Entra hybrid joined, you must configure a Kerberos server object in the Active Directory domain where the user and computer accounts reside. See Create a Kerberos Server object for details.

Review Microsoft Entra Conditional Access policies

If you use or plan to use Microsoft Entra Conditional Access policies, review the configuration applied to the Citrix Resource application to ensure users have the intended sign‑in experience.

For detailed guidance on configuring Conditional Access when using Microsoft Entra single sign‑on for DaaS, refer to the Microsoft documentation. Remember that the required Conditional Access settings must be applied to the Citrix Resource application, not the Microsoft applications.

Citrix Session Hosts

Ensure the system requirements for the session hosts are met:

  1. Ensure the session hosts are Microsoft Entra hybrid joined.
  2. Install the required operating system version and build as specified in the system requirements.
  3. Install the required VDA version as specified in the system requirements.

Microsoft Entra hybrid joined session hosts

When deploying Microsoft Entra hybrid joined session hosts with Citrix Machines Creation Services, Citrix Provisioning, or Windows 365, proceed to the next section. If you are provisioning Microsoft Entra hybrid joined hosts using any other tool or method, you must add the following registry value to your session hosts:

  • Key: HKLM\SYSTEM\CurrentControlSet\Control\Citrix
  • Value type: DWORD
  • Value name: AzureADJoinType
  • Data: 1

Session lock behavior

When a virtual desktop is locked, the default behavior is to display the Windows lock screen. At this point, the supported authentication methods for unlocking the desktop are username and password or smart card.

If you have a passwordless deployment where users don’t know their passwords, it’s recommended to configure the session lock behavior to disconnect the session instead of showing the lock screen.

  • Multi-session session hosts: You can configure this behavior by enabling the Disconnect remote session on lock for Microsoft identity platform authentication setting through Intune or Group Policy. For detailed steps, see Configure the session lock behavior for Azure Virtual Desktop.

  • Single-session session hosts: The Disconnect remote session on lock for Microsoft identity platform authentication setting is not currently supported. However, you can achieve the same behavior by creating a Windows scheduled task.
    The following example script creates a scheduled task on single-session hosts that runs cmd.exe /c tsdiscon when the desktop is locked:

     # Create the TaskService COM object
 $service = New-Object -ComObject "Schedule.Service"
 $service.Connect()

 # Get the root folder and create a new task definition
 $rootFolder = $service.GetFolder("\")
 $taskDef = $service.NewTask(0)

 # Registration info
 $taskDef.RegistrationInfo.Description = "Disconnect session when workstation is locked"

 # Principal (Users group, least privilege)
 $principal = $taskDef.Principal
 $principal.GroupId = "S-1-5-32-545"
 $principal.RunLevel = 0  # 0 = LeastPrivilege

 # Settings
 $settings = $taskDef.Settings
 $settings.Enabled = $true
 $settings.AllowDemandStart = $true
 $settings.DisallowStartIfOnBatteries = $false
 $settings.StopIfGoingOnBatteries = $false
 $settings.AllowHardTerminate = $false
 $settings.StartWhenAvailable = $false
 $settings.RunOnlyIfNetworkAvailable = $false
 $settings.IdleSettings.StopOnIdleEnd = $true
 $settings.IdleSettings.RestartOnIdle = $false
 $settings.Hidden = $false
 $settings.RunOnlyIfIdle = $false
 $settings.  DisallowStartOnRemoteAppSession = $false
 $settings.UseUnifiedSchedulingEngine = $true
 $settings.WakeToRun = $false
 $settings.ExecutionTimeLimit = "PT0S"   # Unlimited
 $settings.Priority = 7
 $settings.MultipleInstances = 1         # IgnoreNew

 # Trigger: SessionLock
 $trigger = $taskDef.Triggers.Create(11)  # 11 = TASK_TRIGGER_SESSION_STATE_CHANGE
 $trigger.StateChange = 7                 # 7 = SessionLock
 $trigger.Enabled = $true

 # Action: tsdiscon
 $action = $taskDef.Actions.Create(0)     # 0 = Exec
 $action.Path = "cmd.exe"
 $action.Arguments = "/c tsdiscon"

 # Register the task
 $rootFolder.RegisterTaskDefinition(
 "Disconnect on Lock",  # Task name
 $taskDef,
  6,                     # TASK_CREATE_OR_UPDATE
  $null, $null,          # No specific user/password
  3                      # TASK_LOGON_GROUP
 ) | Out-Null
 <!--NeedCopy-->

    If you later need to remove the scheduled task, you can run the following command:

     Unregister-ScheduledTask -TaskName "Disconnect on Lock" -Confirm:$false
 <!--NeedCopy-->

Citrix StoreFront

Authentication via NetScaler

Authentication direct to StoreFront

See SAML authentication and CTX237490

Enable Single sign-on

See StoreFront doc.

Enable Microsoft Entra single sign-on (SSO) in Web Studio

See Configure Microsoft Entra single sign-on (SSO).

After you save the configuration, Microsoft Entra single sign-on (SSO) is enabled for your site.

Enabling Microsoft Entra single sign-on for delivery group

Using Web Studio

  1. Go to delivery groups on Web Studio and click Create Delivery Group.
  2. On the Users page, select Microsoft Entra hybrid joined as the identity type.
  3. Complete the configuration on the following pages. For reference, see Create delivery groups.

Using PowerShell

  1. Create a new delivery group and add the VDA to the delivery group. Assign the user to the VDA (AD account).

  2. Set the delivery group MachineLogonType to HybridAzureAd. For example:

    $dg = Get-BrokerDesktopGroup -Name DG  
$dg | Set-BrokerDesktopGroup -MachineLogOnType HybridAzureAD
<!--NeedCopy-->

  3. Trust the Xml Service.

    Add-PSSnapin Citrix.Broker.Admin.V2
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
<!--NeedCopy-->

  4. Set the SSO parameters.

    Set-BrokerSite -AzureGlobalCloudId "B16898C6-A148-4967-9171-64D755DA8520" -AzureSSOnAuthorizeUrl "<URL>" -AzureSSOnClientId "<`$clientAppOID`>" -AzureSSOnRedirectUrl "URL" -AzureSSOnResourceAppId "<`$resourceAppFqdn`>"
<!--NeedCopy-->

    The following table lists the parameters, their default values, and description.

    Parameter Default value Description
    AzureGlobalCloudId B16898C6-A148-4967-9171-64D755DA8520 Identifies the Entra CloudAP in Windows.
    AzureSSOnClientId No default Entra Application ID to be used for SSO to the VDA.
    AzureSSOnRedirectUrl No default Post-authentication redirect URI to be used for SSO to the VDA. It must be a registered redirect URI of the application identified by ‘AzureSSOnClientId’.
    AzureSSOnAuthorizeUrl https://login.microsoftonline.com/common/ Initial login URI. This is determined by what sovereign deployment of Entra the customer uses (as in Azure vs. Azure Gov).
    AzureSSOnResourceAppId citrix.cloud.com/3a510bb1-e334-4298-831e-3eac97f8b26c Entra Application ID to be used for issuing the PRT. Must be provided by Citrix.

Client Device

Ensure the system requirements for the client devices are met:

  1. Install the required Citrix Workspace app version as specified in the system requirements.
  2. If your users will be leveraging hybrid access, make sure the Citrix Web Extension is installed. If your users will be using native or browser access, the Citrix Web Extension is not needed.

Troubleshooting

  • For troubleshooting StoreFront issues, see Diagnostics logs.
  • If you’re getting the following error from storefront: There was a failure with the mapped account : That’s probably a pure Entra user, without a synced/backing AD account.
  • On launch there is an immediate error before getting an Ica file: Make sure you enabled trusting the Xml Service
  • If the VDA get’s stuck at Initializing during registration: Make sure the VDA has been moved to an OU that is actually Entra synced.

When single sign-on fails

If single sign-on fails when accessing virtual desktops or applications, proceed as follows:

  1. Confirm that Microsoft Entra single sign-on is enabled in StoreFront.
  2. Confirm that the access method leveraged by the user is supported.
  3. If the user is leveraging hybrid access, confirm that the Citrix Web Extension is installed.
  4. Confirm that the client device is running the required Citrix Workspace app version.
  5. Confirm that your session hosts are running the required Windows build.
  6. Confirm that your session hosts are running the required VDA version.
  7. Ensure that the Windows setting Always prompt for password upon connection is not enabled on the session hosts. This setting is disabled by default, and can be configured through Group Policy or Intune under Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. You can check in the registry if the setting is enabled by looking for the value fPromptForPassword under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If the value is set to 1, the setting is enabled and single sign-on will not be available. If the value is missing or set to 0, the setting is disabled.

  8. Confirm that the AzureADJoinType setting is configured correctly in the session hosts:

    • Key: HKLM\SYSTEM\CurrentControlSet\Control\Citrix
    • Value type: DWORD
    • Value name: AzureADJoinType
    • Value data: 1 (Microsoft Entra hybrid joined)
  9. Ensure that the virtual desktops or applications are assigned to Microsoft Entra identities instead of Active Directory identities in Citrix Studio.

  10. Confirm that the Delivery Groups’ logon type is configured correctly by running the following PowerShell command:

    Get-BrokerDesktopGroup -Name <deliveryGroupName>
<!--NeedCopy-->

    For Microsoft Entra hybrid joined session hosts, MachineLogOnType must be set to HybridAzureAd.

  11. Confirm that the Citrix Resource and Customer Managed Client applications are registered in the Microsoft Entra tenant.
  12. Confirm that the Remote Desktop Security Configuration is enabled on the Citrix Resource application.
  13. Confirm that the Customer Managed Client application was added as an approved client application in the Citrix Resource application.
  14. If your session hosts are Microsoft Entra hybrid joined, confirm that a Kerberos server object was created in the Active Directory domain where the user and computer accounts reside.
Microsoft Entra single sign-on
April 28, 2026
Contributed by: 
C
April 28, 2026
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.