Enabling SSO (single sign-on)

Parallels DaaS automatically enables Single Sign-On (SSO) in multi-session environments at the host pool level during deployment. SSO allows users to log in once using their primary credentials (e.g., corporate Entra ID) and gain seamless access to virtual desktops without repeated authentication prompts.

Follow these steps to enable Single Sign-On (SSO) for Parallels DaaS using Microsoft Graph.

1. Sign in to Azure

Use the following command to sign in to Azure with your tenant context and then set the desired subscription context:

Connect-AzAccount -Tenant "<your-tenant-id>" -UseDeviceAuthentication
Set-AzContext -SubscriptionId "<your-subscription-id>" -Tenant "<your-tenant-id>"

2. Prepare your environment

Ensure that the PowerShell execution policy allows local scripts:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

3. Install the required Microsoft Graph modules

Install the Microsoft Graph PowerShell module:

Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

4. Import necessary modules

Import the authentication and applications modules:

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

5. Connect to Microsoft Graph

Connect to Microsoft Graph with the appropriate permissions:

Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All" -Tenant "<your-tenant-id>"

6. Enable SSO on required service principals

Fetch the service principal IDs for the following two apps:

  • Microsoft AVD Client: App ID a4a365df-50f1-4397-bc59-1a1564b8bb9c

  • Windows Cloud Login: App ID 270efc09-cd0d-444b-a71f-39af4910ec45

Then update their remote desktop security configuration:

$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled

7. Verify SSO is enabled

You can verify the settings using:

Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId
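
Steps 6 and 7 can be combined into one repeatable check that stops if a service principal is missing and only writes when the setting is off. This is an added example, not Parallels' own script; it assumes the Connect-MgGraph session from step 5 is active, and Enable-RdpSsoForApp is a hypothetical helper name.

```powershell
# Added example: idempotent enable-and-verify for the two service principals
# named in step 6. Assumes Connect-MgGraph (step 5) has already succeeded.
# Enable-RdpSsoForApp is a hypothetical helper name, not a Graph cmdlet.
$ErrorActionPreference = 'Stop'

# App IDs as listed on this page
$apps = [ordered]@{
    'Microsoft AVD Client' = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'
    'Windows Cloud Login'  = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

function Enable-RdpSsoForApp {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $AppId)

    # An empty result means the app has no service principal in this tenant
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$AppId'"
    if (-not $sp) {
        throw "Service principal for '$Name' ($AppId) not found in this tenant."
    }

    # A missing or unreadable configuration is treated as "not enabled"
    $before = (Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue).IsRemoteDesktopProtocolEnabled

    # Only write when the setting is not already on
    if ($before -ne $true) {
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id -IsRemoteDesktopProtocolEnabled | Out-Null
    }

    # Re-read so the reported state comes from the tenant, not from the request
    $after = (Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id).IsRemoteDesktopProtocolEnabled

    [pscustomobject]@{
        App                = $Name
        ServicePrincipalId = $sp.Id
        EnabledBefore      = [bool]$before
        EnabledAfter       = [bool]$after
        Changed            = ($before -ne $true) -and ($after -eq $true)
    }
}

$results = foreach ($entry in $apps.GetEnumerator()) {
    Enable-RdpSsoForApp -Name $entry.Key -AppId $entry.Value
}
$results | Format-Table -AutoSize

if ($results.EnabledAfter -contains $false) {
    throw 'SSO is not enabled on every required service principal.'
}
```

The Changed column records whether the run modified the tenant, which is useful to keep alongside change records for the Application-RemoteDesktopConfig.ReadWrite.All session.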
