RDS AAD Authentication is an optional RDP protocol supported by Entra ID. It allows single sign-on to remove resources if the local resource is domain-joined.
With an appropriate Workspot Client, RDS AAD Authentication is supported on:
Workspot persistent desktops (but not non-persistent desktops).
Workspot Cloud Applications (that is, apps running on a Workspot Application Server).
RD Apps (apps running on an arbitrary Windows device that supports RDS AAD Authentication).
Non-RDS AAD devices (if the “fallback to non-NLA RDP Connections” option is selected in Control).
Prerequisites
Three selective features must be enabled:
“RDS AAD Auth” (called “Entra ID Authentication Support” internally by Control).
“Entra ID Only” (called “Enable AADLogin on Cloud Apps” internally by Control).
“MSTSC Auto Reconnect.”
Support is for the Workspot Windows Client 6.4.0 at first, with other Clients to follow.
Only persistent desktops are supported.
Configuration
In the Pool Definition
In Control, the RDS AAD Authentication parameters are part of the “Add/Edit Pool” page:
Select all the options you want to support: (“RDS AAD Authentication,” “Windows Hello for Business,” and “Allow fallback.”)
Note: You must select at least one option to enable connections.
The fallback option allows non-NLA, non-Entra ID RDP connections.
In the User Page
For debugging, you can select a single, specific connection method for a desktop belonging to an individual user.
Go to the “Users > username > User Details” page, in the “Active Devices” section.
Expand the desired device.
Click the “Entra ID Auth. Options” button.
In the popup, select an authentication option.
