---
title: "RDS AAD Authentication"
slug: "rds-aad-authenticaion"
tags: ["Entra ID", "Entra ID Only", "Hello", "NLA"]
updated: 2026-02-04T19:24:55Z
published: 2026-02-04T19:24:55Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.workspot.com/llms.txt
> Use this file to discover all available pages before exploring further.

# RDS AAD Authentication

RDS AAD Authentication is an optional RDP protocol supported by Entra ID. It allows single sign-on to remote resources if the local resource is domain-joined.

With an appropriate Workspot Client, RDS AAD Authentication is supported on:

- Workspot persistent desktops (but not non-persistent desktops).
- Workspot Cloud Applications (that is, apps running on a Workspot Application Server).
- RD Apps (apps running on an arbitrary Windows device that supports RDS AAD Authentication).
- Non-RDS AAD devices (if the “fallback to non-NLA RDP Connections” option is selected in Control).

## Prerequisites

- Three selective features must be enabled:
  - “RDS AAD Auth” (called “Entra ID Authentication Support” internally by Control).
  - “[Entra ID Only](/v1/docs/configuring-an-aad-only-control-account)” (called “Enable AADLogin on Cloud Apps” internally by Control).
  - “MSTSC Auto Reconnect.”
- Support is for the [Workspot Windows Client 6.4.0](/v1/docs/windows-client-640) at first, with other Clients to follow.
- Only persistent desktops are supported.

## Configuration

### In the Pool Definition

In Control, the RDS AAD Authentication parameters are part of the [“Add/Edit Pool” page](/v1/docs/control-desktop-pools):

![Entra ID Authentication Options with various security settings for remote desktop connections.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/rdsaadauth1.png)

Select all the options you want to support: (“RDS AAD Authentication,” “Windows Hello for Business,” and “Allow fallback.”)

> **Note:**You must select at least one option to enable connections.

The fallback option allows non-NLA, non-Entra ID RDP connections.

### In the User Page

For debugging, you can select a single, specific connection method for a desktop belonging to an individual user.

1. Go to the “Users > *username* > User Details” page, in the “Active Devices” section.
2. Expand the desired device.
3. Click the “Entra ID Auth. Options” button.
4. In the popup, select an authentication option.

![Active devices list showing device details and action options for management.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/rdsaadauth3.png)

![Options for Entra ID authentication settings with selection buttons and action prompts.](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/rdsaadauth4.png)