Understanding Microsoft Azure AD SSO with non-persistent VDI (Instant Clones)

SW The Tech Journal

2 years ago

3,284 views


Comments:

@LijpeDude - 07.04.2023 21:11

This is an excellent suggestion! We are running into this issue because we're in the midst of phasing out ADFS and migrating to PTA. Had a lot of issues with the non-persistent machines but this could be the solution! I've seen it before but I thought it only works for down-level Windows devices...thank you!

@ronfisher4751 - 07.03.2023 00:17

Nice video and just reiterates the nightmare that VDI has become with cloud integration. We are developing a complex stew of Horizon 8 Instant Win10 21H2 clones (testing with hybrid and non-hybrid join) along with AAD SSO/MFA o365, OneDrive, FSLogix, DEM. The user experience is fraught with password and MFA authentication prompts from one session to the next. MFA tokens are not persisting from one logon to the next. Beyond frustrating.

@DoubleA-ARon - 23.11.2022 18:45

Hey Stephen, great video and site!
What happens when you have an Azure conditional access policy that is requiring devices be Hybrid AD joined, or Enforce MFA? Every login, every MS app wants a password and MFA prompt, regardless of profile management. Instant clones are not supported by VMware for HAADJ, and the access policy wants HAADJ devices. I know an exception by location in the policy will fix this but that doesn't seem to be an option. I tried the reg entry and excluding the OU from sync, but that's not the issue, it seems the policy is the issue, just not sure how to work around it without changing the policy which will weaken security.

@ChrisLuton - 21.11.2022 23:21

Oh man I've been fighting this for 4 months with Microsoft and Citrix. Definitely going to try your suggestion for SSO on non-persistent legacy AD joined only! Please let me know if anything has changed on this recently Stephen! Thanks!

@ITSystemsAdmin - 05.03.2022 01:37

Great tip! Actually we just got these issues in a new VDI deployment with instant clone pools. Thanks.
