Citrix DaaS™

Microsoft Entra single sign-on Azure configuration

In order to leverage Microsoft Entra single sign-on, you must first allow Microsoft Entra authentication for Windows in your Microsoft Entra ID tenant, which enables issuing the required authentication tokens that allow users to sign in to the Microsoft Entra joined and Microsoft Entra hybrid joined session hosts. To achieve this, you must do the following:

  1. Register the Citrix applications (Resource app and Client app) in your Microsoft Entra ID tenant.
  2. Enable the Remote Desktop Security Configuration for the Citrix resource application.
  3. Add the Citrix client application as an approved client for the Citrix resource application.
  4. [Optional] Hide the user consent prompt dialog.
  5. Create a Kerberos server object.
  6. Review Microsoft Entra Conditional Access policies.

The person making the Azure configuration must be assigned one of the following Microsoft Entra built-in roles or equivalent at a minimum:

If you wish to complete the Azure configuration via PowerShell, you will need to use the Microsoft Graph PowerShell SDK. You can also leverage Microsoft Graph API with a tool like Graph Explorer.

Instructions are provided for how to complete the configuration with both PowerShell and Graph Explorer.

PowerShell configuration

If you choose to use the Microsoft Graph PowerShell SDK, please note:

Enable Remote Desktop Security Configuration

After you register the Citrix applications, you must enable the Remote Desktop Security Configuration in the Citrix Resource application.

  1. Import the Authentication and Application Microsoft Graph modules and connect to Microsoft Graph with the Application.Read.All and Application-RemoteDesktopConfig.ReadWrite.All scopes:

    Import-Module Microsoft.Graph.Authentication
    Import-Module Microsoft.Graph.Applications
    Import-Module Microsoft.Graph.Beta.Applications
    Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
    
  2. Get the object ID for the service principals associated with the app registrations:

    Citrix Cloud US, EU, APS

    $CtxResourceSpId = (Get-MgServicePrincipal -Filter "AppId eq '3a510bb1-e334-4298-831e-3eac97f8b26c'").Id
    $CtxClientSpId = (Get-MgServicePrincipal -Filter "AppId eq '85651ebe-9a8e-49e4-aaf2-9274d9b6499f'").Id
    

    Citrix Cloud Japan

    $CtxResourceSpId = (Get-MgServicePrincipal -Filter "AppId eq '0027603f-364b-40f2-98be-8ca4bb79bf8b'").Id
    $CtxClientSpId = (Get-MgServicePrincipal -Filter "AppId eq '0fa97bc0-059c-4c10-8c54-845a1fd5a916'").Id
    
  3. Set the property isRemoteDesktopProtocolEnabled to true:

    # The Get- cmdlet returns a configuration object, so test its IsRemoteDesktopProtocolEnabled
    # property rather than comparing the whole object to $true. A missing configuration
    # (null) also fails this test and triggers the update.
    If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId).IsRemoteDesktopProtocolEnabled -ne $true) {
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId -IsRemoteDesktopProtocolEnabled
    }
    
  4. Confirm the property isRemoteDesktopProtocolEnabled is set to true:

    Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $CtxResourceSpId
    

Approve the client application

You must explicitly add the Citrix Client application as an approved client in the Citrix Resource application.

  1. Create an approvedClientApp object:

    $acp = New-Object -TypeName Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphApprovedClientApp
    $acp.Id = $CtxClientSpId
    
  2. Add the approvedClientApp object to the Remote Desktop Security Configuration of the Citrix Resource application:

    New-MgBetaServicePrincipalRemoteDesktopSecurityConfigurationApprovedClientApp -ServicePrincipalId $CtxResourceSpId -BodyParameter $acp
    

    The output should be similar to this:

    Id                                    DisplayName
    --                                    -----------
    87654321-wxyz-1a2b-3c4d-1029384756af  Citrix-Workspace
    

By default, users are prompted to allow the Remote Desktop connection when connecting to a Microsoft Entra joined or Microsoft Entra hybrid joined session host with Microsoft Entra single sign-on enabled, in which they must select Yes to allow single sign-on. Microsoft Entra will remember up to 15 unique session hosts for 30 days before prompting again.

You can hide this dialog by configuring a list of target devices. To configure the list of devices, you must create one or more groups in Microsoft Entra ID that contain the Microsoft Entra joined and/or Microsoft Entra hybrid joined session hosts and then authorize the groups in the resource application, up to a maximum of 10 groups.

NOTE

It is highly recommended to create a dynamic group to simplify the membership management for the group. While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.

Dynamic groups require the Microsoft Entra ID P1 license or Intune for Education license. For more information, see Dynamic membership rules for groups.
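An added example (not from the Citrix documentation) of creating the dynamic device group the note recommends with the Microsoft Graph PowerShell SDK. The group name, mail nickname and the "VDA-" display-name prefix are placeholders for your own naming convention, and the rule assumes the session hosts are Windows devices that are Microsoft Entra joined (deviceTrustType AzureAD) or Microsoft Entra hybrid joined (deviceTrustType ServerAD).

```powershell
# Added example, not Citrix code. Placeholders: group name, mail nickname, "VDA-" prefix.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rule: Windows devices that are Entra joined or Entra hybrid joined and whose
# display name starts with the session-host prefix. Adjust the prefix to your environment.
$rule = '(device.deviceOSType -eq "Windows") and ' +
        '(device.deviceTrustType -in ["AzureAD","ServerAD"]) and ' +
        '(device.displayName -startsWith "VDA-")'

$group = New-MgGroup -DisplayName "Entra-SSO-Desktops" `
    -Description "Session hosts exempt from the Remote Desktop connection prompt" `
    -MailEnabled:$false -MailNickname "entra-sso-desktops" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# This object ID is the <groupOID> used in the targetDeviceGroup steps that follow.
$group.Id

# Membership is evaluated asynchronously (5-10 minutes, up to 24 hours in large tenants),
# so confirm the group has populated before authorizing it in the resource application.
(Get-MgGroupMember -GroupId $group.Id -All).Count
```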

Once the groups have been created, follow these steps:

  1. Get the object ID (OID) of the group that contains the session hosts for which you want to hide the Remote Desktop connection prompt.

  2. Create a targetDeviceGroup object:

    $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
    $tdg.Id = "<groupOID>"
    
  3. Add the targetDeviceGroup object to the Remote Desktop Security Configuration of the Citrix Resource application:

    New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $CtxResourceSpId -BodyParameter $tdg
    

    The output should be similar to this:

    Id                                    DisplayName
    --                                    -----------
    87654321-wxyz-1a2b-3c4d-1029384756af  Entra-SSO-Desktops
    
  4. If you later need to remove a device group from the targetDeviceGroup object, run the following command:

    Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $CtxResourceSpId -TargetDeviceGroupId "<groupOID>"
    

NOTE

You can repeat these steps to add more groups if needed, up to a maximum of 10 groups.
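An added verification script (not from the Citrix documentation) that reads back the Remote Desktop Security Configuration established by the three PowerShell procedures above and reports anything that deviates from the expected state: the protocol flag, the approved client list, and the target device groups. It assumes the Citrix Cloud US, EU, APS app IDs from step 2 (swap in the Japan IDs for Citrix Cloud Japan), and that the Get- counterparts of the New- cmdlets used above are available in the same Microsoft Graph modules.

```powershell
# Added verification script, not Citrix code; assumes the Get- counterparts of the cmdlets above.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Beta.Applications
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.Read.All","Group.Read.All"

# Citrix Cloud US, EU, APS app IDs from step 2 above; swap in the Japan IDs if needed.
$resourceAppId = '3a510bb1-e334-4298-831e-3eac97f8b26c'
$clientAppId   = '85651ebe-9a8e-49e4-aaf2-9274d9b6499f'
$findings = @()

$resourceSp = Get-MgServicePrincipal -Filter "AppId eq '$resourceAppId'"
$clientSp   = Get-MgServicePrincipal -Filter "AppId eq '$clientAppId'"
if (-not $resourceSp -or -not $clientSp) {
    throw "Citrix resource or client service principal not found; register the applications first."
}

# 1. Remote Desktop protocol must be enabled on the resource application.
$cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $resourceSp.Id
if ($cfg.IsRemoteDesktopProtocolEnabled -ne $true) {
    $findings += "isRemoteDesktopProtocolEnabled is not true on $($resourceSp.DisplayName)"
}

# 2. Only the Citrix client application should be an approved client; anything else is unexpected.
$approved = @(Get-MgBetaServicePrincipalRemoteDesktopSecurityConfigurationApprovedClientApp -ServicePrincipalId $resourceSp.Id)
if ($approved.Id -notcontains $clientSp.Id) {
    $findings += "Citrix client app $($clientSp.Id) is not an approved client"
}
foreach ($app in ($approved | Where-Object { $_.Id -ne $clientSp.Id })) {
    $findings += "Unexpected approved client app: $($app.Id) ($($app.DisplayName))"
}

# 3. Target device groups: no more than 10, and each must still resolve to an existing group.
$groups = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $resourceSp.Id)
if ($groups.Count -gt 10) {
    $findings += "More than 10 target device groups configured ($($groups.Count))"
}
foreach ($g in $groups) {
    if (-not (Get-MgGroup -GroupId $g.Id -ErrorAction SilentlyContinue)) {
        $findings += "Target device group $($g.Id) no longer exists"
    }
}

if ($findings.Count -eq 0) {
    "Remote Desktop security configuration matches the expected state."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after the initial setup and again whenever the configuration is changed; an unexpected approved client application is the finding that matters most, since it would allow another application to obtain tokens for the session hosts.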

Microsoft Graph API configuration

Enable Remote Desktop Security Configuration

After you register the Citrix applications, you must enable the Remote Desktop Security Configuration in the Citrix Resource application.

  1. Get the object ID (OID) for the service principals associated with the app registrations from the Azure portal:
    1. Navigate to Microsoft Entra ID > Enterprise Applications.
    2. Remove the Application type filter if set so all applications are listed.
    3. Search for Citrix-Workspace-Resource / Citrix-Workspace-Resource-JP and note the associated object ID for the Resource application.
    4. Search for Citrix-Workspace / Citrix-Workspace-JP and note the associated object ID for the client application.
  2. In Graph Explorer, sign in with an account from the target Azure tenant that has the required permissions.

  3. Set the following query:

    • HTTP request method: PATCH
    • Microsoft Graph API Version: v1.0
    • Query:

       https://graph.microsoft.com/v1.0/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration
      
    • Request body:

       {
           "@odata.type": "#microsoft.graph.remoteDesktopSecurityConfiguration",
           "isRemoteDesktopProtocolEnabled": true
       }
      
  4. Select the Modify Permissions tab and ensure that you have consented to the Application.ReadWrite.All permission.

  5. Run the query.

See remoteDesktopSecurityConfiguration resource type for reference.

Approve the client application

You must explicitly add the Citrix Client application as an approved client in the Citrix Resource application.

Set the following query and run it:

  • HTTP request method: POST
  • Microsoft Graph API Version: beta
  • Query:

     https://graph.microsoft.com/beta/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/approvedClientApps
    
  • Request body:

     {
         "@odata.type": "#microsoft.graph.approvedClientApp",
         "id": "<clientAppOID>"
     }
    

By default, users are prompted to allow the Remote Desktop connection when connecting to a Microsoft Entra joined or Microsoft Entra hybrid joined session host with Microsoft Entra single sign-on enabled, in which they must select Yes to allow single sign-on. Microsoft Entra will remember up to 15 unique session hosts for 30 days before prompting again.

You can hide this dialog by configuring a list of target devices. To configure the list of devices, you must create one or more groups in Microsoft Entra ID that contain the Microsoft Entra joined and/or Microsoft Entra hybrid joined session hosts and then authorize the groups in the resource application, up to a maximum of 10 groups.

NOTE

It is highly recommended to create a dynamic group to simplify the membership management for the group. While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.

Dynamic groups require the Microsoft Entra ID P1 license or Intune for Education license. For more information, see Dynamic membership rules for groups.

Once the groups have been created, follow these steps:

  1. Get the object ID (OID) of the group that contains the session hosts for which you want to hide the Remote Desktop connection prompt.

  2. Set the following query and run it:

    • HTTP request method: POST
    • Microsoft Graph API Version: v1.0
    • Query:

       https://graph.microsoft.com/v1.0/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/targetDeviceGroups
      
    • Request body:

       {
           "@odata.type": "#microsoft.graph.targetDeviceGroup",
           "id": "<groupOID>"
       }
      

NOTE

You can repeat these steps to add more groups if needed, up to a maximum of 10 groups.

If you later need to remove a device group from the targetDeviceGroup object, set the following and run the query:

  • HTTP request method: DELETE
  • Microsoft Graph API Version: v1.0
  • Query:

     https://graph.microsoft.com/v1.0/servicePrincipals/<resourceAppOID>/remoteDesktopSecurityConfiguration/targetDeviceGroups/<groupOID>
    

See targetDeviceGroup resource type for reference.

Create a Kerberos server object

If your session hosts are Microsoft Entra hybrid joined, you must configure a Kerberos server object in the Active Directory domain where the user and computer accounts reside. See Create a Kerberos Server object for details.

Review Microsoft Entra Conditional Access policies

If you use or plan to use Microsoft Entra Conditional Access policies, review the configuration applied to the Citrix Resource application and the Citrix Client application to ensure users have the intended sign-in experience.

For detailed guidance on configuring Conditional Access when using Microsoft Entra single sign-on for DaaS, refer to the Microsoft documentation. Remember that the required Conditional Access settings must be applied to the Citrix Resource application or Citrix Client application, not the Microsoft applications.