Merge pull request #6783 from ChristianMontoya/w365-identity-auth

Angela Fleischmann · web-flow · commit adbe43806f5d · 2022-02-15T15:55:31.000-07:00
New Doc - Windows 365 identity and authentication
diff --git a/windows-365/enterprise/TOC.yml b/windows-365/enterprise/TOC.yml
@@ -13,6 +13,8 @@ items:
   items:
   - name: Architecture
     href: architecture.md
+  - name: Identity and authentication
+    href: identity-authentication.md
   - name: Lifecycle
     href: lifecycle.md
   - name: Provisioning
diff --git a/windows-365/enterprise/architecture.md b/windows-365/enterprise/architecture.md
@@ -88,6 +88,8 @@ When configuring Cloud PCs to use Azure AD Join, Azure AD provides:
 - The domain join mechanism for the Cloud PCs.
 - User authentication for RDP connections.
 
+For more information on how the identity services impact the deployment, management, and usage of Cloud PCs, see [identity and authentication](identity-authentication.md).
+
 ### Azure AD
 
 Azure AD provides user authentication and authorization for both the Windows 365 web portal and for the Remote Desktop client apps. Both support modern authentication, which means Azure AD Conditional Access can be integrated to provide:
@@ -104,13 +106,13 @@ For more information on how to use Azure AD Conditional Access with Windows 365,
 
 ### Active Directory Domain Services
 
-Windows 365 Cloud PCs can be either Hybrid azure AD joined or Azure AD Joined. When using Hybrid Azure AD Join, Cloud PCs must domain join to an AD DS domain. This domain must be synchronized with Azure AD. The domain’s domain controllers may be hosted in Azure or on-premises. If hosted on-premises, connectivity must be established from Azure to the on-premises environment. The connectivity can be in the form of [Azure Express Route](/azure/architecture/reference-architectures/hybrid-networking/expressroute) or a [site-to-site VPN](/azure/architecture/reference-architectures/hybrid-networking/vpn). For more information on establish hybrid network connectivity, see [implement a secure hybrid network](/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). The connectivity must allow communication from the Cloud PCs to the domain controllers required by Active Directory. For more information, see [Configure firewall for AD domain and trusts](/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts).
+Windows 365 Cloud PCs can be either Hybrid Azure AD joined or Azure AD Joined. When using Hybrid Azure AD Join, Cloud PCs must domain join to an AD DS domain. This domain must be synchronized with Azure AD. The domain’s domain controllers may be hosted in Azure or on-premises. If hosted on-premises, connectivity must be established from Azure to the on-premises environment. The connectivity can be in the form of [Azure Express Route](/azure/architecture/reference-architectures/hybrid-networking/expressroute) or a [site-to-site VPN](/azure/architecture/reference-architectures/hybrid-networking/vpn). For more information on establish hybrid network connectivity, see [implement a secure hybrid network](/azure/architecture/reference-architectures/dmz/secure-vnet-dmz). The connectivity must allow communication from the Cloud PCs to the domain controllers required by Active Directory. For more information, see [Configure firewall for AD domain and trusts](/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts).
 
 ## "Hosted on behalf of" architecture
 
 The "hosted on behalf of" architecture lets Microsoft services, after they’re delegated appropriate and scoped permissions to a virtual network by a subscription owner, attach hosted Azure services to a customer subscription. This connectivity model lets a Microsoft service provide software-as-a-service and user licensed services as opposed to standard consumption-based services.
 
-All Cloud PC connectivity is provided by the virtual network interface card. The "hosted on behalf of" architecture means that the Cloud PCs exists in the subscription owned by Microsoft. Therefore, Microsoft incurs the costs for running and managing this infrastructure.
+All Cloud PC connectivity is provided by the virtual network interface card. The "hosted on behalf of" architecture means that the Cloud PCs exist in the subscription owned by Microsoft. Therefore, Microsoft incurs the costs for running and managing this infrastructure.
 
 Windows 365 manages the capacity and in-region availability in the Windows 365 subscriptions. Windows 365 determines the size and type of VM based on the [license](cloud-pc-size-recommendations.md) you [assign to the user](assign-licenses.md). Windows 365 determines the Azure region to host your Cloud PCs in based on the virtual network you select when [creating an on-prem network connection](create-on-premises-network-connection.md).
 
@@ -143,4 +145,4 @@ Windows 365 Cloud PCs don't support third-party connection brokers.
 <!-- ########################## -->
 ## Next steps
 
-[Learn about the Cloud PC lifecycle](lifecycle.md).
+[Learn about Windows 365 identity and authentication](identity-authentication.md).
diff --git a/windows-365/enterprise/identity-authentication.md b/windows-365/enterprise/identity-authentication.md
@@ -0,0 +1,123 @@
+---
+# required metadata
+title: Windows 365 identity and authentication
+titleSuffix:
+description: Windows 365 identity and authentication
+keywords:
+author: ErikjeMS  
+ms.author: erikje
+manager: dougeby
+ms.date: 02/11/2022
+ms.topic: overview
+ms.service: cloudpc
+ms.subservice:
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: chrimo
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; get-started
+ms.collection: M365-identity-device-management
+---
+
+# Windows 365 identity and authentication
+
+A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines:
+
+- What types of Cloud PCs the user has access to.
+- What types of non-Cloud PC resources the user has access to.
+
+A device can also have an identity which is determined by its join type to Azure Active Directory (Azure AD). For a device, the join type defines:
+
+- If the device requires line of sight to a domain controller.
+- How the device is managed.
+- How users authenticate to the device.
+
+## Identity types
+
+There are two identity types:
+
+- **[Hybrid identity](/azure/active-directory/hybrid/whatis-hybrid-identity)**: Users or devices that are created in on-premises Windows Server Active Directory, then synchronized to Azure AD.
+- **Cloud-only identity**: Users or devices that are created and only exist in Azure AD.
+
+## Device join types
+
+There are two join types that you can select from when [provisioning a Cloud PC](provisioning.md):
+
+- **[Hybrid Azure AD Join](/azure/active-directory/devices/concept-azure-ad-join-hybrid)**: If you choose this join type, Windows 365 will join your Cloud PC to the Windows Server Active Directory domain you provide. Then, if your organization is properly [configured for Hybrid Azure AD Join](/azure/active-directory/devices/howto-hybrid-azure-ad-join), the device will be synchronized to Azure AD.
+- **[Azure AD Join](/azure/active-directory/devices/concept-azure-ad-join)**: If you choose this join type, Windows 365 will join your Cloud PC directly to Azure AD.
+
+
+Below is a table showing key capabilities or requirements based on the selected join type:
+
+|Capability or requirement|Hybrid Azure AD Join|Azure AD Join|
+|-|-|-|
+|Azure subscription|Required|Optional|
+|Azure virtual network with line of sight to the domain controller|Required|Optional|
+|User identity type supported for login|Hybrid users only|Hybrid users or cloud-only users|
+|Policy management|Group Policy Objects (GPO) or Intune MDM|Intune MDM only|
+|Windows Hello for Business login supported|Yes, and the connecting device must have line of sight to the domain controller through the direct network or a VPN|Yes|
+
+## Authentication
+
+To successfully access a Cloud PC, a user must authenticate, in turn, with both:
+
+- The Windows 365 service.
+- The Cloud PC.
+
+>[!NOTE]
+>Single sign-on (defined as a single authentication prompt that can satisfy both the Windows 365 service authentication and Cloud PC authentication) is not supported at this time.
+
+>[!IMPORTANT]
+>In order for authentication to work properly, the user's local machine must also be able to access the URLs in the [Remote Desktop clients](/azure/virtual-desktop/safe-url-list#remote-desktop-clients) section of the [Azure Virtual Desktop required URL list](/azure/virtual-desktop/safe-url-list).
+
+### Windows 365 service authentication
+
+Users must authenticate with the Windows 365 service when:
+
+- They access [windows365.microsoft.com](https://windows365.microsoft.com).
+- They navigate to the URL that maps directly to their Cloud PC.
+- They use a [Remote Desktop client](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients to list their Cloud PCs.
+
+This authentication triggers an Azure Active Directory prompt, allowing any credential type that is supported by both Azure Active Directory and your OS.
+
+### Cloud PC authentication
+
+Users must authenticate with the Windows 365 service when:
+
+- They navigate to the URL that maps directly to their Cloud PC.
+- They use a [Remote Desktop client](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients) to connect to their Cloud PC.
+
+>[!NOTE]
+>If a user launches the web browser URL that maps directly to their Cloud PC, they will encounter the Windows 365 service authentication first, then encounter the Cloud PC authentication.
+
+The following credential types are supported for Cloud PC authentication:
+- Windows desktop client
+    - Username and password
+    - Smartcard
+    - [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust)
+    - [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs)
+- Windows store client
+    - Username and password
+- Web client
+    - Username and password
+- Android
+    - Username and password
+- iOS
+    - Username and password
+- macOS
+    - Username and password
+
+
+<!-- ########################## -->
+## Next steps
+
+[Learn about the Cloud PC lifecycle](lifecycle.md).
