Citrix DaaS – Entra ID SSO with PRT and without FAS



This guide provides information on configuring Entra ID Single Sign-On (AAD SSO) for Citrix DaaS without the use of FAS while still getting a PRT, so there are no SSO problems with M365 Apps inside your HDX session. The architecture is based on modern auth (OAuth) without any legacy method. The VDA’s machine identity has to be Entra joined or Entra hybrid joined.

This feature is currently in private tech preview.


The following are the system requirements for using Entra ID SSO:

Currently NDA


The configuration part – I’m very sorry! – at the moment is strictly under NDA. I will update this post with all details (Config for DaaS and Citrix Workspace App) as soon as I’m allowed to.

I just want to make sure that there is something in the pipe! So if you’re planning to switch your IdP in DaaS to Entra ID and you’re considering some FAS / SSO problems – maybe lean back and wait a few minutes more 😉

Here’s a quick sneak peek at the look & feel, and confirmation that it also works fine with Windows Server 2022.

This is a brand new user who has never started a resource before, adding an account in Workspace App for the first time:

Look & Feel first time User Entra ID SSO

Some Screenshots:

Workspace App Windows Entra ID SSO

Published Desktop Windows Server 2022 with PRT


Finally we can put FAS to sleep and make use of all kinds of modern auth from Microsoft Entra ID’s spectrum.

Thanks to Miguel Contreras and Team for the great work!


  1. I need this for one of our customers ASAP, how can I participate in the private technical preview? It’s an enterprise customer with a large number of users and many countries involved.
