Mac OS connecting to Windows 365 and AVD

Posted on by
Reading Time: 8 minutes

Introduction

You may have seen from some of my posts on here and also on my YouTube channel I have been doing a lot about Windows 365 and AVD. You may have also noticed that I mainly use a Mac. Again, this is not a post about which device is better Mac or Windows Device, they both have their place. However, regardless of what device I use the common factor here is that I need to use the Windows App to access Windows 365 or AVD.

Using the Windows App on both devices pretty much offers the same experience, you sign in, with your credentials which supports signing in using a passkey and then you’re presented with your desktop and/or apps available to you. All good, yes? well not exactly, in my experience.

Accessing Windows 365 and AVD

There are 2 main ways to access Windows 365 and AVD using both a Mac and a Windows device via the browser and via the Windows App and both pretty much work as you’d expect, I log on open up my apps (that are “Windows Apps”) and do what I need to do. One thing I have discovered is that each device type handles the hardware pass through differently. This is where I have started noticing some differences. Lets take a look at these differences, well the ones I have picked up on that have (for me) the biggest impact on how I work.

Microsoft Teams

Like most people probably do I use Microsoft Teams a lot, for call’s meetings and chats. Its the “bread and butter’ for collaborating with colleagues, guests, clients and partners. And I use it a lot via AVD more so that Windows 365.

Connecting from Mac to Teams on Windows 365 or AVD

When I use My Windows 365 Cloud PC from my Mac or when I use AVD to access my work desktop I get the option to select which camera I would like to use:

I get the same options when I use my Windows device. However when it comes to audio I get a different list of options for each device. On the Mac I only get the following option

When I look at Team on my Mac itself I get this list:

So you can see that it does not pass the audio through other than what is set on the Mac at the time as the current Audio Output and Input. So I need to ensure that I have those setup correctly on the Mac before I join a teams call.

I noticed this is also the same experience when connecting directly from the browser, in my case I use Edge on my Mac.

Connecting from a Windows device to Teams on Windows 365 or AVD

When I connect to AVD/Windows 365 from a Windows Device I get the option to select any one of the audio devices that are connected to the local device giving me the opportunity to select a custom setup for audio.

This subsequently gives me a better user experience for AVD/Windows 365 when accessing from a Windows Devices.

Phishing resistant MFA in a Windows 365 or AVD Session

Once you’re signed in to a Cloud PC or Session Host you typically shouldn’t be prompted to sign in again, however there are occasions when you might need to:

  1. Logging in to a In private Window in Edge
  2. Logging in to another cloud account
  3. using Auth Context for PIM

I’f you’re using Passkeys then you will be using WebAuthn, this can be configured to redirect to the local computer:

What is WebAuthn

WebAuthn (Web Authentication) is a standard developed by the FIDO alliance and the World Wide Web Consortium (W3C). It allows users to authenticate to websites and online services such as Microsoft 365/AVD/Windows 365 using Public Key Cryptography instead of passwords, and is starting to be come the preferred method for authentication as it can help prevent things like Adversary-in-the-Middle attacks. And of course we’re all using this now aren’t we? Or at least planning to get to this point? (I hope).

I’ve been doing a lot with Passwordless and trying to couple this with things like Auth Context for PIM so that privileged access is secured as best it can be and this is where I have been hitting the issues with using this kind of approach with a Mac.

WebAuthn from a Mac

Logging on to Windows 365 and AVS from the Mac is easy enough, but I was unable use my passkey when I was prompted to re-authenticate with phishing resistant MFA. Was this an issue with my Mac or the Windows App client?

I then tried logging on to another account that uses passkeys only, which I do not know the password for and got the follow prompt, similar when using my PIM account and activating the role:

The first thing I noticed is that I am not presented with the QR Code for logging in with like I would be when using the browser natively on the local device, it wanted me to use my USB Key.

Typically when I plug in my USB Key it will then ask me for the PIN, however, this time is just asked me to touch it, which once I did I got the following:

Wondering if this is an issue with the Windows App I tried to see if this would work via the browser. So I connected to my Windows 365 Cloud PC via Edge and opened the connection within the browser and had the exact same experience.

WebAuthn from Windows

I then tried the same from my Windows Device. This seemed to work absolutely fine, it would accept my USB Key, my passkey on my phone and also with Windows Hello for Business

So to me this seems to be an issue related to the Mac more than the application?

Conclusion

Is this a limitation of the Windows App on the Mac? I don’t think so. Initially I was getting frustrated with it convinced it was the app itself, but after testing it with Edge and not using the Windows App and getting the same issue it seems to be a limitation of the Mac, or is it just mine?

What doesn’t help is the name being Windows App, as when you search for anything to do with “Mac OS Windows App WebAuthn” or other similar search queries you get lots of results for “Windows Apps” in general on Macs and not the actual Windows App itself.

This clearly doesn’t stop me from working with Windows 365 or AVD from the Mac via the Windows App, but it adds additional steps to take, especially if you want to use a different microphone/speaker over what is the default on the Mac, and also adds additional constrains for for using Passkeys in remote sessions. Sure you could look at additional Conditional Access policies but this would be a work around and not a solution.

Are you having the same kind of issues? if so let me know especially if you have been able to resolve it.

Posted in Azure Virtual Desktop, Mac OS, Microsoft, Passwordless, Virtual, Windows 365, Windows App and tagged , , , , , , .

One Comment

  1. Thank you for this. However, I do believe the issue is with the “Windows App” when it comes to passing audio. I use both Citrix VDI and Microsoft AVD. With my Citrix VDI, I do get the option to select any audio device connected to my Macbook. But with AVD I can only use the defaut audio devices (mic / speakers) for Teams & Zoom. I seam to recall that when I was using Remote Desktop on my Mac, I did have the option to select different audio devices in AVD, but I may be mistaking? Unfortunately, we can no longer install Remote Desktop from the App Store so I cannot confirm that any longer.

    Windows App running on a Windows computer to access AVD, all the audio devices pass to both Zoom and Teams. I hope that MS enhances the Windows App on MAC as it is fustrating to have to switch back and forth my default audio device on the MAC depending on where I want to hear audio. :-/

Leave a Reply

Your email address will not be published. Required fields are marked *