End users sign-in Citrix Cloud Workspace using Azure Active Directory (AAD) as an identity provider. When launching a virtual desktop that is on-prem AD domain joined, user credential input is prompted by the VDA Windows OS. End user has to manually input the user credential to complete Windows sign-in, rather than getting a single sign-on experience.

In the mentioned use case sign-in Citrix Cloud Workspace using Azure Active Directory (AAD) as an identity provider, while the virtual desktop is on-prem AD domain joined, it is an excepted behavior that single sign-on to virtual desktop doesn't work.

To achieve single sign-on to virtual desktop in such use case, it is recommended to deploy Citrix Federated Authentication Service.

The article describes a failure of single sign-on Citrix DaaS virtual desktop due to the environmental design.