Setting up Cloud SSO Authentication


What is Cloud SSO Authentication?

Cloud SSO Authentication, or Single Sign-On (IdP via RealVNC services), introduces a seamless way to verify your identity when connecting to remote devices running RealVNC Connect or RealVNC Server. Instead of entering a separate password for each connection, your Microsoft Entra ID credentials are used automatically - so if you're already signed in to RealVNC Connect with Account SSO, you can connect without any extra steps.

RealVNC Connect checks your Entra ID group memberships against its configured permissions and grants access accordingly. This means your admin controls who can connect and what they can do, all based on existing Entra ID groups.

Plan requirement

Cloud SSO Authentication requires a RealVNC Connect Enterprise subscription.

Before you start

Before you can use Cloud SSO Authentication, make sure the following are in place:

  1. You have a RealVNC Connect Enterprise subscription.
  2. Account SSO via Entra ID is enabled and configured - your RealVNC Connect team must be configured to sign in using Microsoft Entra ID as the identity provider.
    Read more on how to set this up here: Managing RealVNC Connect users, roles and groups with Entra ID/Azure AD
  3. The remote device is running RealVNC Connect (8.4.0 or later) or RealVNC Server (7.17.0 or later) and is joined to your RealVNC Connect team via cloud connectivity.
  4. You have one or more Entra ID security groups containing the users who should have access. You'll need either the group UUID or the group display name when configuring permissions.
  5. You have assigned a role to each of the groups in point 4 in the VNC-Connect-SSO app in Entra ID - see our guide here
  6. (Optional) If you want to validate group UUIDs and display names directly from Entra ID when adding permissions in the RealVNC Connect app, the signed-in user needs the Group.Read.All permission.

Limitations

The settings UI described in this guide for managing SSO cloud authentication and managing cloud groups is currently only available in RealVNC Connect (8.4.0 and later) and not yet available in RealVNC Server.

If you are running RealVNC Server (7.17.0 and later), you will need to configure Cloud SSO Authentication using the CloudAuthGroupPermissions Expert/policy parameter instead. See the Bulk Device Configuration section below for details on the format for the value of this parameter and how to deploy it via policy.

Enabling Cloud SSO Authentication

To enable Cloud SSO Authentication, follow the steps below:

  1. Open RealVNC Connect on the remote device that you will be connecting to.
  2. Go to Settings -> Inbound -> Security using the left navigation menu.
  3. Under 'Authentication', select 'Single Sign-On (IdP via RealVNC services)' from the drop-down menu.

Please note, the 'Single Sign-On (IdP via RealVNC services)' option only appears when RealVNC Connect is joined to a RealVNC Connect cloud team with an Enterprise subscription.

Managing cloud groups

Once you've enabled Cloud SSO Authentication, you need to specify which Entra ID groups are authorised to connect. Each group can be assigned its own set of permissions, giving you control over what different groups of users can do on the remote device.

If a connecting user is a member of more than one configured group, their permissions are combined. For example, if Group A grants view-only access and Group B grants full control, a user in both groups receives full control.

Adding a cloud group

To add a cloud group:

  1. Go to Settings -> Inbound -> Users & Permissions using the left navigation menu, and click 'Add Cloud Group'.

  2. Choose how you want to identify the group:
    • Select 'Add by group UUID' and enter the Entra ID group's UUID (object ID) (for example, a1b2c3d4-e5f6-7890-abcd-ef1234567890); or
    • Select 'Add by group name' and enter the group's display name as it appears in Entra ID

  3. Click 'Validate' to verify the group against your Entra ID directory.
  4. If validation succeeds, the resolved group name (or UUID) is displayed. Click 'Add' to save the group.
  5. Set the permissions for the group using the permissions controls.

If you have the Group.Read.All permission in Entra ID, validation will confirm the group exists and show you the resolved name or UUID. If you don't have this permission, see the section below on adding groups manually.

Adding a cloud group manually

If validation fails with a "permission denied" error, it means the signed-in user does not have the Group.Read.All permission in Entra ID. This is managed by Entra ID, not RealVNC.

You can still add groups manually:

  • If you were adding by group name, the dialog switches to UUID mode. Enter the group UUID (Object ID) from Entra ID instead, and optionally type a display name for your own reference.
  • If you were adding by group UUID, you can proceed - enter the UUID (Object ID) and optionally add a local display name.

To find a group's UUID (Object ID), go to the Microsoft Entra admin centre, navigate to Groups, select the group, and look under Overview > Object Id.

If validation fails with a connection error, check your network connection and ensure the device has internet access, then try again. You can still add groups manually by UUID if needed.

Connecting to a remote device

Once Cloud SSO Authentication is set up on a remote device, connecting is straightforward.

  1. Open RealVNC Connect or RealVNC Connect Viewer and make sure you are signed in with your Entra ID Account SSO credentials.
  2. Double-click the remote device in your Devices list.
  3. The connection authenticates automatically using your Entra ID identity - no extra password needed.
  4. If you belong to at least one authorised group configured on the remote device, access is granted with the combined permissions of all matching groups.

Bulk Device Configuration and Policy Deployment

For larger teams or organisations that need to deploy Cloud SSO Authentication across many devices, you can configure cloud group permissions directly via policy rather than setting them up one server at a time through the RealVNC Connect UI.

The CloudAuthGroupPermissions parameter defines which cloud groups are authorised and what permissions each group has. This can be set in the RealVNC Server configuration file or deployed via group policy, making it ideal for rolling out consistent access controls across your entire estate.

Setting up by policy

First, download and install the latest policy templates for RealVNC Connect and/or RealVNC Server.

Locate the RealVNC configuration parameters in Group Policy Editor (Windows) or policy template file (macOS/Linux). For Group Policy Editor, this is in Computer Configuration, Administrative Templates, RealVNC, RealVNC Server, Service Mode.

Locate the Authentication parameter and set it to a value of CloudSso. Next, locate CloudAuthGroupPermissions, which controls which Entra ID groups are authorised to connect and the permissions that users in those groups have during a remote access session.

CloudAuthGroupPermissions parameter format

The CloudAuthGroupPermissions value uses comma-separated entries in the form:

GROUP_UUID:DISPLAY_NAME:PERMISSIONS

For example:

a1b2c3d4-e5f6-7890-abcd-ef1234567890:Engineering Team:f,b2c3d4e5-f6a7-8901-bcde-f12345678901:Support Staff:v

Important notes when editing directly:

  • Group UUIDs must be in lowercase.
  • Display names containing : or , (comma) or % must be URL/percent-encoded.

For a complete list of permission values, please see https://help.realvnc.com/hc/en-us/articles/360002251297-RealVNC-Server-Parameter-Reference#permissions-0-80
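
The following is an added example, not RealVNC code: a small Python helper that builds a CloudAuthGroupPermissions value from a list of groups and lints a hand-edited value against the format rules above before it is deployed by policy. The function names are hypothetical. It assumes that only the three characters named above are percent-encoded in display names, and it treats the permissions field as an opaque string (see the parameter reference for valid values).

```python
import re
import uuid
from urllib.parse import unquote

# Characters the article says must be percent-encoded in display names.
# '%' comes first so the escapes added for ':' and ',' are not re-encoded.
_ESCAPES = {"%": "%25", ":": "%3A", ",": "%2C"}
_LOWER_UUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def encode_name(name):
    for ch, esc in _ESCAPES.items():
        name = name.replace(ch, esc)
    return name


def build_value(groups):
    """groups: iterable of (group_uuid, display_name, permissions) tuples."""
    entries = []
    for group_id, name, perms in groups:
        # uuid.UUID raises ValueError on malformed input; str() lowercases it.
        canonical = str(uuid.UUID(group_id))
        if not perms or ":" in perms or "," in perms:
            raise ValueError(f"bad permissions string for group {name!r}")
        entries.append(f"{canonical}:{encode_name(name)}:{perms}")
    return ",".join(entries)


def lint_value(value):
    """Check a hand-edited value; return (parsed_entries, problems)."""
    parsed, problems = [], []
    for i, entry in enumerate(value.split(","), 1):
        parts = entry.split(":")
        if len(parts) != 3:
            # Typical cause: an unencoded ':' or ',' inside a display name.
            problems.append(f"entry {i}: expected 3 fields, got {len(parts)}")
            continue
        group_id, name, perms = parts
        if not _LOWER_UUID.match(group_id):
            problems.append(f"entry {i}: group UUID must be a lowercase UUID")
        if not perms:
            problems.append(f"entry {i}: permissions field is empty")
        parsed.append((group_id, unquote(name), perms))
    return parsed, problems
```

Running lint_value on a value before it goes into a policy template catches the two mistakes the notes above warn about: an uppercase UUID, and a display name whose unencoded separator splits one entry into several.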

Troubleshooting

No matching authentication methods

Please ensure you are connecting using either RealVNC Connect or RealVNC Connect Viewer, version 8.4.0 or later.
