Azure AVD SSO not working

Sander 6 Reputation points
2022-12-19T09:36:31.71+00:00

Hi all,

I encounter a strange behavior when authenticating with Azure Virtual Desktop.
When trying to log in, I keep getting the login prompt, as seen in the image below:
271988-schermafbeelding-2022-12-19-101358.png

I created a test account which is comparable to my own account.
This account is able to log in via SSO.

I have tested with MFA both disabled and enforced.
When MFA is enabled, I also keep getting the login prompt after authenticating with the Authenticator App.

When I disable Azure AD Authentication I keep getting this error: (It doesn't allow saved credentials)
272041-image.png

I don't know if these 2 issues are related to each other.

Can anybody provide me with a solution to this problem or explain why this happens?


5 answers

  1. Josip Jurišić 6 Reputation points
    2022-12-19T11:27:46.413+00:00

    Hi Sander,

    Please try to access the web version of AVD with your account, just to eliminate the issue with the Remote Desktop app.

    https://client.wvd.microsoft.com/arm/webclient/index.html

    If you're able to access the AVD via web link, please try to re-subscribe to the Remote Desktop app and let us know if your issue is resolved.

    Best regards.


  2. Josip Jurišić 6 Reputation points
    2022-12-19T12:23:14.023+00:00

    Is your AVD AAD domain-joined? If it is, and you still keep receiving an error message that says your credentials are incorrect, first make sure you're using the right credentials. If you keep seeing error messages, ask yourself the following questions:

    Does your Conditional Access policy exclude multi-factor authentication requirements for the Azure Windows VM sign-in cloud application?
    Have you assigned the Virtual Machine User Login role-based access control (RBAC) permission to the VM or resource group for each user?
    If you answered "no" to either of these questions, follow the instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access (https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa#azure-ad-joined-session-host-vms)

    Note:
    VM sign-ins don't support per-user enabled or enforced Azure AD Multi-Factor Authentication. If you try to sign in with multi-factor authentication on a VM, you won't be able to sign in and will receive an error message.

    For detailed guidance on connections to Azure AD-joined VMs, please refer to the following Microsoft AVD document: https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-azure-ad-connections

    --please don't forget to upvote and accept as answer if the reply is helpful--


  3. Sander 6 Reputation points
    2022-12-19T12:41:40.48+00:00

    Thanks for the info,

    The VM is Azure Hybrid AD joined so joined with on premise domain.
    For MFA, it is already excluded.
    I have also assigned the Virtual Machine User Login role to the VM.

    The strange thing is that I'm able to log in with the test account and not with my own account.
    Both are in the same Security Group and have the same permissions set.

    With the test account I'm also able to log in via the remote desktop desktop client.


  4. Prrudram-MSFT 28,286 Reputation points Microsoft Employee Moderator
    2022-12-21T06:35:07.797+00:00

    Hi @Sander ,

    Can you verify if you have disabled the per-user MFA prompt and not just Conditional Access MFA? Based on the error you're seeing, it's very likely you have not disabled the legacy MFA prompt: Log in to a Windows virtual machine in Azure by using Azure AD - Microsoft Entra | Microsoft Learn. They will also find some information on the error within AVD Insights, so have them verify what the error is showing on their failed attempts.

    Hope this helps.
    Please accept as answer and upvote if the above information is helpful for the benefit of the community.


  5. Kurt Bellian 1 Reputation point
    2023-01-06T02:46:05.93+00:00

    This may already be resolved, but I was getting the same issue and the fix was to go into RDP properties for the hostpool > Connection information, then change Azure AD authentication to "RDP will attempt to use Azure AD authentication to sign in".

    276667-image.png

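The two settings raised in the answers above (the host pool's Azure AD authentication RDP property and the Virtual Machine User Login role) can be checked from PowerShell. This is an added example, not code from any of the posters; the angle-bracket values are placeholders, and it assumes the Az modules are installed and the session is signed in.

```powershell
# Added example. Needs Az.DesktopVirtualization, Az.Compute, Az.Resources and a
# signed-in session (Connect-AzAccount). Angle-bracket values are placeholders.
$ResourceGroup = '<resource-group>'
$HostPoolName  = '<host-pool-name>'
$SessionHostVm = '<session-host-vm-name>'
$UserUpn       = '<user-principal-name>'
$LoginRole     = 'Virtual Machine User Login'

# 1. Parse the host pool's custom RDP properties ("name:type:value;...").
$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$props = @{}
foreach ($entry in ("$($pool.CustomRdpProperty)" -split ';')) {
    if ($entry -match '^\s*([^:]+):([a-z]):(.*)$') {
        $props[$Matches[1].Trim().ToLower()] = $Matches[3].Trim()
    }
}

# enablerdsaadauth:i:1 is the property behind the portal option
# "RDP will attempt to use Azure AD authentication to sign in".
if ($props['enablerdsaadauth'] -eq '1') {
    Write-Output 'Host pool: Azure AD authentication for RDP is enabled.'
} else {
    Write-Output "Host pool: enablerdsaadauth = '$($props['enablerdsaadauth'])' (absent or disabled)."
}

# 2. Find the login role for this user, including assignments inherited through
#    group membership, and keep only scopes that contain the session host VM.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $SessionHostVm
$assignments = Get-AzRoleAssignment -SignInName $UserUpn -ExpandPrincipalGroups |
    Where-Object {
        $_.RoleDefinitionName -eq $LoginRole -and
        ($vm.Id + '/').StartsWith($_.Scope.TrimEnd('/') + '/',
                                  [StringComparison]::OrdinalIgnoreCase)
    }

if ($assignments) {
    $assignments | Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
} else {
    Write-Output "No '$LoginRole' assignment covers $SessionHostVm for $UserUpn."
}
```

Running it once for the working test account and once for the failing account shows whether the two really resolve to the same role assignment and scope.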
