This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 53%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
I used the portal to create a host pool, application group and VM for Azure Virtual Desktop. I indicated I wanted the machine joined to our AAD. I added the targetisaadjoined:i:1 property to the Host Pool. I assigned the
Virtual Machine User Login role to my account. When I try to login to AVD via the RDP client I get "The credentials that were used to connect to xxx.xxx.xxx.xxx did not work. Please enter new credentials". If I use the web client the error is "Sign in failed. Please check your username and password and try again.". For both the RDP and web clients the only account that works is the admin account that was specified in the portal when the VMs were created.
If I look at the devices listed in Entra, the AVD VM is listed as "Enabled" and "Azure AD joined".
Does anyone have suggestions on how to diagnose the problem?
We noticed that you rated an answer as not helpful. We value your feedback and want to see if there is anything we can do to improve it and make this a positive experience for you. Please review the answer provided by me and comment if you have any further questions.
If my answer is helpful, would you be so kind to re-evaluate your feedback by accepting it as answer and upvote the same.
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 35%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Hi Glenn,
It sounds like you have checked the obvious things there, but can you also double check that either of these two RBAC roles are assigned to the Virtual Machines/Resource group?
Thanks
I verified my userid does have the "Virtual Machine User Login". The doc isn't the easiest to follow but I'm guessing I need to disable MFA as described in this doc https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required. I am trying to login from a machine that's joined to our on-prem AD, not AAD. I've asked my admin to do that but it hasn't been done yet. I'll try that when he's made the change.
Yep that sounds to be the problem. I have encountered this myself. Let us know how you get on.
"You need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 75%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Hi Glenn,
When you say you're using the RDP client, do you mean you're using the Windows inbox MSTSC client and connecting using an IP address? If so, that's not a supported way to connect to Azure Virtual Desktop. You need to use a supported client (https://learn.microsoft.com/en-us/azure/virtual-desktop/users/remote-desktop-clients-overview) and subscribe to the workspace.
In addition to the assigning the RBAC roles to the users, you also need to add it to the application group (this is the way it shows up as a resource in one of the supported clients).
Hope that helps.
Yes, I did try MSTSC. I've also tried the web client and what the referenced doc refers to as "Remote Desktop client". They all exhibit similar behavior. I recently tried the web client from a laptop that was joined to AAD and that worked. I think we understand our options better now and can select a path forward.
It sounds like you may have "per user MFA" enabled - which does not work with AVD, as per: Log in to a Windows virtual machine in Azure by using Microsoft Entra ID - Microsoft Entra | Microsoft Learn - you want to use a conditional access policy instead.
If this does answer your question, please accept it as the answer as a token of appreciation.