User with Exchange Admin (or Global Admin) role cannot log into the Azure Virtual Desktop Workspace

Question

User with Exchange Admin (or Global Admin) role cannot log into the Azure Virtual Desktop Workspace

Eunice Barnes 0

We recently set up an Azure Virtual Desktop environment with a Personal Host Pool. All regular users can sign in using the Azure Virtual Desktop Preview desktop application. However, we have a couple of users who need either the Exchange Admin or Global Admin role assigned to their accounts. When assigning these roles, the users can no longer log into the Workspace. They are able to subscribe successfully (credentials work successfully, no errors) which then loads a SessionDesktop in the Azure Desktop Preview app. After clicking the SessionDesktop, the user is prompted for credentials again, however they receive an error: "Your credentials did not work. The credentials that were used to connect to E1_AVD_Workspace did not work. Please enter new credentials." When we remove the Exchange/Global Admin role assignment for the users, they are able to sign into the SessionDesktop successfully.

Konstantinos Passadis 19,596 Reputation points MVP

2024-01-19T12:50:22.88+00:00

Hello @Eunice Barnes ! Do you have any feedback on your issue? Kindly mark any answer that helped you as Accepted and Upvote or post your feedback to provide additional help! Regards
v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2024-01-23T06:44:50.73+00:00

Hi @Eunice Barnes,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Konstantinos Passadis 19,596 Reputation points MVP

2024-01-19T12:50:22.88+00:00

Hello @Eunice Barnes ! Do you have any feedback on your issue? Kindly mark any answer that helped you as Accepted and Upvote or post your feedback to provide additional help! Regards
v-vvellanki-MSFT 4,920 Reputation points Microsoft External Staff

2024-01-23T06:44:50.73+00:00

Hi @Eunice Barnes,

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Konstantinos Passadis 19,596 MVP

Hello @Eunice Barnes !

Welcome to Microsoft QnA!

I suspect this is a Default Security Baseline issue with MFA

Can you verify the Defaults are On or OFF ?

https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults

In case they are not , can you kindly check and provide the Conditional Access Policies that are ON ?

Have a look on them and remove the users and recheck !

Also go to Entra ID and check the Sign In Logs , as well as the Workspace Logs , you can activate them temporarily Kindly tell us your feedback

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Eunice Barnes 0 Reputation points

2024-01-18T20:42:51.3666667+00:00
Thank you very much for the quick follow-up!

We have ensured the security defaults are disabled and have Conditional Access policies in place to require MFA for all AVD users as well as all Administrators. 2. The user logs show successful login's when not granted the Exchange or Global admin roles and show as failed when the role is applied with the error of invalid credentials. 3. The Workspace logs did not give any results for errors in the last 24 hours. (I've been testing today). 4. The user can log in successfully without error as long as they are not given any kind of Entra Admin role. MFA did not seem to be the issue.
Eunice Barnes 0 Reputation points

2024-01-18T22:07:20.0233333+00:00
Thank you so much for your quick reply!

We have ensured that the Security Defaults are disabled and have MFA enforces via Conditional Access policy (confirmed they are turned ON) for all AVD users and all Entra administrators. The users are able to log into the Workspace without the Exchange/Global Admin roles applied and the MFA is functioning normally without the role applied.

The users Sign In logs and found successful logins when the admin role is not applied, and failures with the mentioned error, when the admin roles are applied.

The Workspace logs do not show any errors.
Konstantinos Passadis 19,596 Reputation points MVP

2024-01-19T00:19:56.36+00:00

Hello @Eunice Barnes ! Thank you for your feedback

-- it is quite a riddle ! Can you verify that any Admin role produces the error ? e.g Teams or Sharepoint Admin? Can you remove MFA enforce for Admins or one Admin excluded and re try ? Are you using Hybrid Identity or Cloud Only ? Kindly send us your feedback I hope this helps! Kindly mark the answer as Accepted and Upvote in case it helped! Regards
Eunice Barnes 0 Reputation points

2024-01-19T22:48:07.3466667+00:00
Thanks again for the troubleshooting suggestions!

Teams Admin role assigned - can log into the AVD workspace

Sharepoint Admin role assigned - cannot log into the AVD workspace

Excluding the user from all MFA enforcements - cannot log into the AVD workspace

We are in a hybrid environment
Konstantinos Passadis 19,596 Reputation points MVP

2024-01-20T15:27:59.17+00:00

Hello @Eunice Barnes ! Please create a Cloud Only User Assign Exchnage Admin Role and proper license to be able to Login to AVD Try to login with that user If success , do that with a new Synced User , remove him from any OU and add him as a solo user Once synced add Global/Exchnage Admin and proper license Repeat Login please Kinldy share your feedback Regards

Share via

User with Exchange Admin (or Global Admin) role cannot log into the Azure Virtual Desktop Workspace

1 answer

Your answer