How to assign / connect a user to a Session Host within a Host Pool?

Question

How to assign / connect a user to a Session Host within a Host Pool?

Zach Johnson 0

Hi, I created an Entra ID Host pool with one Session Host VM called BP-Test-1. However, even with adding the correct users to have IAM access to the Application Group and the Virtual Machine, I still am unable to add them as a user to that VM.

I can log into the VM using RDP or other connections using only the Admin account. All the other accounts do not allow a connection or allow me to add them as users assigned. User's image

What else can I do? I have tried to create a support ticket for this issue but have found it extremely difficult to actually make a support ticket that goes to the right department. I met with a support member who helped me setup this test Host Pool and Session Host and VM using Entra ID but it does not actually work even with the "right" configurations. I do not understand what I am missing?

kobulloc-MSFT 26,626 Reputation points Microsoft Employee

2025-04-01T23:29:11.9766667+00:00

Hello, @Zach Johnson ! I'm sorry to hear that you are still running into this. We'll work to get this resolved for you and are looking through what has already been done to make sure we aren't missing anything. At a glance, it seems like you should be able to follow the documentation on Entra joined session hosts but we'll review your setup to see what is needed.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-02T05:52:36.3066667+00:00
Hi Zach Johnson,

Azure Virtual Desktop > Host Pools > [Your Host Pool] > Application Groups. Select the appropriate Application Group (usually Desktop Application Group),Under Assignments ensure that the users are explicitly assigned.

Since your Session Host is Entra ID-joined, users must be Entra ID-native users or hybrid joined users with SSO enabled. Ensure that the users are members of the Remote Desktop Users group on the session host. You can do this by running the following command in PowerShell (as an admin on the VM):

net localgroup "Remote Desktop Users"

If the users are missing, add them with:

net localgroup "Remote Desktop Users" /add "AzureAD\UPN_of_User"

Replace UPN_of_User with their Entra ID username (e.g., ******@yourdomain.com).

Ensure the Session Host shows as Available in Azure Virtual Desktop > Host Pools > [Your Host Pool] > Session Hosts. If it’s not available, try running:

Get-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool"

In the VM’s Network settings, confirm that RDP access (port 3389) is allowed in NSG rules.

If Conditional Access policies restrict non-admin logins, review them in Microsoft Entra ID > Security > Conditional Access.

• Verify that MFA is not preventing the login.

Ensure that users have at least Virtual Machine User Login or Virtual Machine Administrator Login roles assigned at the VM level:

• Go to Azure Portal > Virtual Machines > BP-Test-1 > Access Control (IAM)

• Click Add Role Assignment

• Select Virtual Machine User Login

• Assign it to the necessary users or a security group.

Licensing Issues:

The user might be missing a valid Intune license or have the wrong license type. To resolve this, verify in the Microsoft 365 admin center that the user has an appropriate Intune license assigned under Users > Active Users > Product licenses > Edit. If the issue still persist please provide what error your getting so that it will be helpful to figure it out.

If the comment was helpful, please don't forget to click "Upvote".

Thank You.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-07T01:43:20.2166667+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-08T01:06:52.8+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Zach Johnson 0 Reputation points

2025-04-08T16:55:38.1533333+00:00

Hi, thank you for you response. I do have that Micorosft Entra Signle Sign on turned on the same as you have there. Also, I have the correct roles you are talking about. It seems to still have an issue connecting with any Entra ID user and only allow connection with an admin or a test "other user" that I created while in the VM.
Zach Johnson 0 Reputation points

2025-04-08T17:04:49.8166667+00:00

Thank you for the response. I have made progress, but I am still stuck!. I was able to successfully ADD an Entra ID user to my VM under "Remote Desktop Users" group, but this does not add them to be a regular user of the desktop, and it does not seem to let me log in using that user account.

Here is a screenshot:

How can I login to these accounts? I did create a local account using my same username but this is not connected to my company email / Entra ID like I wanted.

However, I DO see in user profiles there seems to be a virtual user? However, I am confused on what this means since I am unable to login to this account.
Zach Johnson 0 Reputation points

2025-04-08T17:05:47.2633333+00:00

Yes, I responded to the 2 solutions as they have not fixed my problem. One of the solutions has gotten me a little closer, but I am still having issues.
Zach Johnson 0 Reputation points

2025-04-08T17:26:46.79+00:00

I figured out how to log in using AzureAD\username through my RDP client. However, it now says:

I have legacy MFA (per user MFA) enabled. The company is transitioning to the newer MFA policies with Microsoft Authenticator.

I disabled the MFA for my account to try and allow this to work, but it is still not functioning.

How do I resolve this issue now?
Zach Johnson 0 Reputation points

2025-04-08T17:27:09.0533333+00:00

I have legacy MFA (per user MFA) enabled. The company is transitioning to the newer MFA policies with Microsoft Authenticator. I disabled the MFA for my account to try and allow this to work, but it is still not functioning. How do I resolve this issue now?
chrischin 915 Reputation points Microsoft Employee

2025-04-08T18:49:09.6933333+00:00

The MSTSC window on its own can't handle MFA. Make sure you check 'Use a web account to sign in to the remote computer' so that it pops up a child window to complete the signin process.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-09T07:49:34.7566667+00:00

Hi Zach Johnson,

Can you please check the latest comment mentioned by chrischin. how to check "Use a web account to sign in to the remote computer'.

Please let me know if you any other query.

Thank you.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-10T01:13:06.89+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the latest comment on your question mentioned by chrischin. Please let me know if you any other query.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

1 answer

Your answer

kobulloc-MSFT 26,626 Reputation points Microsoft Employee

2025-04-01T23:29:11.9766667+00:00

Hello, @Zach Johnson ! I'm sorry to hear that you are still running into this. We'll work to get this resolved for you and are looking through what has already been done to make sure we aren't missing anything. At a glance, it seems like you should be able to follow the documentation on Entra joined session hosts but we'll review your setup to see what is needed.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-07T01:43:20.2166667+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-08T01:06:52.8+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Zach Johnson 0 Reputation points

2025-04-08T16:55:38.1533333+00:00

Hi, thank you for you response. I do have that Micorosft Entra Signle Sign on turned on the same as you have there. Also, I have the correct roles you are talking about. It seems to still have an issue connecting with any Entra ID user and only allow connection with an admin or a test "other user" that I created while in the VM.
Zach Johnson 0 Reputation points

2025-04-08T17:04:49.8166667+00:00

Thank you for the response. I have made progress, but I am still stuck!. I was able to successfully ADD an Entra ID user to my VM under "Remote Desktop Users" group, but this does not add them to be a regular user of the desktop, and it does not seem to let me log in using that user account.

Here is a screenshot:

How can I login to these accounts? I did create a local account using my same username but this is not connected to my company email / Entra ID like I wanted.

However, I DO see in user profiles there seems to be a virtual user? However, I am confused on what this means since I am unable to login to this account.
Zach Johnson 0 Reputation points

2025-04-08T17:05:47.2633333+00:00

Yes, I responded to the 2 solutions as they have not fixed my problem. One of the solutions has gotten me a little closer, but I am still having issues.
Zach Johnson 0 Reputation points

2025-04-08T17:26:46.79+00:00

I figured out how to log in using AzureAD\username through my RDP client. However, it now says:

I have legacy MFA (per user MFA) enabled. The company is transitioning to the newer MFA policies with Microsoft Authenticator.

I disabled the MFA for my account to try and allow this to work, but it is still not functioning.

How do I resolve this issue now?
Zach Johnson 0 Reputation points

2025-04-08T17:27:09.0533333+00:00

I have legacy MFA (per user MFA) enabled. The company is transitioning to the newer MFA policies with Microsoft Authenticator. I disabled the MFA for my account to try and allow this to work, but it is still not functioning. How do I resolve this issue now?
chrischin 915 Reputation points Microsoft Employee

2025-04-08T18:49:09.6933333+00:00

The MSTSC window on its own can't handle MFA. Make sure you check 'Use a web account to sign in to the remote computer' so that it pops up a child window to complete the signin process.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-09T07:49:34.7566667+00:00

Hi Zach Johnson,

Can you please check the latest comment mentioned by chrischin. how to check "Use a web account to sign in to the remote computer'.

Please let me know if you any other query.

Thank you.
Pramidha Yathipathi 325 Reputation points Microsoft External Staff

2025-04-10T01:13:06.89+00:00

Hi Zach Johnson,

Just checking in to see if you had a chance to review the latest comment on your question mentioned by chrischin. Please let me know if you any other query.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Answer 1

Hi Zach,

When you say you've already given IAM access to the Virtual Machine, do you explicitly mean either the Virtual Machine User Login role or the Virtual Machine Admin Login role? It must be one of these two, having contributor or owner at the VM or above is not a subsititute for one of these roles.

The other thing to check is the RDP Properties of the host pool, make sure, under the 'Connection information' tab that Microsoft Entra single sign-on = Connections will use Microsoft Entra authentication to provide single sign-on.

User's image

Share via

How to assign / connect a user to a Session Host within a Host Pool?

1 answer

Your answer