Unable to login to Azure Desktop using EntraID

Question

Unable to login to Azure Desktop using EntraID

Nate Fuhriman 0

I've created an Azure Virtual Desktop pool that is joined to EntraID. I can login using the local admin account but unable to access with EntraID. I've go through the troubleshooter with out that changing anything. Here are the things I've verified

Users do not have per-user MFA enabled.

User is setup in IAM as "Virtual Machine User Login"

RDP properties has "targetisaadjoined:i:1" as users will be using web interface to access

In the actual VM machine I've added the user and they do show up as "AzureAD/XXXX"

In the event logs I do see an error about "Due to a configuration change made by your administrator, or because you moved to a new location, You must use multifactor authentication to access". However when logging in I'm never prompted for multifactor autentication. I'm unable to see anywhere that I can disable this for logins to azure.

Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-04-30T15:50:19.73+00:00

Hello Nate Fuhriman,

As per the description, we understand that Entra-ID user is not able to sign-in to virtual desktop even he is added as VM user login and you have verified the pre-requisites of VM login.

I request you to check the below pre-requisites

The VM should be Windows Server 2019 or later or Windows 10 1809 or later.

The Windows 10 or later PC that is used to initiate the remote desktop connection must be Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory.

And when you are using Azure AD registered as the RDP client to initiate connection, you should enter credentials in for AzureAD\UPN

I request you to check if Conditional Access policies are configured to enforce MFA under certain conditions for the user, he might get triggered with MFA if he logs in from a new location or untrusted network.

For example, if the user’s IP address changes, or if they are trying to log in from a different country or a new device, the system might require MFA to verify the user’s identity.

I suggest you refer the below document.

https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows
Nate Fuhriman 0 Reputation points

2025-04-30T22:42:27.6666667+00:00

The machines that are connecting are NOT joined to the domain. We are using web browser to connect. The clients are a mix (MacOS,Windows,Linux). We are trying to connect at https://windows365.microsoft.com/ent#/devices

The VM is a win11 system

We don't have any conditional access policies. We are on the Free tier of EntraID which doesn't allow conditional access prolicies. We just have the "Security defaults" enabled which turns on MFA everywhere.

I've tried logging in with AzureAD/<username> and with <email address> neither one works.

I understand if we need to use MFA to login. However, it doesn't request this it just throws an error that it is needed but never shows the MFA validation screen on login windows.
Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-05-06T09:22:36.8166667+00:00

Hello Nate Fuhriman,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-05-07T03:18:06.4266667+00:00

Hello Nate Fuhriman,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-04-30T15:50:19.73+00:00

Hello Nate Fuhriman,

As per the description, we understand that Entra-ID user is not able to sign-in to virtual desktop even he is added as VM user login and you have verified the pre-requisites of VM login.

I request you to check the below pre-requisites

The VM should be Windows Server 2019 or later or Windows 10 1809 or later.

The Windows 10 or later PC that is used to initiate the remote desktop connection must be Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory.

And when you are using Azure AD registered as the RDP client to initiate connection, you should enter credentials in for AzureAD\UPN

I request you to check if Conditional Access policies are configured to enforce MFA under certain conditions for the user, he might get triggered with MFA if he logs in from a new location or untrusted network.

For example, if the user’s IP address changes, or if they are trying to log in from a different country or a new device, the system might require MFA to verify the user’s identity.

I suggest you refer the below document.

https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows
Nate Fuhriman 0 Reputation points

2025-04-30T22:42:27.6666667+00:00

The machines that are connecting are NOT joined to the domain. We are using web browser to connect. The clients are a mix (MacOS,Windows,Linux). We are trying to connect at https://windows365.microsoft.com/ent#/devices

The VM is a win11 system

We don't have any conditional access policies. We are on the Free tier of EntraID which doesn't allow conditional access prolicies. We just have the "Security defaults" enabled which turns on MFA everywhere.

I've tried logging in with AzureAD/<username> and with <email address> neither one works.

I understand if we need to use MFA to login. However, it doesn't request this it just throws an error that it is needed but never shows the MFA validation screen on login windows.
Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-05-06T09:22:36.8166667+00:00

Hello Nate Fuhriman,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,325 Reputation points Microsoft External Staff Moderator

2025-05-07T03:18:06.4266667+00:00

Hello Nate Fuhriman,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hello Nate Fuhriman,

As you mentioned that this issue started after enabling Security Defaults, it is the reason to trigger MFA for user for every sign-in.

The native RDP protocol doesn't allow interactive MFA prompts unless you're pre-authenticated

I suggest you to try to connect to your Azure VMs through the below url

https://rdweb.wvd.microsoft.com/arm/webclient

Please let us know if you are able to see your session.

If you don’t see your session listed, it means the AVD host pool isn’t assigned to you or is misconfigured.

Share via

Unable to login to Azure Desktop using EntraID

1 answer

Your answer