Unable to login to AVD session - Error Code: 0x3000047

Question

Unable to login to AVD session - Error Code: 0x3000047

Tariq Ghouri 25

Users are experiencing issues logging into the AVD session, receiving the following error:

An error occurred while accessing this resource. Retry the connection or contact your system administrator. For more tips on how to resolve the issue, refer to the Troubleshooting Guide   
Error code: 0x3000047   
Extended error code: 0x0   
Timestamp (UTC): 2025-05-12T12:35:35.261Z 
Activity ID: 16b39503-4108-4512-81b5-826456a90000.

Attempts to resolve this include removing and re-adding users in Desktop App Group Assignments and assigning the users to the [Desktop Virtualization User] and [Virtual Machine User Login] roles in the AVD VM. Despite these efforts, users remain unable to log in.

Nikhil Duserla 7,935 Reputation points Microsoft External Staff Moderator

2025-05-13T09:26:17.16+00:00

Hello @Tariq Ghouri,

Checking to see whether you have resolved the issue with the solution provided above, or if you need any further assistance, please let us know. We are happy to help.
Tariq Ghouri 25 Reputation points

2025-05-13T09:57:20.7033333+00:00

Hi @Nikhil Duserla ,

As per the recommendation I have followed all the steps but still the error is same. Even though I have assigned public ip and tried to RDP the VM but it is not allowing me to do so.

One more important information for you is that the golden image which I have created is syspreped and used to built these 2 VMs. Does this makes any difference? As earlier when I had VMs in this DAG were created without the golden image and they were seemlessly connected through RDP/local admin and from Windows app and Entra login ID.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-14T06:46:45.5766667+00:00

Hi Tariq Ghouri,
Can you check the VM is running properly by checking its status in Azure under Session Hosts. If it looks unavailable, go ahead and restart it to refresh the system and confirm it registers correctly as an active session host. If you're still having trouble, try connecting through Azure Serial Console this lets you interact with the VM even if RDP isn’t working. Once inside, check for firewall rules, RDP listener status, and authentication settings to figure out what’s blocking the connection
Get started with Serial Console
Tariq Ghouri 25 Reputation points

2025-05-14T08:56:45.1466667+00:00
Hi @Akshay kumar Mandha

Thank you so much for the response, as suggested I have followed your recommendations but I am still unable to login with the Entra ID. Below are the results

Firewall Rules

Ran netsh advfirewall firewall set rule group="remote desktop" new enable=Yes – returned “Updated 3 rule(s).”

Verified with netsh advfirewall firewall show rule name=all | findstr /C:"Remote Desktop" – relevant RDP rules are listed and appear enabled.

RDP Listener

Checked with netstat -an | findstr :3389 – port 3389 is listening on both IPv4 and IPv6.

Verified that the TermService (Remote Desktop Services) is running.

Authentication Settings

Registry value UserAuthentication is set to 0x1, indicating that Network Level Authentication (NLA) is enabled.

Device is Azure AD Joined (YES), but IsUserAzureAD shows NO, which seems to be the main issue.

AzureAdPrt is NO, and KeySignTest failed – possibly affecting credential-based logins.

The device certificate and token provisioning appear incomplete or invalid.

Despite having RDP enabled and listening, I am still unable to authenticate using Azure AD credentials. The device appears to be Azure AD joined, but the user account does not seem to be recognized as an Azure AD user.

Your precious guidance will be highly appreciated.
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2025-05-14T10:27:42.8733333+00:00
Hi Tariq Ghouri,

Connectivity problems could arise from incorrect setup or activation of the session host with the host pool.

Removing and re-adding the session host to the pool has worked for some.https://techcommunity.microsoft.com/discussions/azurevirtualdesktopforum/unable-to-connect-to-remote-desktop/4398165

Fix:

i. Open PowerShell and run:

Get-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool"

ii. Verify that the session host appears in the list and is in a healthy state.

iii. If issues are found, re-register by removing it from the host pool:

Remove-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool" -Name "YourVMName"

iv. Then add it back using:

New-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool" -Name "YourVMName"

Can you also please check the tech doc https://techcommunity.microsoft.com/discussions/azurevirtualdesktopforum/error-when-connecting-to-mvd---0x3000047/1242145

Please reply to me in the private message!
Tariq Ghouri 25 Reputation points

2025-05-14T11:41:12.3666667+00:00
Hi @Mounika Reddy Anumandla

Thanks a lot for the response. Below are the results from the command you asked to run

Session Host Health Check: avd-vm-2

Status: Available – The host is online and ready to accept sessions.

Heartbeat: Active – Last received at 2025-05-14 08:35:40 UTC.

Health Checks: All succeeded:

DomainJoinedCheck: ✅

`DomainTrustCheck`: ✅ `SxSStackListenerCheck`: ✅ `UrlsAccessibleCheck`: ✅

Potential Issue Identified

Assigned User: None

The session host does not have a user assigned to it.

This could be the reason why login attempts are failing.

However, if I see the IAM roles of the host pool, users are added there and similarly the users are assigned in Desktop Application Assignment also. I have sent you the details in PM, please check.

2 answers

Your answer

Nikhil Duserla 7,935 Reputation points Microsoft External Staff Moderator

2025-05-13T09:26:17.16+00:00

Hello @Tariq Ghouri,

Checking to see whether you have resolved the issue with the solution provided above, or if you need any further assistance, please let us know. We are happy to help.
Tariq Ghouri 25 Reputation points

2025-05-13T09:57:20.7033333+00:00

Hi @Nikhil Duserla ,

As per the recommendation I have followed all the steps but still the error is same. Even though I have assigned public ip and tried to RDP the VM but it is not allowing me to do so.

One more important information for you is that the golden image which I have created is syspreped and used to built these 2 VMs. Does this makes any difference? As earlier when I had VMs in this DAG were created without the golden image and they were seemlessly connected through RDP/local admin and from Windows app and Entra login ID.
Akshay kumar Mandha 3,390 Reputation points Microsoft External Staff Moderator

2025-05-14T06:46:45.5766667+00:00

Hi Tariq Ghouri,
Can you check the VM is running properly by checking its status in Azure under Session Hosts. If it looks unavailable, go ahead and restart it to refresh the system and confirm it registers correctly as an active session host. If you're still having trouble, try connecting through Azure Serial Console this lets you interact with the VM even if RDP isn’t working. Once inside, check for firewall rules, RDP listener status, and authentication settings to figure out what’s blocking the connection
Get started with Serial Console
Tariq Ghouri 25 Reputation points

2025-05-14T08:56:45.1466667+00:00

Hi @Akshay kumar Mandha

Thank you so much for the response, as suggested I have followed your recommendations but I am still unable to login with the Entra ID. Below are the results

Firewall Rules

Ran netsh advfirewall firewall set rule group="remote desktop" new enable=Yes – returned “Updated 3 rule(s).”

Verified with netsh advfirewall firewall show rule name=all | findstr /C:"Remote Desktop" – relevant RDP rules are listed and appear enabled.

RDP Listener

Checked with netstat -an | findstr :3389 – port 3389 is listening on both IPv4 and IPv6.

Verified that the TermService (Remote Desktop Services) is running.

Authentication Settings

Registry value UserAuthentication is set to 0x1, indicating that Network Level Authentication (NLA) is enabled.

Device is Azure AD Joined (YES), but IsUserAzureAD shows NO, which seems to be the main issue.

AzureAdPrt is NO, and KeySignTest failed – possibly affecting credential-based logins.

The device certificate and token provisioning appear incomplete or invalid.

Despite having RDP enabled and listening, I am still unable to authenticate using Azure AD credentials. The device appears to be Azure AD joined, but the user account does not seem to be recognized as an Azure AD user.

Your precious guidance will be highly appreciated.
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2025-05-14T10:27:42.8733333+00:00

Hi Tariq Ghouri,

Connectivity problems could arise from incorrect setup or activation of the session host with the host pool.

Removing and re-adding the session host to the pool has worked for some.https://techcommunity.microsoft.com/discussions/azurevirtualdesktopforum/unable-to-connect-to-remote-desktop/4398165

Fix:

i. Open PowerShell and run:

Get-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool"

ii. Verify that the session host appears in the list and is in a healthy state.

iii. If issues are found, re-register by removing it from the host pool:

Remove-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool" -Name "YourVMName"

iv. Then add it back using:

New-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool" -Name "YourVMName"

Can you also please check the tech doc https://techcommunity.microsoft.com/discussions/azurevirtualdesktopforum/error-when-connecting-to-mvd---0x3000047/1242145

Please reply to me in the private message!
Tariq Ghouri 25 Reputation points

2025-05-14T11:41:12.3666667+00:00

Hi @Mounika Reddy Anumandla

Thanks a lot for the response. Below are the results from the command you asked to run

Session Host Health Check: avd-vm-2

Status: Available – The host is online and ready to accept sessions.

Heartbeat: Active – Last received at 2025-05-14 08:35:40 UTC.

Health Checks: All succeeded:

DomainJoinedCheck: ✅

`DomainTrustCheck`: ✅ `SxSStackListenerCheck`: ✅ `UrlsAccessibleCheck`: ✅

Potential Issue Identified

Assigned User: None

The session host does not have a user assigned to it.

This could be the reason why login attempts are failing.

However, if I see the IAM roles of the host pool, users are added there and similarly the users are assigned in Desktop Application Assignment also. I have sent you the details in PM, please check.

Answer 1

Hello @Tariq Ghouri,

Please follow below steps-

Navigate to the VM\Extensions + applications
Note the Version, for Win11ms, I would expect 2.2.0.0.
Click the Uninstall button.
Reboot the VM
Once the VM is back online after reboot, open Cloud Shell

Run the following in Cloud Shell substituting in your Resource Group name, VM name, and LocationAzure PowerShellAI ConvertCopy

      Set-AzVMExtension -ResourceGroupName "<RESOURCE GROUP NAME>" -VMName "<VM NAME>" -Name "AADLoginForWindows" -Location "<LOCATION>" -Publisher "Microsoft.Azure.ActiveDirectory" -Type "AADLoginForWindows" -TypeHandlerVersion "2.2"

Ensure user must have Virtual Machine User Login or Virtual Machine Administrator Login role

In Azure portal go to AVD VM > Select Access control (IAM) > Select Role Assignments > Confirm the User account has been granted Virtual Machine User Login or Virtual Machine Administrator Login

Checked have the necessary licenses to allow multiple users to connect to the virtual machine.

Ensure RDP property targetisaadjoined:i:1 was added to the AVD host pool. So, add going through. Navigate to Azure portal > select host pool configured for Azure AD Joined > select RDP Properties blade > Select Advanced Tab > added- targetisaadjoined:i:1

May have "per user MFA" enabled - which does not work with AVD, disable it. as per: Log in to a Windows virtual machine in Azure by using Microsoft Entra ID - Microsoft Entra | Microsoft Learn

If you have any further queries, do let us know.

Answer 2

Alex Burlachenko 10,255

Dear Tariq Ghouri

thank you for reaching out about the login issue with Azure Virtual Desktop. I understand how frustrating it can be when users cannot access their sessions. Let me explain the possible causes and solutions for error code 0x3000047 in a simple way.

This error usually happens when there are permission problems or configuration issues in Azure Virtual Desktop.

First, make sure the users have the correct roles assigned in Azure. They need both the Desktop Virtualization User role and the Virtual Machine User Login role to access the AVD session. You can check the role assignments in the Azure portal under Access Control (IAM) for the virtual machine or host pool. Microsoft’s official documentation explains this in detail here: Assign the Virtual Machine User Login role in Azure.

Next, verify that the users are properly added to the Desktop Application Group. If they were recently added, it might take some time for changes to apply. You can try removing and re-adding them to refresh the permissions. Microsoft provides guidance on managing app groups here: Manage app groups for Azure Virtual Desktop.

Another common issue is network connectivity. Ensure that the session host virtual machine has proper internet access and can communicate with Azure services. Sometimes, firewalls or network security groups block the required connections.

If the problem continues, check the session host’s health in the Azure portal. A failing or overloaded session host can cause login errors. Restarting the virtual machine might help.

Finally, if none of these steps work, reviewing the Azure Virtual Desktop logs can provide more clues. The logs may show specific errors that explain why the login is failing. Microsoft’s guide on diagnostics and logging is here: Diagnostics and logging for Azure Virtual Desktop.

I hope this helps resolve the issue.

Best regards,
Alex
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
https://ctrlaltdel.blog/

Tariq Ghouri 25 Reputation points

2025-05-13T14:01:49.3266667+00:00

Hi @Alex Burlachenko

Thank you for your detailed feedback.

I have successfully logged into the virtual machine using RDP and local admin credentials. To enable this, I modified the NSG to allow RDP connections from any source to any destination.

However, I observed that the virtual machine is not joined to Entra ID but is instead part of a WORKGROUP. This configuration may be preventing login with Entra ID credentials.

Could you please provide further guidance on the steps needed to resolve this issue and enable Entra ID-based authentication for the AVD?
Alex Burlachenko 10,255 Reputation points

2025-05-13T14:24:28.41+00:00
Tariq Ghouri great news ... and thank you for your update. I’m really glad you were able to access the virtual machine via RDP, and I understand that the VM being in a WORKGROUP instead of Microsoft Entra ID (formerly Azure Active Directory) is likely causing the login issues for Azure Virtual Desktop (AVD). So step by step

Step 1: Join the Virtual Machine to Microsoft Entra ID

for AVD to work properly, the session host (your VM) must be joined to Microsoft Entra ID.

Log in to the VM using RDP (as you already did).

Open PowerShell as Administrator and run the following command to join the VM to Microsoft Entra ID:

dsregcmd /leave

(This ensures any previous domain registrations are cleared.)

Next, run

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Install-Script -Name Register-AzVMForWVD -Force Register-AzVMForWVD -TenantId "your-tenant-id" -SubscriptionId "your-subscription-id" -ResourceGroupName "your-resource-group" -VMName "your-vm-name"

(Replace the placeholders with your actual Azure details.)

Step 2: Verify Microsoft Entra ID Join Status

After running the script, confirm the VM is successfully joined:

Open Settings -> Accounts -> Access work or school.

Check if it shows Connected to [Your Tenant’s] Microsoft Entra ID.

or you can use PS as well

dsregcmd /status

Look for AzureAdJoined: YES in the output.

Step 3: Assign Required Roles in Azure

Even after joining Microsoft Entra ID, users still need proper role assignments:

Go to the Azure Portal -> Virtual Machines -> Select your AVD VM.

Under Access Control (IAM), ensure users have

Desktop Virtualization User

Virtual Machine User Login (Reference: Assign AVD roles in Azure)

Step 4: Restart the VM and Test AVD Login

After completing these steps:

Restart the VM to apply changes.

Have a user attempt to log in via the AVD client again.

Troubleshooting if Login Still Fails

Check Event Viewer on the VM (Windows Logs > Application) for AVD-related errors.

Ensure network security groups (NSGs) allow outbound connections to Azure services (ports 443, 80).

If using Conditional Access, verify no policies block AVD logins.

So... thats all... I really hope that would help. Let me to know if so

rgds,

Alex

p.s. hate to write from smartphone :((((
Tariq Ghouri 25 Reputation points

2025-05-13T15:17:40.5933333+00:00
Hi @Alex Burlachenko

Thank you so much for the detailed response.

I attempted to run the Install-Script -Name Register-AzVMForWVD -Force command as suggested, but it failed with the following error:

No match was found for the specified search criteria and script name 'Register-AzVMForWVD'.

It looks like the script is no longer available in the PowerShell Gallery. Even after installing the required NuGet provider, the command still fails.

Additionally, when I try to run Register-AzVMForWVD directly, PowerShell returns:

The term 'Register-AzVMForWVD' is not recognized as the name of a cmdlet, function, script file, or operable program.

From what I’ve gathered, this script appears to be deprecated and is no longer used in modern Azure Virtual Desktop (AVD) deployments. Could you confirm if this is the case? If so, I’d appreciate guidance on the updated method to register a VM with AVD.
Alex Burlachenko 10,255 Reputation points

2025-05-13T15:36:47.1766667+00:00
Tariq Ghouri Ah yes, the old Register-AzVMForWVD script… you’re spot on that it’s been deprecated (Microsoft’s docs don’t even mention it anymore). These days, joining a VM to Microsoft Entra ID for Azure Virtual Desktop is way simpler. let’s get that VM properly joined to Microsoft Entra ID. Since you’re already logged in via RDP, just open Settings > Accounts > Access work or school and click “Connect.” Choose the option to join it to Microsoft Entra ID it’ll guide you through signing in with your admin credentials. A quick restart after should do the trick.

If you prefer PowerShell (or need to automate this later), you can use dsregcmd /leave to clean up any old joins, then run Add-Computer with your Entra ID domain. Just don’t forget to restart!

Once the VM shows as “AzureAdJoined: YES” (check with dsregcmd /status), hop over to the Azure portal. Navigate to your Azure Virtual Desktop host pool and manually add this VM as a session host. The portal will handle the registration behind the scenes no more deprecated scripts needed.

and about those roles please double-check that users have both Desktop Virtualization User and Virtual Machine User Login assigned in the VM’s IAM settings. Sometimes the Azure portal is slow to reflect changes, so a 10-minute coffee break might help before testing logins again.

If users still hit snags, peek at the VM’s Event Viewer under Windows Logs > Application for AVD-related errors. and maybe triple-check that NSG it’s easy to overlook a stray rule blocking traffic.

rgds,

Alex

p.s. just in cases if you would like to join via PowerShell

# Install the Azure AD module (if not already present) Install-Module -Name AzureAD -Force -AllowClobber # Connect to Azure AD (authenticate with an Entra ID admin account) Connect-AzureAD # Join the VM to Entra ID Add-Computer -DomainName "yourdomain.onmicrosoft.com" -Credential (Get-Credential) -Restart

just replace yourdomain.onmicrosoft.com with your Entra ID tenant domain.

and check

dsregcmd /status

look for AzureAdJoined: YES if still NO the join failed check network/firewall permissions.

BTW as I find "the Register-AzVMForWVD script is deprecated and is no longer supported in modern Azure Virtual Desktop (AVD) deployments. This script was part of the classic Windows Virtual Desktop (WVD) model, which has been replaced by the Azure Resource Manager (ARM)-based AVD. The ARM-based AVD offers better integration with Azure services and improved management capabilities. Microsoft has been transitioning users to this newer model, and as a result, older scripts like Register-AzVMForWVD are no longer maintained or recommended for use"
Tariq Ghouri 25 Reputation points

2025-05-13T17:53:08.3366667+00:00
Hi @Alex Burlachenko

Thanks a lot for your continous effort in supporting. Below is my response,

I couldn't find the option here, Settings > Accounts > Access work or school and click “Connect.”

It worked sregcmd /leave

I tried to run the powershell commands you provided but they also didn't work, instead I ran
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

But still unable the error persist on joining the Entra ID.

What I have found on internet is that my OS Windows 11 Enterprise multi-session, does not support full Entra ID Join. But if I switch to Single session then it will join the Entra ID but obviously won't achieve the goal of AVD.

Now, what could be the possible solution for this.
Alex Burlachenko 10,255 Reputation points

2025-05-14T11:40:07.8+00:00
hi ))) hmmmmmmm, okay so yes, you’re absolutely right about the limitation with Windows 11 Enterprise multi-session and Entra ID joining. It’s a common hiccup since multi-session VMs currently don’t support full Entra ID join like single-session VMs do.

I'm pretty sure you already did

dsregcmd /status

and if its still No... let's try to do it manually

Connect-MgGraph -Scopes "Directory.ReadWrite.All" New-MgDevice -DisplayName "Your-AVD-VM-Name" -OperatingSystem "Windows"

but be sure - you’ll need Global Admin or Intune Admin rights for this.

Next, manually register the VM with your AVD host pool via the Azure Portal:

Go to Azure Virtual Desktop -> Host pools -> [Your host pool] -> Session hosts.

Click + Add and select your VM from the list.

Complete the registration this bypasses the need for full Entra ID join.

For user access, double-check these role assignments in Azure IAM:

Desktop Virtualization User (assigned to users/groups).

Virtual Machine User Login (assigned at the VM/resource group level).

If users still can’t sign in, try these quick checks:

Temporarily disable Conditional Access policies (if any) to rule out access blocks.

In the VM, run gpupdate /force to refresh Group Policies.

Verify the AVD agent is healthy in Services.msc (look for "Remote Desktop Agent Loader").

Microsoft’s official guidance for this scenario is here: AVD requirements for session hosts.

Lets try taht way... let me know how its goes.

rgds,

Alex

Share via

Unable to login to AVD session - Error Code: 0x3000047

2 answers

Your answer