Azure Virtual Desktop Web Client – Sign-in Failed After Successful Entra ID Authentication (AzureADJoined VM)
Hello Azure Community,
I’m currently facing a persistent sign-in failure issue when connecting to my Azure Virtual Desktop (AVD) environment. The initial web client login (via https://client.wvd.microsoft.com/arm/webclient) succeeds using Microsoft Entra ID SSO, but when the connection is redirected to the session host, it fails with the message:
“Sign-in failed. Please check your username and password and try again.”
Environment Details
Deployment Type: Azure Virtual Desktop (pooled host pool)
Join Type: Entra ID joined (not hybrid)
VM OS: Windows 11 (non-ARM)
Host Pool Name: HP-Lab-internal
Users: ******@unieyes.in, ******@unieyes.in
Licenses: Microsoft 365 Business Premium + Entra ID P2
Access Method: Web client
Region: East US
Diagnostics (dsregcmd /status output summary)
AzureAdJoined: YES
EnterpriseJoined: NO
DomainJoined: NO
AzureAdPrt: NO
DeviceAuthStatus: SUCCESS
Troubleshooting Performed
Confirmed that users have valid Microsoft 365 Business Premium + Entra ID P2 licenses.
Verified RDP Properties – tested both with and without Microsoft Entra single sign-on.
Added users to Remote Desktop Users group on session host.
Disabled MFA enforcement for affected users.
No active Conditional Access Policies enforcing MFA or device restrictions.
Re-ran dsregcmd /join (successful device join).
Checked Sign-in Logs → shows MFA failure (AADSTS50076 or interaction_required) or status 52006 (credential prompt failed).
Request for Help
Can anyone help me identify why AVD Entra ID–joined session hosts fail at credential handoff even though:
Device registration and join state are successful, and
SSO works at web login, but RDP credential exchange fails?
Is this related to missing Entra Primary Refresh Token (PRT), MFA token handoff, or RDP properties configuration (CredSSP / Entra SSO)?
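As an added example (not part of the original post and not Microsoft tooling), the sketch below parses `dsregcmd /status` text and classifies the join state from the same five fields summarized in the post. The sample text is constructed, and the function names are hypothetical.

```python
# Added example: helper names are illustrative, not from any Microsoft tool.
# Constructed sample shaped like `dsregcmd /status` output. The five values
# mirror the summary in the post; nothing here was captured from a real host.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
          DeviceAuthStatus : SUCCESS
"""

def parse_dsregcmd(text):
    """Return {section: {field: value}} parsed from dsregcmd /status text."""
    sections, current = {}, "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|") and line.endswith("|"):
            current = line.strip("| ")  # section banner, e.g. "Device State"
        elif " : " in line:
            key, _, value = line.partition(" : ")  # split on the first separator only
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def join_type(sections):
    """Classify the join state from the Device State section."""
    state = sections.get("Device State", {})
    aad = state.get("AzureAdJoined") == "YES"
    domain = state.get("DomainJoined") == "YES"
    if aad:
        return "hybrid joined" if domain else "Entra joined"
    return "domain joined" if domain else "not joined"

def findings(sections):
    """List fields from the post's summary that deserve a second look."""
    notes = []
    if sections.get("SSO State", {}).get("AzureAdPrt") != "YES":
        # A PRT belongs to a user session, so this reflects the account that ran the command.
        notes.append("AzureAdPrt is not YES for the account that ran dsregcmd")
    if sections.get("Diagnostic Data", {}).get("DeviceAuthStatus") != "SUCCESS":
        notes.append("DeviceAuthStatus is not SUCCESS")
    return notes
```

To use it on a session host, save the output of `dsregcmd /status` to a text file and pass its contents to `parse_dsregcmd`.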