![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 34%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 6%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
Hii Jampula,
Thank you for reaching out Q/A. In some Azure Virtual Desktop (AVD) deployments where the session hosts are domain-joined to on-premises Active Directory Domain Services (AD DS)—including hybrid environments synchronized using Azure AD Connect—connection issues can occur if the Host Pool RDP property “Azure AD authentication” is enabled without the required Kerberos configuration in place.
When this setting is enabled, AVD attempts to authenticate the session using Microsoft Entra ID. If the environment is not fully configured to support this (for example, if the Kerberos Server Object that bridges Entra ID and AD DS is missing), the login may fail even though the virtual machine itself is reachable. This can result in errors such as:
The remote PC ended your session, if this keeps happening, please ask your admin or tech support for help,
Please Check the Following
- In Azure Portal → Host Pool → RDP Properties
- Verify whether Azure AD Authentication is enabled.
- If enabled, temporarily disable it and test the connection.
- Confirm your session hosts are:
- Domain-joined to AD DS (on-prem or IaaS DC)
- Synced using Azure AD Connect (Hybrid Identity).
- If you intend to use Azure AD authentication, ensure the Kerberos Server Object is configured to allow Entra ID authentication with AD DS.
Reference:
Additional Troubleshooting Steps
Verify User Access to AVD Application Groups Ensure the affected user is properly assigned to the required AVD roles/resources:
Get-AzRoleAssignment -SignInName <userUPN>
Clear Cached Credentials Ask the user to sign out from the AVD client (web/desktop), clear cached credentials or browser cache, and reconnect.
Review Conditional Access Policies Confirm that Conditional Access or MFA policies are not inadvertently blocking AVD sign-in. Please check especially for policies applied broadly (for example, to “All Cloud Apps”).
Check Network / Firewall Connectivity Validate there are no recent network, proxy, or firewall changes that could be interfering with authentication or connectivity.
To help us narrow this down further, could you please confirm:
- Has the affected user been granted the necessary access to the AVD application group and VM?
- Are there any Conditional Access policies that might be restricting this user?
- Is the issue affecting multiple users, or is it isolated to a specific user?
- Have you tested the connection from a different device or network?
- Were there any recent changes to identity configuration, host pool settings, or security policies?
- Users are Entra-id login users?
