One user in Azure Virtual Desktop getting "Disconnected. Sign in failed." in Web app.

Question

One user in Azure Virtual Desktop getting "Disconnected. Sign in failed." in Web app.

Sarah Knickerbocker 0

We have one user in our Entra environment that is unable to login to our Hostpool. They get to the point where they accept all of the pop-ups and make the final connection before getting rejected.

No other users are have the same issue and all of the VDI machines accept new connections without issue.

users are synced to Entra using Entra sync from on-prem AD
Users connect to the VDI using the web app
OS of the VDI machines is windows 11 22H2 and up to date on all patches.

There are no conditional access or MFA settings on this user that would impact them, and the Entra sign-in logs all show success.

Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-09T21:37:53.1766667+00:00
Hello Sarah,

Thank you for sharing the details regarding the Azure Virtual Desktop connection issue.

Based on the information provided, the user is able to successfully authenticate with Microsoft Entra ID and the sign-in logs indicate that the authentication request is successful. However, the connection fails during the final stage when the Azure Virtual Desktop session is being established, resulting in the “Disconnected. Sign in failed.” message.

Since other users are able to connect successfully to the same host pool and session hosts, the behavior appears to be related to session initialization or host pool configuration impacting this user

To further isolate the issue, could you please verify the following:

1. Test connection using the Web Client:

Please confirm whether the affected user is able to connect using the Azure Virtual Desktop Web Client: https://client.wvd.microsoft.com/arm/webclient

This helps determine whether the issue is client‑specific or related to session host or host pool configuration.

Reference: Use the Remote Desktop client to connect to Azure Virtual Desktop

2. Verify Application Group Assignment:

Ensure the affected user (or the group they belong to) is assigned to the correct Azure Virtual Desktop Application Group associated with the host pool. Azure Portal → Azure Virtual Desktop → Host Pool → Application Group → Assignments

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/publish-applications-stream-remoteapp?tabs=portal

3. Confirm the user has at least one of the following roles assigned at the VM or Resource Group level:

Virtual Machine User Login or Virtual Machine Administrator Login

4. Check for Existing or Disconnected Sessions

Navigate to Host Pool → Session Hosts → Sessions If the user has an existing active or disconnected session, please sign out the session and attempt the connection again.

5. Verify Host Pool RDP Properties:

Navigate to Host Pool → Settings → RDP Properties and ensure the following custom RDP property is configured if the session hosts are Microsoft Entra ID joined: targetisaadjoined:i:1

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties#targetisaadjoined

6.Verify Host Pool Authentication Settings:

Under Host Pool → RDP Properties → Connection Information, confirm the authentication configuration is appropriate for the environment. In some cases, enabling Azure AD authentication with Single Sign-On can help resolve session establishment issues.

Reference: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID

Validate User Credential Format When logging in using Microsoft Entra accounts, ensure the credentials are entered using the correct format: AzureAD******@domain.com

Microsoft Entra joined session hosts in Azure Virtual Desktop

Since users are synchronized from on-premises Active Directory:

Ensure there are no duplicate accounts with the same UPN.

On the session host, run the following command to confirm the device join status:

dsregcmd /status

Ensure AzureAdJoined = YES if the session hosts are expected to be Microsoft Entra ID joined.

Reference: Troubleshoot Microsoft Entra hybrid joined devices

Troubleshoot devices by using the dsregcmd command

Troubleshoot connections to Microsoft Entra joined VMs

Hope this helps! Please let me know if you have any queries.

Could you please check the private message and provide necessary details
Sarah Knickerbocker 0 Reputation points

2026-03-09T23:11:12.16+00:00
The user has the same experience using both the Web and App.

The user has all the permissions necessary and inherits them by membership in an EntraID group he shares with all the successfully authenticating users.

Same answer as #2

No disconnected sessions. User has never been able to fully establish connection due to auth failures

We do not use the "targetisaadjoined:i:1" setting. As per this doc, we use "enablerdsaadauth:i:1", which is the newer setting.

Host pool Already uses "Connections will use Microsoft Entra authentication to provide single sign-on"

User is using their correct UPN (as evidenced by basic authentication through Entra that allows them to access the first stage of authentication)

The user's UPN is unique.

Again - all the VMs are accepting connections fine, all other users are connecting via SSO fine. This is an error isolated to one user. The event logs of the VMs the user is trying to connect to also show no authentication failures.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-10T01:42:36.11+00:00
Thank you for the details regarding the sign-in issue. The user successfully authenticates with Microsoft Entra ID, and all other users can connect to the same host pool without issues. This indicates the problem is isolated to this user and occurs during session initialization, he AVD environment and host pool are functioning correctly, so this is likely caused by user-specific client or session/profile settings.

To resolve the issue, please follow these steps:

Have the user sign out of all Microsoft accounts on their device, clear browser cache if using the Web client, and remove any stored RDP credentials from Windows Credential Manager.

If possible, test the connection from a different device or browser to rule out local client-side issues.

On the session host, if a profile already exists for the user, rename or temporarily remove it and retry the connection.

Ensure the user’s device is properly registered with Entra by running: dsregcmd /status

For more details and guidance, please refer to the following documentation to check the entra details:

Troubleshoot Microsoft Entra hybrid joined devices

Troubleshoot devices by using the dsregcmd command

Troubleshoot connections to Microsoft Entra joined VMs

As an additional troubleshooting step, you may temporarily add the RDP property targetisaadjoined:i:1 at the host pool level and retry the connection.

Please proceed with the above steps and share the results. Thanks
Sarah Knickerbocker 0 Reputation points

2026-03-10T15:04:11.0966667+00:00

User experiences the same behavior on known good hardware with a clean browser cache. User has no profile on any of the VMs as they were never able to fully authenticate.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-10T15:44:57.2366667+00:00

Sarah Knickerbocker, Could you please check the private message and provide necessary details

2 answers

Your answer

Sarah Knickerbocker 0 Reputation points

2026-03-09T23:11:12.16+00:00

The user has the same experience using both the Web and App.

The user has all the permissions necessary and inherits them by membership in an EntraID group he shares with all the successfully authenticating users.

Same answer as #2

No disconnected sessions. User has never been able to fully establish connection due to auth failures

We do not use the "targetisaadjoined:i:1" setting. As per this doc, we use "enablerdsaadauth:i:1", which is the newer setting.

Host pool Already uses "Connections will use Microsoft Entra authentication to provide single sign-on"

User is using their correct UPN (as evidenced by basic authentication through Entra that allows them to access the first stage of authentication)

The user's UPN is unique.

Again - all the VMs are accepting connections fine, all other users are connecting via SSO fine. This is an error isolated to one user. The event logs of the VMs the user is trying to connect to also show no authentication failures.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-10T01:42:36.11+00:00

Thank you for the details regarding the sign-in issue. The user successfully authenticates with Microsoft Entra ID, and all other users can connect to the same host pool without issues. This indicates the problem is isolated to this user and occurs during session initialization, he AVD environment and host pool are functioning correctly, so this is likely caused by user-specific client or session/profile settings.

To resolve the issue, please follow these steps:

Have the user sign out of all Microsoft accounts on their device, clear browser cache if using the Web client, and remove any stored RDP credentials from Windows Credential Manager.

If possible, test the connection from a different device or browser to rule out local client-side issues.

On the session host, if a profile already exists for the user, rename or temporarily remove it and retry the connection.

Ensure the user’s device is properly registered with Entra by running: dsregcmd /status

For more details and guidance, please refer to the following documentation to check the entra details:

Troubleshoot Microsoft Entra hybrid joined devices

Troubleshoot devices by using the dsregcmd command

Troubleshoot connections to Microsoft Entra joined VMs

As an additional troubleshooting step, you may temporarily add the RDP property targetisaadjoined:i:1 at the host pool level and retry the connection.

Please proceed with the above steps and share the results. Thanks
Sarah Knickerbocker 0 Reputation points

2026-03-10T15:04:11.0966667+00:00

User experiences the same behavior on known good hardware with a clean browser cache. User has no profile on any of the VMs as they were never able to fully authenticate.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-10T15:44:57.2366667+00:00

Sarah Knickerbocker, Could you please check the private message and provide necessary details

Answer 1

Hello @Sarah Knickerbocker ,

First, assign the Virtual Machine User Login role to the user. Additionally, ensure that the user is included in the Application Group assignments.

User's image

To troubleshoot AVD VM that are in a Running state but report a Shutdown health status, begin by restarting the VM from the Azure portal to resolve any potential state inconsistencies. Additionally, verify the Azure VM Agent status to ensure it is running and up to date. If issues persist, consider resetting or upgrading the agent following the recommended steps provided in the Azure documentation.

In the Azure portal, go to AVD VM > Select Access Control (IAM) > Select Role Assignments > Confirm that the user account has been granted either the Virtual Machine User Login or Virtual Machine Administrator Login role.

Ensure that the RDP property targetisaadjoined:i:1 was added to the AVD host pool. To do this, navigate to the Azure portal > Select the host pool configured for Azure AD Join > Select the RDP Properties blade > Select the Advanced Tab > Add targetisaadjoined:i:1.

Disable security defaults by navigating to Entra ID > Manage > Properties > Manage Security Defaults > Disable.

Add Conditional Access policies to exclude the VM from MFA by adding the user.

Enable Conditional Access policies and exclude the users and groups as needed.

Hope this helps! Please let me know if you have any queries.

Nikhil Duserla 9,690 Reputation points Microsoft External Staff Moderator

2026-03-24T08:06:02.4933333+00:00

Hello @Sarah Knickerbocker ,

Thank you for joining the call.

As recommended, a new VM was created with Microsoft Entra ID join. You are able to access the newly created VM; however, unable to log in with JD credentials. This may be related to user credentials, as we observed an issue during the sign-in attempt.

Please reset the password and try signing in again. Additionally, verify that all required permissions are correctly assigned to the user.

As discussed, you will also be creating a new user account under the name JD.

Answer 2

Alex Burlachenko 20,425 MVP Volunteer Moderator

Hi Sarah,

since only one user is affected and Entra sign in logs show success, this is almost certainly not an authentication problem at Azure level. It is happening after token validation when AVD tries to create the session on the session host.

This error usually means one of these

1.The user is not properly assigned to the Application Group linked to the Host Pool. See the exact app group and confirm the user or a group they belong to is assigned.

2.The user profile is corrupted on the session host. If you are using FSLogix, check the profile container. Try deleting or renaming the users profile folder or VHDX and let it recreate. Corrupted profiles often cause instant disconnect after authentication.

3.The user account has restrictions on the session host, such as not being in Remote Desktop Users group locally, or being denied log on through Remote Desktop Services via local policy or GPO.

4.There could be a broken SID mapping if the user was recently recreated in on prem AD and synced again. If the SID changed, the session host may not map permissions correctly.

Check Event Viewer on one of the session hosts under Applications and Services Logs > Microsoft > Windows > TerminalServices and also Security log for failed logon attempts.

Since all other users work and host pool is healthy focus on that specific user account and profile. In most cases like this it turns out to be a corrupted FSLogix profile or missing app group assignment.

rgds,

Alex

Sarah Knickerbocker 0 Reputation points

2026-03-12T16:45:24.8433333+00:00
User is confirmed to be assigned to the hostpool and the VM's Virtual Machine User Login role.

We are not using FSLogix profile management of any of our users. The user has no profile folder on any of the VDI machines since they can never get to the login step of loading a profile.

User is explicitly listed in the Remote Desktop Users group on the VMs. Still cannot log in. (there is actually an windows event showing that it added that user to the group during the login process).

User is synced from on-prem AD. SID listed in AD matches the "On-premises security identifier" property in Entra, as does the UPN. This user was created only once.

Additionally:

I recreated all the VDI machines from a known good image and the problem persists.

There are no entries in the VM's event logs in the Terminal Services logs that reference the user (likely because they never completed authentication).

There is a audit failure event on the VM's Security event log that shows the user was denied access but there is no reason given. There are no other failures before that event in the security log related to the user's login event.

The Entra Sign-in logs from today show one failure from "Windows App - Web" with Sign-in error code "50206", but is immediately followed 3 seconds later by a successful login to "Windows App - Web". However - This mirrors behavior seen in sign-in logs of users that successfully log in to the windows app.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-12T19:37:30.95+00:00
Thank you for the updates and for ruling out so many things thoroughly.

Based on our investigation, the silent audit failure in the Security event log is pointing us toward a Group Policy setting called "Deny log on through Remote Desktop Services," which could be silently blocking this specific user on the session host side.

To dig into this, we would like to go through the following checks on one of your session hosts:

Review the local policy settings on the session host under User Rights Assignment

Run a GPO Resultant Set report (gpresult) to see exactly which policies are being applied.

Cross-check the affected user's group memberships against any deny policies

These steps are straightforward but are easiest to walk through together in real time to make sure we are looking in the right place.

Would you be available for a quick call so we can go through this together? Please let us know a time that works best for you, and we will get it scheduled right away.

Share via

One user in Azure Virtual Desktop getting "Disconnected. Sign in failed." in Web app.

2 answers

Your answer