Forum Discussion

KevinDeSchrijver
Copper Contributor
Oct 14, 2022

AVD - Pooled VMs - Outlook Authentication issue

Setup:

Latest Gallery image Win10+O365 Apps. A few older AVD setups as well, but all with the preset registry setting to block WorkplaceJoin, which used to give the same result as this case for basically any setup.

Azure AD Hybrid Joined Devices

Single-Sign On Configured and working

FSLogix implemented and working

MFA implemented and working

What does work?

As long as you restrict yourself in Outlook to the signed-in user, everything works fine. You are never presented with a requirement to log in when you roam to another VM. Seems logical, as SSO kicks in if Outlook should need authentication.

What doesn't work?

The trouble starts when you add a second O365 account to Outlook. This can simply be another account in the same tenant or an account in a totally different tenant. It doesn't make a difference. For this account SSO doesn't kick in, and it shouldn't. It doesn't cause any issues we can detect within Office apps such as Word/Excel/PowerPoint. As in: accounts appear to be active within those apps and we can still access the OneDrive/SharePoint locations. The problem is Outlook when you roam to another VM after a given amount of time. We get the notorious "Need password" and the authentication window briefly pops up but disappears, and Outlook remains in this state. No way to get the Modern Authentication handled from within Outlook anymore on any VM except the VM used when the second account was first added (more on that later).

What are stop-gaps that do "fix" it?

Two things "fix" it:

1) Sign out from the non-SSO account in Word/Excel/PowerPoint and then sign back in from that app. When you open Outlook afterwards there is no password prompt and everything works as expected for a few hours/days.

2) Force a log on to the VM used for the very first log on performed for the non-SSO user. Then everything starts working again without performing the procedure in step 1. If you log back out from that "original" VM, everything works on all VMs again. That works again for a couple of hours/days and then breaks again.

A hypothesis:

The token you get after doing a Modern Authentication, which should prevent future prompts, contains the device ID. This roams along with FSLogix to another VM but breaks, as the device ID is no longer the same. As long as the broken auth token is for the SSO user this doesn't matter, as SSO kicks in and performs a completely new auth. If this is the case I don't see any resolution other than a design change from MS. But the question is if the setup IS the problem. Does anyone else have a pooled AVD setup with multiple VMs AND external O365 mail accounts added to Outlook? Or is this simply "not supported"? If someone wants to test it out: it works for a day or two after adding the second account. It breaks if you haven't logged on to the initial VM in a while. Naturally this problem gets worse as you add more and more VMs to the pool, as the likelihood of you logging on to that original VM gets less and less.
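The hypothesis above turns on three facts that can be read directly off each session host: the per-host Azure AD device ID, whether the WorkplaceJoin block policy is in place, and which Office identities the roaming profile carries. The following diagnostic is an added example, not code from the original post or from Microsoft; it assumes the "preset Registry setting" refers to the `BlockAADWorkplaceJoin` policy value and that Office 16.x stores signed-in identities under `HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities`. Run it in the user's session on two hosts of the pool and compare the output: the identity list should be identical (it roams with FSLogix) while the device ID differs per host.

```powershell
# Added diagnostic (not part of the original post). Run in the affected user's
# session on each AVD session host, e.g. via Invoke-Command against the pool.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of 'dsregcmd /status' into a hashtable.
    # Section banners (+----) and blank lines do not match and are skipped.
    $result = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+)$') {
            $result[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Get-WorkplaceJoinPolicy {
    # Policy value that blocks automatic Azure AD registration of the host.
    # Assumption: this is the registry setting the post refers to.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $item = Get-ItemProperty -Path $path -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return $item.BlockAADWorkplaceJoin
}

function Get-OfficeIdentities {
    # Office identities live in HKCU, which FSLogix roams with the user, so this
    # list is expected to be the same on every host while DeviceId is not.
    $path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities'
    if (-not (Test-Path $path)) { return @() }
    Get-ChildItem -Path $path | ForEach-Object { $_.PSChildName }
}

$status = Get-DsregStatus
[pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    DeviceId              = $status['DeviceId']
    AzureAdJoined         = $status['AzureAdJoined']
    DomainJoined          = $status['DomainJoined']
    BlockAADWorkplaceJoin = Get-WorkplaceJoinPolicy
    OfficeIdentities      = (Get-OfficeIdentities) -join ', '
} | Format-List
```

If `DeviceId` differs between hosts while `OfficeIdentities` lists the second, non-SSO account on both, that is consistent with a cached token bound to the device where the account was first added; if `BlockAADWorkplaceJoin` reads "not set" on some hosts, the pool is not configured uniformly and that should be fixed before drawing conclusions.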