AVD Logins get stuck in loop
We have been suffering intermittent AVD Auth/Login issues to multiple Host Pools for multiple users - the login gets stuck and just loops continually between the Authentication "Just a moment" screen, and then initiating/configuring/securing remote connection dialog box.
It occurs on a per user basis (others can login to the same VMs perfectly fine) and it seems to be related to Entra MFA (we have a conditional access policy to enforce MFA for users when not on Corp. network). We use EntraID joined AVD Session Hosts (not attached to Corp. network) and the remote user end-points are hybrid Domain joined (can be connected to Corp. network, offsite direct to Internet, or offsite with FortiClient VPN to Corp. network).
This issue does not seem to affect users who wholly work offsite (and always hit the conditional access policy for MFA?). But, it does affect our users who access the AVD System from both onsite and offsite.
It happened to me yesterday when I was onsite (so I was not being prompted for MFA), so I disconnected from the Corp. network and connected via my Mobile Phone Hotspot (to force MFA prompt) - and the login ran through fine, and when I then connected back to the Corp network, I could login fine.
What confuses me, is that being onsite on the Corp. network should not require an MFA, so why does disconnecting from the Corp. network and forcing the MFA prompt fix the issue - MFA should not come into things when accessing from onsite, surely?
One thing comes to mind - that MFA uses a 90 day token so you don't get prompted all the time. I wonder if this token has expired (and hence is not renewed as you are logging in from onsite with no requirement for MFA), and that this expired MFA token is preventing the login until it is forcibly renewed by performing an MFA login?
It also seems to be specific to a session host - whilst I get the login loop trying to login to one AVD Host Pool/Session Host, I can login perfectly fine to others. So, does the Session Host cache the MFA token that has perhaps expired?
I think I may have seen situations with users, where this login loop occurs and if you then just leave it and then try and re-connect a few hours later, you can then login again fine (so maybe it is to do with AD / Entra Connect Sync delays)?
Any ideas or suggestions why this is happening and how to fix it would be greatly appreciated - as trying to run an Enterprise AVD System that every now and then users cannot get into is far from ideal!
Regards
Gary
- JPTeddy52 (Copper Contributor)
I know this is an old post but I wanted to share what we found in case someone looks here.
We had this issue with session hosts that were created from an image where the imaging vm had entra authentication enabled. We had to go back to an older version of the image and redo the changes without it touching entra. Building any session host would cause that endless loop login for a lot of users.
- stevenpsiu (Copper Contributor)
While browsing the internet, stumbled upon this page, which points the finger to protected built-in AD groups:
https://www.detechnischejongens.nl/actueel/resolving-authentication-loop-with-single-sign-on-for-azure-virtual-desktop-using-microsoft-entra-id-authentication#:~:text=To%20resolve%20the%20authentication%20loop%20issue%2C%20the%20solution,list%20all%20protected%20accounts%20in%20your%20Active%20Directory.
The troubled user that I have did have an Account Operators membership. We removed the group membership and are waiting for user feedback.
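As an added example (not from the thread or the linked article), this PowerShell check finds whether an AD user sits in an AdminSDHolder-protected group, directly or through nesting, or still carries adminCount=1; it assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, and the account name 'jdoe' is a placeholder.

```powershell
# Added example, not from the thread: check whether an AD user is in an
# AdminSDHolder-protected group (directly or via nesting) or already carries
# adminCount=1, the condition the linked article ties to the SSO login loop.
# Assumes the ActiveDirectory RSAT module on a domain-joined admin workstation.
Import-Module ActiveDirectory

# Default set of groups protected by AdminSDHolder in a standard domain.
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side, so a
    # user protected through a nested group is caught too.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $hits = @($groups | Where-Object { $ProtectedGroups -contains $_.Name })

    [pscustomobject]@{
        User            = $user.SamAccountName
        # adminCount stays at 1 after the user leaves the group; AdminSDHolder
        # does not clear it, so check the attribute as well as the membership.
        AdminCount      = $user.adminCount
        ProtectedGroups = ($hits.Name -join ', ')
        Affected        = ($user.adminCount -eq 1) -or ($hits.Count -gt 0)
    }
}

# Single-user check; 'jdoe' is a placeholder account name.
Get-ProtectedGroupMembership -SamAccountName 'jdoe' | Format-List

# Bulk view: every account the domain currently treats as protected, which is
# the list the article recommends reviewing before removing memberships.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, Enabled, DistinguishedName |
    Sort-Object SamAccountName
```

If a user is removed from a protected group, the adminCount attribute also needs clearing and permission inheritance re-enabling on the object, otherwise the account still reads as protected.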
- garymansell (Brass Contributor)
I was really hopeful that this might be the cause of my issue, but after further investigation neither my own, nor some other normal user accounts that I have seen this occur with are in Protected Groups. Thinking on it further - the fact that it is intermittently rather than always suffering the logging loop probably also discounts this.
Very much appreciate you posting to the thread - it might be useful to others.
- michaelkedzior (Copper Contributor)
garymansell I had a similar problem. Try to disable legacy user MFA settings if you are using conditional access rules for mfa.
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/MultifactorAuthenticationConfig.ReactView/tabId/users
I have conditional access rules, and before I disabled user MFA I had the same error.
Best Regards
Michael
- garymansell (Brass Contributor)
Hi Michael, thanks for getting back to me. This is a very good point, and I agree that this is an area to be considered as a possible cause, and I have looked into it previously, but...
For my account, which suffers the issue, my legacy user MFA setting is set to "enabled" but never switches to "enforced" - so I don't think it is triggered or used (as otherwise it would be switched from enabled to enforced).
But more clearly - numerous other colleagues who experience this definitely have their MFA setting as "disabled"
So, I don't think it can be this (but it seemed a likely candidate to me too).
- michaelkedzior (Copper Contributor)
garymansell Did you exclude the App "Microsoft Azure Windows Virtual Machine Sign-in" in your Conditional Access Policy? (The App may also be named Azure Windows or only Windows Virtual Machine Sign-in.) If you don't exclude this, you may have problems with reading a password from the Edge browser password store. I just want to mention this. 🙂
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies/fromNav/Identity
If you are using Conditional Access Policies, you have to disable every single user MFA setting. From my knowledge, these settings interfere with Conditional Access in various ways.
Besides this, I'm sorry but I have no other idea.
Best Regards
Michael
- garymansell (Brass Contributor)
Bump...
- jefferson_zanini (Copper Contributor)
garymansell I'm not entirely sure this is the same case, but in my scenario, we had to Hybrid Join the AVDs (where clients have on-prem AD). This fixed the sign in issues for us. Apparently MS changed the way AVDs authenticate, but I can't find the documentation here, sorry.
- garymansell (Brass Contributor)
Hi, thanks for getting back to me, but these AVD Session Hosts cannot be Hybrid joined as they don't have line of sight to an on-prem DC.
It is my understanding (and this works fine 99% of the time) that Hybrid joined end-points can AVD to EntraID (only) joined Session Hosts...