garymansell
Sep 26, 2024, Brass Contributor
AVD Logins get stuck in loop
We have been suffering intermittent AVD Auth/Login issues to multiple Host Pools for multiple users - the login gets stuck and just loops continually between the Authentication "Just a moment" screen...
garymansell
Oct 23, 2024, Brass Contributor
Hi Michael, thanks for getting back to me. This is a very good point, and I agree that this is an area to be considered as a possible cause, and I have looked into it previously, but...
For my account, which suffers the issue, my legacy user MFA setting is set to "enabled" but never switches to "enforced" - so I don't think it is triggered or used (as otherwise it would be switched from enabled to enforced).
But more clearly, numerous other colleagues who experience this definitely have their MFA setting as "disabled".
So, I don't think it can be this (but it seemed a likely candidate to me too).
michaelkedzior
Oct 23, 2024, Copper Contributor
garymansell Did you exclude the app "Microsoft Azure Windows Virtual Machine Sign-in" in your Conditional Access Policy? (The app may also be named "Azure Windows" or only "Windows Virtual Machine Sign-in".) If you don't exclude this, you may have problems with reading a password from the Edge browser password store. I just want to mention this. 🙂
https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies/fromNav/Identity
If you are using Conditional Access Policies, you have to disable every single user MFA setting. From my knowledge, these settings interfere with Conditional Access in various ways.
Besides this, I'm sorry, but I have no other idea.
Best Regards
Michael
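The two checks Michael suggests (whether the VM sign-in app is covered by an MFA policy, and whether any affected users still have a legacy per-user MFA state) can be audited from PowerShell before changing anything. The script below is an added example and is not from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the listed read-only scopes, and that the beta `/users/{id}/authentication/requirements` endpoint is the source of the per-user MFA state. The user principal names are constructed placeholders.

```powershell
# Added example: audit Conditional Access coverage of the Azure VM sign-in app
# and the legacy per-user MFA state of selected users. Read-only Graph calls.
# Assumption: Microsoft.Graph SDK installed; scopes below are sufficient.
Connect-MgGraph -Scopes "Policy.Read.All","Application.Read.All","UserAuthenticationMethod.Read.All"

# 1. Locate the VM sign-in service principal. The display name varies by tenant
#    (as noted in the thread), so match on the common substring.
$vmSignIn = Get-MgServicePrincipal -All |
    Where-Object { $_.DisplayName -like '*Virtual Machine Sign-in*' } |
    Select-Object -First 1
if (-not $vmSignIn) { throw "VM sign-in service principal not found in this tenant" }
$vmAppId = $vmSignIn.AppId   # Conditional Access references the application (client) ID

# 2. For every Conditional Access policy, report whether it requires MFA and
#    whether the VM sign-in app falls inside its scope (included and not excluded).
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps  = $p.Conditions.Applications
    $grant = $p.GrantControls
    $requiresMfa = ($grant.BuiltInControls -contains 'mfa') -or
                   ($null -ne $grant.AuthenticationStrength.Id)   # auth strength also implies MFA
    $includesVm  = ($apps.IncludeApplications -contains 'All') -or
                   ($apps.IncludeApplications -contains $vmAppId)
    $excludesVm  = $apps.ExcludeApplications -contains $vmAppId
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State            # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa    = $requiresMfa
        CoversVmSignIn = $includesVm -and -not $excludesVm
    }
}
$report | Sort-Object Policy | Format-Table -AutoSize

# 3. Legacy per-user MFA state for the users who see the login loop.
#    Constructed placeholder UPNs; replace with real accounts to audit.
$upns = @('user1@example.invalid', 'user2@example.invalid')
$mfaStates = foreach ($upn in $upns) {
    # Assumption: beta endpoint returns { perUserMfaState: disabled|enabled|enforced }
    $r = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$upn/authentication/requirements"
    [pscustomobject]@{ User = $upn; PerUserMfaState = $r.perUserMfaState }
}
$mfaStates | Format-Table -AutoSize
```

Rows where `RequiresMfa` and `CoversVmSignIn` are both true, combined with any user whose `PerUserMfaState` is not `disabled`, are the combinations Michael's post flags; the script only reports them and changes nothing.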
garymansell
Oct 23, 2024, Brass Contributor
So, for our conditional access policy, we don't have a separate one for AVD - instead we have a single CAP for ALL apps (so AVD App is implicitly included), when the access is from an untrusted network (i.e. not on the corp network) - as the corp policy is for MFA for ALL apps (no exclusions) when accessed externally. My understanding is that for Azure AD joined machines, this should be fine and is needed for SSO into the VM (it certainly works 95% of the time, apart from these occasional glitches).
My best guess is it might be to do with the user MFA settings (as you suggest) as we do still have some set (although not for users that use/have problems with AVD sign-ins).
Thanks for stopping by and taking the time to help, much appreciated.