Forum Discussion
Entra ID credentials in Azure Virtual Desktop
Hello,
When Entra ID users want to access their passwords in Chrome/Edge they get a Windows security prompt asking for their credentials.
When they enter their Entra ID username and password, they get the notification that these are wrong.
To test, I tried to run a program as a specific Entra ID user and I get the same issue.
What do Entra ID users enter for those login prompts?
5 Replies
- Chris_toffer0707 (Iron Contributor)
Are users cloud only Entra ID or hybrid identities from local Active Directory synced to Entra ID?
- Vincent_B (Copper Contributor)
Users are cloud only Entra ID users.
- Chris_toffer0707 (Iron Contributor)
I have investigated this further.
The lack of a TPM chip in normal Azure SKUs (you can have a vTPM using Azure Confidential SKUs) blocks the usage of Windows Hello for Business.
Also, when logging into an AVD session host (either via Windows App or browser), Microsoft handles the authentication of the user and then passes a token to the session host, allowing the user to be signed in to the session host. Microsoft does not gather the password and forward it to the session host.
The lack of Kerberos tickets in a setup without Active Directory prevents us from authenticating towards Microsoft Edge Passwords. If Microsoft Edge Passwords did its authentication against Entra ID, it would work. Even when Profile sync including password sync is configured in the Microsoft Edge profile, Microsoft still asks for the password of the signed-in user session. So the bottom line is that you would need to implement a third-party password manager solution like 1Password that supports Entra ID federated authentication.
Please consider this:
- Correct Credentials: Entra ID users should enter their User Principal Name (UPN) (e.g., email address removed for privacy reasons) and the corresponding password. Ensure that the UPN matches the one configured in Microsoft Entra ID.
- Hybrid Identity Considerations: If your AVD environment uses hybrid identities (e.g., synced from on-premises Active Directory), ensure that the UPN in Active Directory matches the UPN in Microsoft Entra ID. Mismatches can cause authentication failures.
- Session Host Configuration: Verify that the session host is either Microsoft Entra joined or hybrid joined. If it's not properly joined, authentication issues can occur.
- Multi-Factor Authentication (MFA): If MFA is enabled, users may need to complete an additional authentication step. Ensure that the Conditional Access policies are correctly configured.
- Cached Credentials: Sometimes, cached credentials on the local machine can interfere. Clearing the credential cache or using a different device to test can help identify if this is the issue.
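The checklist above asks for four facts about the session host: its join state, whether a TPM is present, which UPN the signed-in user actually has, and whether any Kerberos tickets exist. The following PowerShell script is an added diagnostic example (not posted by any participant in this thread and not Microsoft's own tooling) that collects those facts in one run. It assumes a Windows AVD session host with Windows PowerShell 5.1 or PowerShell 7; `dsregcmd`, `whoami` and `klist` ship with Windows, and `Get-Tpm` comes from the built-in TrustedPlatformModule module.

```powershell
# Added diagnostic example for the troubleshooting checklist above (assumption:
# run inside the user's AVD session on a Windows session host).

# 1. Device join state: dsregcmd prints "AzureAdJoined : YES/NO", "DomainJoined : YES/NO"
#    and the tenant name; pick those lines out of its output.
$dsreg = dsregcmd /status
$joinState = [ordered]@{}
foreach ($line in $dsreg) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|TenantName)\s*:\s*(.+)$') {
        $joinState[$matches[1]] = $matches[2].Trim()
    }
}
"Join state:"
$joinState

# 2. TPM presence: Windows Hello for Business needs a TPM. Standard Azure VM SKUs
#    expose none; a vTPM requires a Trusted Launch or Confidential SKU.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    [pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady }
} catch {
    Write-Warning "Get-Tpm failed (no TPM or module unavailable): $($_.Exception.Message)"
}

# 3. The UPN of the signed-in user, which is the value an Entra ID prompt expects.
#    Compare it against the UPN shown in the Entra ID portal for that user.
$upn = whoami /upn 2>$null
if ($upn) {
    "Signed-in UPN: $upn"
} else {
    Write-Warning "whoami /upn returned nothing; this logon does not carry a UPN"
}

# 4. Kerberos tickets: a cloud-only session without Active Directory (and without
#    Cloud Kerberos trust) has no tickets, so a Windows credential prompt that is
#    backed by Kerberos cannot be satisfied with the Entra ID password.
"Kerberos ticket cache (first lines):"
klist 2>&1 | Select-Object -First 8
```

If `AzureAdJoined` is `NO`, the session host is not Entra joined and the "Session Host Configuration" item applies; if `TpmPresent` is `$false`, Windows Hello for Business cannot be used on that SKU, which matches the TPM point made in the reply above; and an empty `klist` cache on a cloud-only host is the expected state, not a misconfiguration.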