Forum Discussion
PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
We are excited to announce the public preview of Azure AD joined VM support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure portal and access them from all clients. VMs can also be automatically enrolled in Intune for ease of management. Support for storing FSLogix profiles on Azure Files will be available in a future update.
Getting started:
The documentation to deploy Azure AD joined session hosts will guide you through the key steps needed to enable this functionality.
- jonwbstr24 (Brass Contributor)
DavidBelanger Wohoo!
How does this fit with the recent announcement about Cloud PC?
https://www.youtube.com/watch?v=V14Ia2uwrtk
Trying to figure out if we are better off with AVD "Personal" machines vs. a Cloud PC.
- MarcelMeurerDE (Copper Contributor)
I'm also interested in having a good story to consult customers on using AVD (flexibility) and Windows 365 (simplicity). I guess that one important point is the price of W365 (which I don't know).
- MarcelMeurerDE (Copper Contributor)
That's pretty cool, even for cloud-only companies. I used the evening to build it into my community tool 😃
DavidBelanger
Can someone please explain this statement from the documentation?
"Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs." The whole point of setting up Azure AD joined VMs for me is to achieve single sign-on end-to-end, including my apps like Office, Teams etc.
FYI, SUPER DUPER excited to get rid of domain controllers now! This is great progress. Loving it.
- jonwbstr24 (Brass Contributor)
I believe the correct answer is, "This preview version ... Certain features might not be supported or might have constrained capabilities." When it leaves preview, or during the preview, that capability might be added.
- DavidBelanger (Microsoft)
End-to-end single sign-on is definitely something we are working on but isn't available in the first release due to the protocol we are using. We know how important that feature is.
- Peter Meuser (Copper Contributor)
David, I am looking to use AVD AAD joined as the base for a secure virtual workstation. Would it be an appropriate secure setup if admins are asked for MFA for all cloud apps excluding "Azure Windows VM sign-in"? Therefore, would an attacker be able to bypass MFA to access the virtual desktop?
- Jace_A (Copper Contributor)
JasjitChopra I think it means that users will get prompted to log in twice: once to the service, once to the VM.
- amal_azurewvd (Copper Contributor)
DavidBelanger Hi, I created a new host pool with AAD; it is a validation host pool. I tried to access the AVD but am getting a "login attempt failed" error. I am trying to log in to the Azure AD VM with my UPN. I have added myself to the "Virtual Machine User Login" RBAC role but still no luck. Anyone experiencing the same issue?
- patrickhurt (Copper Contributor)
amal_azurewvd I have the same issue. I followed all the steps at this location and still got the error.
- amal_azurewvd (Copper Contributor)
I finally got it working from the web client. I added targetisaadjoined:i:1 into the custom RDP properties and it started working.
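The two host-pool-side fixes mentioned in the posts above (the targetisaadjoined:i:1 custom RDP property and the "Virtual Machine User Login" role) can be applied and verified with Az PowerShell. This is an added example, not code from the thread or from Microsoft; the resource group, host pool and UPN values are placeholders, and it assumes the Az.DesktopVirtualization and Az.Resources modules are installed and Connect-AzAccount has been run with rights to update the host pool and assign roles.

```powershell
# Added example (not from the original thread). Placeholders below are assumptions.
$ResourceGroup = 'rg-avd-aadj'            # assumption: your AVD resource group
$HostPoolName  = 'hp-aadj-validation'     # assumption: your host pool name
$UserUpn       = 'alice@contoso.com'      # assumption: the user who should sign in

# 1. Merge targetisaadjoined:i:1 into the existing custom RDP properties.
#    The value is a semicolon-separated list; add the flag only if it is missing
#    so existing properties (e.g. redirection settings) are preserved.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$props = @()
if ($hostPool.CustomRdpProperty) {
    $props = @($hostPool.CustomRdpProperty -split ';' | Where-Object { $_ -ne '' })
}
if ($props -notcontains 'targetisaadjoined:i:1') {
    $props += 'targetisaadjoined:i:1'
}
$newProps = ($props -join ';') + ';'
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
    -CustomRdpProperty $newProps | Out-Null
Write-Host "Custom RDP properties now: $newProps"

# 2. Grant the Azure RBAC role the Azure AD logon to the VM requires.
#    Scoping to the resource group covers every session host in the pool;
#    use an individual VM resource ID as $scope for least privilege per host.
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$existing = Get-AzRoleAssignment -SignInName $UserUpn -Scope $scope `
    -RoleDefinitionName 'Virtual Machine User Login' -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -SignInName $UserUpn -Scope $scope `
        -RoleDefinitionName 'Virtual Machine User Login' | Out-Null
    Write-Host "Assigned 'Virtual Machine User Login' to $UserUpn at $scope"
} else {
    Write-Host "$UserUpn already holds 'Virtual Machine User Login' at $scope"
}

# 3. The VM login role alone does not publish anything to the user: the feed
#    comes from 'Desktop Virtualization User' on the application group(s) of
#    this host pool. Report whether that assignment is in place too.
Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup |
    Where-Object { $_.HostPoolArmPath -like "*/$HostPoolName" } |
    ForEach-Object {
        $has = Get-AzRoleAssignment -SignInName $UserUpn -Scope $_.Id `
            -RoleDefinitionName 'Desktop Virtualization User' -ErrorAction SilentlyContinue
        '{0}: Desktop Virtualization User = {1}' -f $_.Name, [bool]$has
    }
```

Note that "Virtual Machine User Login" grants an interactive logon as a standard user; do not reach for "Virtual Machine Administrator Login" to make a sign-in problem go away, since that makes every affected user a local administrator on the session host.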
- Chris_Gilles_1337 (Copper Contributor)
I'm encountering "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your administrator" when attempting to authenticate with an M365 user account to an AAD joined session host. I'm able to click "OK", get back to the login prompt and log in with the local administrator account, though.
I also have targetisaadjoined:i:1 in the RDP properties...
Anyone encountering this?
- Chris_Gilles_1337 (Copper Contributor)
I believe I figured this out. We have a conditional access policy for all cloud apps: RequireDuoMFA. After removing the user account from the associated security group AND from the Duo Security console, I was able to authenticate.
Microsoft, can this be fixed?
- Peter Meuser (Copper Contributor)
Chris_Gilles_1337 You just need to exclude "Azure Windows VM Sign-in" from the CA policy requiring MFA, besides the already mentioned RDP settings. At least this worked for me.
- Xandven_ (Copper Contributor)
Will Intune now work with pooled host pools as well? https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop states that only VMs set up as personal desktops can be managed with Intune. If pooled host pools are not supported, what are the plans to support this configuration as well?
- Peter Meuser (Copper Contributor)
Xandven_ Your source is at least outdated. The latest technical information about the public preview can be found here: https://docs.microsoft.com/de-de/azure/virtual-desktop/deploy-azure-ad-joined-vm
I have both personal and pooled VMs in my lab set up AAD joined and Intune managed. Compliance policies are applied to both types correctly, so that you can evaluate them in CA policies accordingly.
So, my answer is not an official Microsoft one, but from all these observations I would say: yes, host pools can be Intune managed in this public preview.
- PaulGMVP (Steel Contributor)
Hi guys,
I'm experiencing an error when trying to connect to my AADJ VM using the Remote Desktop app.
Prereqs are all met:
- the device from which I try the connection is AAD joined to the same tenant
- the Remote Desktop app user is added via IAM with the AVD User Login role
- targetisaadjoined:i:1 added to the RDP advanced properties
- validation env checked
What else can be missing?
I can only access my VM from the web client; there is no error there and it works from every device.
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : VM-AzureAD-0
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 2b4f6a7b-02ab-4cb5-a220-1fdde507e7e4
                Thumbprint : 4C5F4A2D4D8D55093DDE48F7453621FE8382F2B9
 DeviceCertificateValidity : [ 2021-07-19 11:01:49.000 UTC -- 2031-07-19 11:31:49.000 UTC ]
            KeyContainerId : 21313e88-443a-4391-b4ca-dcdda5e9ee38
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
          DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : xxxxxx
                  TenantId : xxxxxx
                       Idp : login.windows.net
               AuthCodeUrl : https://login.microsoftonline.com/xxx
            AccessTokenUrl : https://login.microsoftonline.com/xxxx/oauth2/token
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
               SettingsUrl :
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/xxx/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/xxx/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {xxxx} (AzureAd)
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-07-19 14:45:18.000 UTC
      AzureAdPrtExpiryTime : 2021-08-02 14:45:17.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/xxx
             EnterprisePrt : NO
    EnterprisePrtAuthority :
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
        AadRecoveryEnabled : NO
    Executing Account Name : xxxxx
               KeySignTest : PASSED
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
               Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision
For more information, please visit https://www.microsoft.com/aadjerrors
- tch0704 (Copper Contributor)
DavidBelanger I failed to create a host pool with Azure AD joined VMs. Every time I got the message:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows'. Error message: \"AAD Join failed.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "}]}
I tried on 2 different Azure tenants and from different PCs and got the same result. What did I miss?
- munich0815 (Copper Contributor)
tch0704 I had the same problem. The issue was that I had enabled the option to use Intune device management without having an Intune license in place. Disabling the option solved it.
- tch0704 (Copper Contributor)
Yes, it works after I turn off the Intune option. However, the user accounts actually have an Enterprise Mobility + E5 license. Can I enable Intune after the host pool is created?
- Nikonline (Copper Contributor)
DavidBelanger Perhaps you need to highlight to users that this solution doesn't support MFA, which to me is a major blocker. I had to disable MFA-related CA policies (organisation-wide) to leverage AAD joining and Intune enrolment at the time of deployment. Any advice on security?
- Peter Meuser (Copper Contributor)
Nikonline You should be able to switch from the global setting "Require Multi-Factor Authentication to register or join devices with Azure AD" to a more recent approach based on a targeted CA policy for "Microsoft Intune Enrollment", which enforces MFA without sacrificing security.
- Nikonline (Copper Contributor)
As I mentioned, I had to disable CA policies that involved MFA. How can we secure access to VMs without MFA? Unless there is something that I am missing.
- Richard Harrison (Copper Contributor)
DavidBelanger We've managed to set this up with PIN access just fine; everything looks good. However, when using username/password it just won't work. I've read all the stuff around CA policies potentially causing this, but adding the users to CA exclusion groups has no effect and there is no kind of error/failure logged at all in the AAD sign-in logs. Is there any other potential cause here? Can I get more debug out of the sign-in process to see where the issue actually lies?
So to confirm: username/password gets the message below; PIN works fine.
Thanks,
Rich
- Richard Harrison (Copper Contributor)
Oh, and to confirm, we do have targetisaadjoined:i:1 set in the RDP properties.
- DavidBelanger (Microsoft)
Richard Harrison Looks like the CA policy is still triggering. Have you tried adding the "Azure Windows VM Sign-In" app to the exclusion list to confirm you can get past the issue? Once confirmed, we can review why adding the users to the exclusion list isn't working.
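Both Peter Meuser's fix earlier in the thread and DavidBelanger's suggestion just above come down to the same check: is there an enabled Conditional Access policy that requires MFA, targets all cloud apps (or this app specifically), and does not exclude "Azure Windows VM Sign-In"? The following read-only audit script, added here and not code from the thread or from Microsoft, lists exactly those policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and the signed-in account can consent to Policy.Read.All and Application.Read.All; the app is resolved by display name rather than by a hard-coded application ID.

```powershell
# Added example (not from the original thread). Read-only; changes nothing.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' | Out-Null

# Resolve the first-party app by display name so no app ID is assumed here.
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmSignIn) { throw 'Azure Windows VM Sign-In service principal not found in this tenant' }
$vmAppId = $vmSignIn.AppId

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    $apps   = $p.Conditions.Applications
    $grants = @($p.GrantControls.BuiltInControls)

    # Only the built-in 'mfa' grant is checked; a policy that requires an
    # authentication strength instead would need GrantControls.AuthenticationStrength
    # inspected as well (assumption: not used in this tenant).
    $requiresMfa = $grants -contains 'mfa'
    $targetsApp  = ($apps.IncludeApplications -contains 'All') -or
                   ($apps.IncludeApplications -contains $vmAppId)
    $excludesApp = $apps.ExcludeApplications -contains $vmAppId

    # Report-only policies are listed too: they show what would block once enforced.
    if ($p.State -ne 'disabled' -and $requiresMfa -and $targetsApp -and -not $excludesApp) {
        [pscustomobject]@{
            Policy = $p.DisplayName
            State  = $p.State
            Grant  = $grants -join ','
            Users  = (@($p.Conditions.Users.IncludeUsers) + @($p.Conditions.Users.IncludeGroups)) -join ','
        }
    }
}

if ($findings) {
    Write-Warning "These MFA policies still cover Azure Windows VM Sign-In ($vmAppId):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No enabled MFA policy targets Azure Windows VM Sign-In ($vmAppId) without excluding it."
}
```

A policy that shows up here but that you believe excludes the affected users is worth a second look at the Users condition: an exclusion group only helps if the user is a direct or transitive member at the time the policy is evaluated, and a separate policy (for example one scoped by group rather than "all users") can still apply. The caveat Peter Meuser raised earlier applies regardless of tooling: excluding the app removes MFA from the logon to the VM itself, so the MFA requirement should be kept on the Azure Virtual Desktop cloud app so that the broker connection is still challenged before the RDP session is established.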
- nbird22 (Iron Contributor)
I have the same issue as others here where I simply cannot log in to the VM: "Sign-in method not allowed". I've followed the guidance to the letter. Validation host pool, PKU2U setting is enabled, RDP properties updated, all my CA policies have been disabled to rule it out, the correct Azure roles are assigned. I've tried this with 20H2 and 21H1 images; I've tried it with Intune enrolment on and Intune enrolment off. I'm out of ideas.
Is there a log/event somewhere that can nail down this issue further rather than the generic "sign-in method not allowed" error?
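PaulGMVP's dsregcmd dump above and nbird22's question about where to look on the host are both served by a single host-side check. The script below is an added example, not code from the thread or from Microsoft; it runs read-only in an elevated PowerShell on the session host, turns dsregcmd /status into an object, verifies the PKU2U setting the thread keeps coming back to, and pulls the failed-logon and Azure AD operational events that give more detail than the generic "sign-in method not allowed" dialog. The log names, event ID and registry value are the standard Windows ones; nothing tenant-specific is assumed.

```powershell
# Added example (not from the original thread). Run elevated on the session host.

# 1. Azure AD join state, parsed out of dsregcmd /status instead of read by eye.
#    Lines look like "   AzureAdJoined : YES"; box-drawing lines do not match and are skipped.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.*)$') { $state[$matches[1].Trim()] = $matches[2].Trim() }
}
[pscustomobject]@{
    AzureAdJoined    = $state['AzureAdJoined']
    DomainJoined     = $state['DomainJoined']
    TpmProtected     = $state['TpmProtected']
    DeviceAuthStatus = $state['DeviceAuthStatus']
} | Format-List
if ($state['AzureAdJoined'] -ne 'YES') { Write-Warning 'Host is not Azure AD joined; nothing below will help until it is' }

# 2. PKU2U: the registry value behind the security option "Network security: Allow
#    PKU2U authentication requests to this computer to use online identities".
#    The client device needs the same setting when connecting with the desktop client.
$pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
    -Name AllowOnlineID -ErrorAction SilentlyContinue
if ($pku2u -and $pku2u.AllowOnlineID -eq 1) {
    Write-Host 'PKU2U online identities: ALLOWED'
} else {
    Write-Warning 'PKU2U online identities not enabled (AllowOnlineID is not 1); Azure AD sign-in over RDP will be refused'
}

# 3. Recent failed logons. Security event 4625 carries Status/SubStatus, which
#    separate "unknown user" from "account restriction", and LogonType
#    (10 = RemoteInteractive) confirms the attempt actually reached this host.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            Status    = $d['Status']
            SubStatus = $d['SubStatus']
            Source    = $d['IpAddress']
        }
    } | Format-Table -AutoSize

# 4. The Azure AD operational log on the host records token and PRT errors for
#    the device and user; a Conditional Access block usually surfaces here.
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Correlate the timestamps from steps 3 and 4 with the Azure AD sign-in logs for the same user: a 4625 with no matching cloud sign-in means the request never left the host (PKU2U, RDP property or role problem), while a cloud sign-in that shows a Conditional Access failure points back to the policy audit above.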