Forum Discussion
Windows 11 Enterprise Entra ID joined session host
Hello Everyone,
I hope someone can help me with this issue. We have an AVD environment with domain-joined personal pools, and everything works well. Now we want to deploy a personal pool with Entra ID joined session hosts running Windows 11 Enterprise. I followed the instructions, but I can't log in to the host due to the error: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."
It did let me log in to the machine, but after about 10 seconds it ended my session, and when I reconnected it showed that error.
We already have MFA in place for the Azure Virtual Desktop app. I added "targetisaadjoined:i:1" to the pool settings to use username and password, as we don't have Windows Hello for Business enabled.
The MS support guy asked us to enable Windows Hello for Business, as that is the only way that works for Entra ID joined session hosts. But tbh, from the doc on the MS site, it said that the setting "targetisaadjoined:i:1" and excluding the app "Windows Virtual Machine Sign-in app" from Conditional Access can skip the strong authentication requirement. So I'm not sure if the MS guy said that correctly.
But we still tried to enable Windows Hello and still got that error, or another error: "The username and password are incorrect".
I already added the "Virtual Machine User Login" role to the users.
I checked that "Allow PKU2U authentication requests to this computer to use online identities" is enabled on both the session host and the local PC.
The pool with Windows 10 Entra ID joined session hosts works well with just this setting: "targetisaadjoined:i:1"
I'm lost now, so hope someone can help.
Thank you,
6 Replies
- It sounds like you're dealing with a frustrating issue regarding Entra ID-joined session hosts in your AVD setup. Based on what you’ve described, here are a few things you might want to try:
Windows Hello for Business:
It’s true that for Entra ID joined VMs, Windows Hello is often recommended. However, if you're sticking to username/password login, ensuring that "targetisaadjoined:i:1" is correctly configured across all Conditional Access policies should help.
Authentication Methods:
It’s worth double-checking whether your MFA settings or other conditional access policies are conflicting with the username/password method. Sometimes, Conditional Access can enforce more stringent policies for Entra ID-joined VMs.
User Role:
You've already added the Virtual Machine User Login role, which is great. Just ensure that this role is correctly propagated to all session hosts.
PKU2U Settings:
Since you mentioned the PKU2U authentication requests are enabled on both the session host and the local PC, I would recommend verifying once again that there’s no mismatch in their configurations.
- NhatHoang2592 (Copper Contributor)
We set "targetisaadjoined:i:1" in the pool settings. What do you mean by this: "However, if you're sticking to username/password login, ensuring that "targetisaadjoined:i:1" is correctly configured across all Conditional Access policies should help." Is it something in the Conditional Access policy I should check?
- I tried to look at MFA; the "Windows Virtual Machine Sign-in" app is excluded.
- PKU2U is enabled and I can see it in the AVD client.
But the error still exists. I'm curious why it let me sign in and then kicked me off after 5-10 seconds (whenever I reboot the session host), and then showed that error.
Thanks,
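The thread above boils down to a short checklist: the host pool's custom RDP properties carry targetisaadjoined:i:1, the PKU2U online-identity policy is enabled on the session host, the host actually reports itself as Entra ID joined, and the users hold the "Virtual Machine User Login" role on the VM. The PowerShell below is an added example for verifying those four points; it is not code from the thread or from Microsoft. It assumes the Az.DesktopVirtualization and Az.Resources modules are installed and you are signed in with Connect-AzAccount, and the resource group and host pool names are placeholders. The Conditional Access exclusion of the "Windows Virtual Machine Sign-in" app cannot be checked from the host and still has to be reviewed in the Entra admin center.

```powershell
# Added example (not part of the original thread). Two functions:
#   Test-HostPoolEntraLoginConfig  - run from an admin workstation with Az modules
#   Test-SessionHostEntraLoginLocal - run locally on the Windows 11 session host
# Placeholder names must be replaced with your own resource group / host pool.

function Test-HostPoolEntraLoginConfig {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder, e.g. '<rg-avd>'
        [Parameter(Mandatory)] [string] $HostPoolName     # placeholder, e.g. '<hp-win11-entra>'
    )

    # 1. Custom RDP property: needed for username/password sign-in to Entra-joined hosts
    #    when Windows Hello for Business is not in use.
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
    $rdp  = [string]$pool.CustomRdpProperty
    if ($rdp -match 'targetisaadjoined:i:1') {
        "OK      targetisaadjoined:i:1 present in CustomRdpProperty"
    } else {
        "MISSING targetisaadjoined:i:1 not found; current value: '$rdp'"
    }

    # 2. Role assignment: each session host VM needs 'Virtual Machine User Login'
    #    (or the Administrator variant) assigned to the users or a group at VM scope
    #    or above. ResourceId on the session host object is the VM resource id.
    Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName |
        ForEach-Object {
            $vmId = $_.ResourceId
            $assignments = Get-AzRoleAssignment -Scope $vmId |
                Where-Object RoleDefinitionName -like 'Virtual Machine*Login'
            if ($assignments) {
                "OK      $($_.Name): $($assignments.Count) VM login role assignment(s) in scope"
            } else {
                "CHECK   $($_.Name): no 'Virtual Machine User/Administrator Login' assignment found"
            }
        }
}

function Test-SessionHostEntraLoginLocal {
    # 3. PKU2U policy. The GPO "Allow PKU2U authentication requests to this computer
    #    to use online identities" is stored as AllowOnlineID under the Lsa\pku2u key.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $pku2u = Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($pku2u -and $pku2u.AllowOnlineID -eq 1) {
        "OK      PKU2U online identities allowed (AllowOnlineID=1)"
    } else {
        "CHECK   AllowOnlineID is not 1; a domain/Intune policy may be resetting it (see gpresult /h)"
    }

    # 4. Join state: an Entra-joined host reports 'AzureAdJoined : YES' in dsregcmd.
    #    A host that is only registered or hybrid-joined will not satisfy the RDP property.
    $status = (dsregcmd /status) -join "`n"
    if ($status -match 'AzureAdJoined\s*:\s*YES') {
        "OK      device reports AzureAdJoined : YES"
    } else {
        "CHECK   device does not report AzureAdJoined : YES; review dsregcmd /status output"
    }
}

# Usage (admin workstation):   Test-HostPoolEntraLoginConfig -ResourceGroup '<rg-avd>' -HostPoolName '<hp-win11-entra>'
# Usage (on the session host): Test-SessionHostEntraLoginLocal
```

The local function is worth running on both the session host and the client PC, since PKU2U has to be allowed on both ends, and comparing the two outputs is the quickest way to spot the mismatch the first reply mentions.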
- NhatHoang2592 (Copper Contributor)
Yes, I went through that article already; I excluded the app "Windows Virtual Machine Sign-in app" from Conditional Access. But I still see the error.
Thanks,
- marc_kuhn (Brass Contributor)
Did you already check this:
https://cloudbrothers.info/en/the-case-of-signin-method-isnt-allowed/
- NhatHoang2592 (Copper Contributor)
marc_kuhn Yes, I did. I also excluded the "Windows Virtual Machine Sign-in" app from MFA to just use the username and password on the session host, but I still got the error.
I'm curious why it let me sign in and then kicked me off after 5-10 seconds (whenever I reboot the session host), and then showed that error.
Thanks,