Forum Discussion
"Your credentials did not work" AVD Azure AD joined
I'm trying to test AVD Azure AD-joined only. I've met all the requirements here - Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure | Microsoft Docs. The PC I'm connecting from is running Windows 10 21H2 and is Azure AD registered to the same AAD as the AVD VM. I've enabled PKU2U on both the local PC and AVD VM, and tried it both with and without targetisaadjoined:i:1 in the host pool config.
When I try to log in via the Remote Desktop Client (the MSI one, not Store), I enter my UPN prefixed by AzureAD\ as required. I always get "Your credentials did not work". The web client doesn't work either. The security log on the AVD VM shows ID 4625 - "Unknown user name or bad password."
I can log in without any issues to the same AVD VM from a PC that is Azure AD-joined and using Windows Hello for Business, so I know AVD works.
The only thing I'm not sure of is MFA. My account has MFA enabled, but from what I understand that should not be an issue as I'm not using the legacy per-user MFA that the article says isn't supported.
- Johan_Vanneuville (Iron Contributor)
Hi,
Can you try with your UPN without AzureAD\ in front? Just log in using the email format.
- PeteMitchell (Brass Contributor)
Thanks. I already tried that and get the same error.
- DavidBelanger (Microsoft)
PeteMitchell, MFA is quite possibly the culprit here. You must make sure to add "Azure Windows VM sign in" to the exclusion list for MFA. You can start by reviewing the following info: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-azure-ad-connections#i-cant-sign-in-even-though-im-using-the-right-credentials
- G_Davidson1975 (Copper Contributor)
Hi Pete, did you get to the bottom of this issue? I too have the same issue where I cannot log into an AD-joined AVD machine but can log into a laptop AD-joined machine.
- rePell (Copper Contributor)
I am having an issue exactly matching your description. I have no idea what I did. It worked last week.
- kdurigan (Copper Contributor)
rePell, in case anyone runs into this thread: if you have host pools with AAD-joined machines, then you have to set the following RDP Advanced property in the host pool: enablerdsaadauth:i:1. This can also be set in Nerdio's RDP host pool "All" properties if you are using Nerdio. Make sure you refresh the policy for each changed host pool in the Azure Virtual Desktop (Preview) client by clicking the ... and selecting Refresh.
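The host pool settings discussed in this thread (targetisaadjoined:i:1 from the original post and enablerdsaadauth:i:1 from the last reply) are stored as one semicolon-separated custom RDP property string on the host pool, so adding one by hand can silently overwrite the others. The PowerShell below is an added example, not code posted by anyone in the thread: it merges the two properties into whatever is already set (replacing a property if it exists, appending it if not) and applies the result with the Az.DesktopVirtualization cmdlets Get-AzWvdHostPool and Update-AzWvdHostPool. The resource group and host pool names are placeholders, and the script assumes you have already run Connect-AzAccount.

```powershell
# Added example (not from the thread). Assumes Az.DesktopVirtualization is installed
# and Connect-AzAccount has been run; $rg and $pool below are placeholders.

function Merge-RdpProperty {
    param(
        [AllowEmptyString()][string]$Existing,   # e.g. "targetisaadjoined:i:1;audiomode:i:0"
        [Parameter(Mandatory)][string]$Property  # e.g. "enablerdsaadauth:i:1"
    )
    # Custom RDP properties are "name:type:value" entries separated by semicolons.
    # Keyed by lower-cased name so an existing entry is replaced rather than duplicated.
    $props = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $name = ($entry -split ':', 2)[0].Trim().ToLowerInvariant()
        $props[$name] = $entry.Trim()
    }
    $newName = ($Property -split ':', 2)[0].Trim().ToLowerInvariant()
    $props[$newName] = $Property.Trim()
    return ($props.Values -join ';')
}

$rg   = 'rg-avd-placeholder'        # placeholder resource group name
$pool = 'hp-aadjoined-placeholder'  # placeholder host pool name

$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$current  = [string]$hostPool.CustomRdpProperty

# Properties named in the thread for Azure AD-joined session hosts.
$updated = $current
foreach ($p in 'targetisaadjoined:i:1', 'enablerdsaadauth:i:1') {
    $updated = Merge-RdpProperty -Existing $updated -Property $p
}

if ($updated -ne $current) {
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $updated
    Write-Host "Host pool '$pool' custom RDP properties are now: $updated"
} else {
    Write-Host "Host pool '$pool' already has the required properties: $current"
}
```

Merge-RdpProperty is idempotent, so the script can be re-run safely; the Update call only happens when the merged string differs from what is already on the host pool. As the last reply notes, clients cache the feed, so after the update each affected host pool still needs a Refresh in the Remote Desktop client before the new properties take effect.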