AVD host Entra ID joined only - logon issues.

Copper Contributor

Hi all - I have an issue with AVD logon using the Remote Desktop client (the correct one - v1.2.4763).

The hosts are all accessible and it looks like a connection is going to happen when you click on the (Desktop) icon - however it prompts for logon and just gets stuck in a logon loop - asking for MFA each time.  Note this is entirely an AAD/Entra setup only - there is no domain sync/domain services.  Intune is connected - and is doing its thing,

 

The errors (warnings) on the host (eventlog) are:

RDP_SEC_RDSAADAUTH_SERVER: An error was encountered when transitioning from Processing Authentication Request in response to Failed to authenticate user (error code 0xD000006D).

 

Followed immediately by: 

RDP_SEC: An error was encountered when transitioning from FStateInRdsAadHandshake in response to FEventRdsAaadHandshakeFailed (error code 0x8007052E).

 

*** Is this being caused by MFA???  Or is that a historic issue?  If so, how do I un-do MFA??

 

I have pass through switched on in the host group settings.

Everything looks fine in terms of it being connected.

 

C:\Users\avdadmin>dsregcmd /status

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Virtual Desktop : NOT SET
Device Name : AVDHost-0

 

The dumb thing is that it was working - I had to rebuild it all from scratch to get around an Azure subscription change/issue!!!

 

Any words of wisdom will be gratefully received.

 

Thanks, Aaron.

4 Replies

Hi @AaronE430,

I see you're facing a login loop issue with Azure Virtual Desktop (AVD). This problem is not uncommon, and there are several potential solutions based on the information I found:

  1. Conditional Access Sign-in Frequency:
    If you've set a sign-in frequency for conditional access, users might encounter issues when their session times out. The error code 70044 and the failure reason "The session has expired or is invalid due to sign-in frequency checks by conditional access" suggest this could be the issue.

  2. Client Version:
    Make sure you're using the latest version of the Remote Desktop app. If using the Microsoft Store version, consider uninstalling it and installing the latest version from the Microsoft website.

  3. Azure AD User License:
    Check and renew the Azure AD User License.

  4. Security Defaults in Azure AD:
    Consider disabling Security Defaults in Azure AD.

Regarding your question about MFA, it's challenging to determine if MFA is causing the problem without more information. If you wish to disable MFA, typically, you would do this through the Azure portal. However, be cautious, as it can impact account security.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

I'm unsure if this is your exact issue, but this worked for me:  Azure Virtual Desktop; "The sign-in method you’re using isn’t allowed" - Ciraltos

Many thanks for your replies.

 

I found the issue(s) - it was 2 fold:

1.  I disabled the default security in Entra and established specific CA policies to exclude MFA for VM logon.  This is definitely a 'must do'.

2. I added the IAM role on the resource group to allow virtual machine logon.  I expect this was the 'big one'.  I didnt think to reinstate it with the re-deployment.....

 

Thanks again.

 

Aaron

 

 

Hi - this was definately a factor (i.e. default requirement for MFA) - however, the symptoms were not the same. Many thanks.