SOLVED

Outlook login issues with WVD - FSLogix

Copper Contributor

Having an issue where users of WVD Windows 10 multi-session have issues moving between hosts. Essentially, first login on a host is fine; when the user moves to a new host, Outlook eventually says "Need Password", but the modern authentication prompts are never presented to the user.

Anyone have any insight? Perhaps something with Azure Files / FSLogix?

Thanks in advance.

219 Replies
best response confirmed by Eva Seydl (Microsoft)
Solution

@DAsnow this scenario isn't ringing a bell in terms of a common scenario, probably best to contact support on this.

@DAsnow 

  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, create a DWORD value named EnableADAL and set it to zero.
  • Under the same registry key, create a DWORD value named DisableADALatopWAMOverride and set it to 1
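As an added example (mine, not from the poster), a PowerShell snippet that reports whether those two override values are set for the current user's profile and, with -Restore, removes them again. Later replies in this thread point out that EnableADAL=0 drops Office back to basic authentication, which is unusable for MFA-enforced accounts, so this script only reads or removes the override; it never writes EnableADAL=0. The key path is the one quoted in the post; the -Restore switch and the interpretation comments are my assumptions.

```powershell
# Added example (not from the thread): report, and optionally remove, the Office
# modern-auth overrides under the Identity key quoted above. Run in the affected
# user's session (HKCU is per profile, so with FSLogix it lives in the container).
param(
    [switch]$Restore   # remove the override values so Office uses ADAL/WAM again
)

$identityKey    = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$overrideValues = 'EnableADAL', 'DisableADALatopWAMOverride'

if (-not (Test-Path $identityKey)) {
    Write-Output "No Identity key for this profile; Office defaults apply (modern auth on)."
    return
}

$props = Get-ItemProperty -Path $identityKey
foreach ($name in $overrideValues) {
    $value = $props.PSObject.Properties[$name]
    if ($null -eq $value) {
        Write-Output ("{0,-28} not set (default)" -f $name)
        continue
    }
    Write-Output ("{0,-28} = {1}" -f $name, $value.Value)
    if ($Restore) {
        Remove-ItemProperty -Path $identityKey -Name $name -ErrorAction Stop
        Write-Output ("{0,-28} removed" -f $name)
    }
}

# Interpretation (my reading of the post): EnableADAL = 0 turns modern auth off
# for this user profile, so Office falls back to basic auth and MFA cannot be
# satisfied; DisableADALatopWAMOverride = 1 additionally stops Office from
# using the Windows account broker (WAM) on top of ADAL.
```

Run it without -Restore first to see what a profile carries; only profiles that were deliberately downgraded will show EnableADAL = 0.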
Did you get this fixed @DAsnow? I have the same issue and I can't disable ADAL, as otherwise it causes a business-critical application to not work.

Can anyone at MS clear things up?

It can't be that we need to disable modern authentication because it fails to connect for multiple users.

I deployed a new WVD pool this weekend and already experienced disconnected users in Outlook after x amount of time. Setting EnableADAL to 0 forces the applications back to basic authentication.

Experienced these issues before on local clients, so it is not WVD-related at all.

When forcing everyone to use MFA we simply cannot disable Modern Auth!

Removing the user profile completely resolves the issue but is very cumbersome for the end user.

Is there a problem with permissions in the credential manager? Because it contains a lot of entries for ADAL; it almost seems like it cannot update the one existing entry and goes haywire after x amount of time.

Thanks in advance!

@ritchnet unfortunately this issue is not resolved. I have tried many things mentioned here and on other sites and have no concrete resolution or reason why it occurs.

@DAsnow

We also get this issue. Disabling modern auth stops users' Outlook from disconnecting every hour or so; however, when their password expires, that's when it really becomes an issue. Due to our users making use of SharePoint and OneDrive we are unable to make use of the basic auth functions, as modern authentication is required to access these services. I can get it to open a new window if I put in something similar like a .onmicrosoft.com address and then change the address after; however, this doesn't always work.

I've given MS a nudge with a support ticket that I have open with them regarding a few outstanding bits.

Hello @DAsnow

I have now got a resolution to this issue. It may work for you, it may not; however, mine was down to some missing configuration in regards to Azure and AD Connect.

The issue that we see is that when a user's password expires or they need to authenticate to Outlook, they would put their email address in or click on "Enter password", and the popup would appear and then immediately disappear.

1. Ensure devices are appearing as hybrid Azure AD devices in Azure Active Directory (365 side). The devices need to appear as hybrid devices if you are using standard ADDS join and not Azure ADDS. This is due to the fact that users, upon sign-in, need to update device registration when they go to sign into 365 services.

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

2. Ensure that SSO is configured correctly. In my case I had forgotten to push out a zone policy making the SSO URLs part of the intranet zone.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#browse...

Once the above are configured my issues simply went away; as much as I tried to break it, I couldn't do so. The prerequisites on the "What is Windows Virtual Desktop" page are not clear, which is why I didn't set the devices up as hybrid devices.

Hope some of this helps!
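The two prerequisites in that reply can be checked on a session host without opening the portal. The following PowerShell is an added example (mine, not the poster's) and assumes: dsregcmd.exe is present (it is on Windows 10), the Seamless SSO URL to be in the Local intranet zone is https://autologon.microsoftazuread-sso.com as in the linked quick-start, and that the zone was pushed with the Site to Zone Assignment List policy, which writes its entries under the ZoneMapKey policy key. Run it in the affected user's session so the PRT state reflects that user.

```powershell
# Added example (not from the thread): verify hybrid Azure AD join and the
# Seamless SSO intranet-zone entry on a WVD session host.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1].Trim()] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    # Hybrid join means both domain-joined and Azure AD-joined report YES.
    # AzureAdPrt is per user: YES once this user obtained a Primary Refresh
    # Token, which is what Office's silent token requests depend on.
    $s = Get-DsregState
    [pscustomobject]@{
        Check         = 'Hybrid Azure AD join'
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        AzureAdPrt    = $s['AzureAdPrt']
        Passed        = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
    }
}

function Test-SsoIntranetZone {
    # Site to Zone Assignment List stores one value per URL under ZoneMapKey;
    # the data is the zone number, and 1 = Local intranet. Check the computer
    # policy location first, then the user policy location.
    $ssoHost    = 'autologon.microsoftazuread-sso.com'   # assumption: SSO URL from the quick-start
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    $found = $null
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $match = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -like "*$ssoHost*" } | Select-Object -First 1
        if ($match) {
            $found = @{ Key = $key; Entry = $match.Name; Zone = $match.Value }
            break
        }
    }
    [pscustomobject]@{
        Check  = 'SSO URL in Local intranet zone'
        Entry  = if ($found) { "$($found.Key)\$($found.Entry)" } else { '(none)' }
        Zone   = if ($found) { $found.Zone } else { $null }
        Passed = ($null -ne $found) -and ($found.Zone -eq 1)
    }
}

@(Test-HybridJoin; Test-SsoIntranetZone) | Format-List
```

If the first check fails, the host never completed hybrid registration (the AD Connect OU filtering mentioned further down this thread is one cause); if the second fails, browsers and Office will not send the Kerberos ticket to the SSO endpoint and users get an interactive prompt instead of transparent sign-in.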

 

This is helpful, thank you. One question for @WillSomerville: are you using on-prem AD Connect or Cloud AD to Azure AD?

Hi @DAsnow

We have currently set up 2 DCs in the Azure datacenters we operate out of, one of which has AD Connect. We also have, however, on-premises DCs, with one of those running AD Connect. One of the Azure DCs is the PDC now, which has AD Connect running on it.

It shouldn't matter, however, where you have AD Connect running from, as long as it has line of sight of the domain controllers to be able to read and sync the relevant changes between ADDS and Azure ADDS.

Cheers

Will

@knowlite  any news on this issue? Still having same problem no resolution yet.

@DAsnow can you try to manually register the AAD Broker plug-in on the user session that is experiencing this issue?

From PowerShell, first verify if it's installed:
Get-AppxPackage Microsoft.AAD.BrokerPlugin

I would expect that the AADBrokerPlugin isn't installed; if so, try to manually register the app:
Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode

Appreciate you may have looked at this already, but I had exactly the same issue: Outlook password box not surfacing correctly to the user in a WVD Win10 session with FSLogix configured. Users shouldn't have been challenged for a password at all.

For me, the issue was that the WVD session host OU was excluded from synchronisation in the AD Connect console. As soon as I enabled synchronisation for the OU, the problem went away. Transparent sign-in, no password prompts.

@Tom_A_MSFT I was having the same problem as others on this thread, and manually registering the AADBrokerPlugin per your recommendation fixed the issue. Thanks.

@Tom_A_MSFT activating the AAD BrokerPlugin in a user session doesn't appear to persist. I logged out and back in and I'm back to the same problem I had before.

@Tom_A_MSFT 
The command to register the AAD Broker plugin works but does not persist after logoff/logon. Additionally, all new profiles need this command to be run. We have implemented a login script that runs the AAD Broker plugin registration command, which is keeping Modern Auth working for all users at this point, but we cannot seem to get to the root cause. We have engaged Microsoft support and our partner resources but the issue doesn't seem to be able to be replicated with a standard gallery image.

I'm suspicious of FSLogix. I'm going to test disabling FSLogix and see if local profiles do not have the issue. However, we've simply set everything up per MS documentation on our Win 10 multi-session image, installed Office in shared activation mode per the WVD documentation, then snapshot, sysprep, and re-deployed using the WVD deployment template and our custom/sysprep image. We've also gone back to the bare basics in terms of the FSLogix GPO after tinkering with various settings.

I will update this thread as we learn more but any new information would certainly be appreciated. I'll just state the obvious here, but turning off modern authentication through the registry is not an option for our MFA-enabled accounts.

I've also found a past issue where FSLogix was having issues with Edge and the solution was to register the appx package for Edge.
Article on the FSLogix forum here:
https://social.msdn.microsoft.com/Forums/windowsserver/en-US/d18184fe-a703-44e8-a4d3-f824ed10eeb6/ed...
I'm not sure if anyone else has noticed additional appx package issues. We also see a black screen at login for users due to the App Readiness service. We are also seeing failures for some of these additional appx packages (which can be temporarily fixed by registering again in PowerShell).

Faulting application path:

ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
microsoft.windowscommunicationsapps_16005.11029.20108.0_x64__8wekyb3d8bbwe
Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe
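Tom_A_MSFT's two commands above, and the logon-script approach this reply describes, amount to the same check-then-register step run per user at every logon. The script below is an added example (mine, not the thread's, and not what either poster actually deployed) that does that for the broker plug-in and for the other two packages named in the crash list. Assumptions: it runs in the user's own context at logon (for example as a GPO logon script); the broker plug-in's manifest is found by scanning C:\Windows\SystemApps for a folder named after the package rather than hard-coding the publisher suffix; the fallback via Get-AppxPackage -AllUsers only works when the script happens to run elevated; and the log file path is my choice.

```powershell
# Added example (not from the thread): per-user logon script that re-registers
# the AAD broker plug-in and other inbox packages when they are missing from
# the current user's profile, and logs what it did so the failure can be traced.

$packagesToCheck = @(
    'Microsoft.AAD.BrokerPlugin',            # modern-auth token broker (WAM)
    'microsoft.windowscommunicationsapps',   # Mail/Calendar; listed as crashing above
    'Microsoft.WindowsStore'                 # listed as crashing above
)
$logPath = Join-Path $env:LOCALAPPDATA 'AppxRepair.log'   # assumption: log location

function Write-RepairLog([string]$Message) {
    "$(Get-Date -Format o) [$env:USERNAME] $Message" |
        Out-File -FilePath $logPath -Append -Encoding utf8
}

function Find-StagedManifest([string]$Name) {
    # Inbox system apps such as the broker plug-in live under SystemApps in a
    # folder named <Name>_<publisherId>, which standard users can read.
    $sys = Get-ChildItem -Path "$env:SystemRoot\SystemApps" -Directory -Filter "${Name}_*" -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($sys) { return (Join-Path $sys.FullName 'AppxManifest.xml') }

    # Store-provisioned packages: -AllUsers needs admin rights, so this branch
    # only succeeds when the script runs elevated; otherwise report "not staged".
    try {
        $staged = Get-AppxPackage -AllUsers -Name $Name -ErrorAction Stop |
            Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
        if ($staged) { return (Join-Path $staged.InstallLocation 'AppxManifest.xml') }
    } catch { }
    return $null
}

function Repair-UserAppxPackage([string]$Name) {
    # Already registered for this user? Nothing to do.
    if (Get-AppxPackage -Name $Name) {
        Write-RepairLog "$Name already registered"
        return $true
    }
    $manifest = Find-StagedManifest $Name
    if (-not $manifest -or -not (Test-Path $manifest)) {
        Write-RepairLog "$Name not staged on this host; cannot register"
        return $false
    }
    try {
        # Same call as the one-off fix above, driven from the discovered manifest.
        Add-AppxPackage -Register $manifest -DisableDevelopmentMode -ErrorAction Stop
        Write-RepairLog "registered $Name from $manifest"
        return $true
    } catch {
        Write-RepairLog "failed to register ${Name}: $($_.Exception.Message)"
        return $false
    }
}

$results = foreach ($pkg in $packagesToCheck) {
    [pscustomobject]@{ Package = $pkg; Registered = (Repair-UserAppxPackage $pkg) }
}
$results | Format-Table -AutoSize
```

The log is the useful part for root-causing: if every logon to a fresh host records "not registered" for the broker plug-in, the per-user Appx registration state is not surviving in the profile container, which is the FSLogix angle this reply is chasing.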



@DAsnow

Hey - we had this same issue. I found that it was related to the fact that the 'manage my computer' process was skipped when someone hopped from one host to another after a logoff/logon process.

Here's what I did to fix it.

In Outlook, File -> Office Account

Click Sign Out under User Information. Now, you'll notice that clicking 'Sign in' will not work with the current user information; it will just keep failing. Log in with another account (an administrator account or whatever you'd like). It will go through the process of signing in, but will eventually pop up an error message, as you cannot have two different accounts signed in. Close that error window... but, lo and behold, it will ask you to sign into Office again. At this point, put the normal user's email and password in again and it will prompt to manage this device, etc. Click through all of those screens and let it do its thing and you should be good.

@Deanbostedor I'm having the exact issue you described and also believe it's an FSLogix problem. Have you made any progress troubleshooting? I've gone through the same steps you described.

I can easily reproduce the issue when using the FSLogix profile service and logging in to the brokered WVD service with the Remote Desktop app, but if I log in to the WVD hosts directly using MSTSC, and get a local profile, the issue cannot be reproduced.

@Rob Blankers - We currently have a Sev B ticket open and the FSLogix team is looking into it.

We rebuilt the entire host pool using a method given to us directly by a WVD architect. We configured a new profile UNC path and the issue is back 3-4 days later. We went from 60+ registered Appx packages to maybe a dozen or more. The strange thing now is that the Azure AD Broker plugin is registered but we're seeing the following Azure AD Broker error in the event viewer (see screenshot):

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -2147024893 (0x80070003), Description: The system cannot find the path specified.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.
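The broker error quoted above is logged in the AAD operational channel, and the Appx and crash symptoms from earlier in the thread land in two other logs, so they can be pulled together per host and per user instead of screenshotted. The following is an added example (mine, not the poster's) that does that for the last N hours. Assumptions: standard Windows 10 log names (Microsoft-Windows-AAD/Operational, Microsoft-Windows-AppXDeployment-Server/Operational, and Application event 1000 from the Application Error provider); the message-parsing regexes are mine and are written against the error text quoted in this reply, so other event formats may yield empty fields.

```powershell
# Added example (not from the thread): collect AAD token-broker errors, Appx
# deployment failures and application crashes from a session host so that
# 0xCAA5001C / 0x80070003 occurrences can be correlated with user logons.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-AadBrokerErrors {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AAD/Operational'; Level = 2; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $_.UserId        # SID of the session the broker ran in
            EventId   = $_.Id
            Error     = if ($m -match 'Error:\s*(0x[0-9A-Fa-f]+)')            { $matches[1] } else { $null }  # e.g. 0xCAA5001C
            Operation = if ($m -match 'Operation name:\s*([A-Za-z]+)')         { $matches[1] } else { $null }  # e.g. GetTokenSilently
            HResult   = if ($m -match '\((0x[0-9A-Fa-f]{8})\)')                { $matches[1] } else { $null }  # e.g. 0x80070003
            Text      = ($m -split "`r?`n")[0]
        }
    }
}

function Get-AppxDeploymentFailures {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppXDeployment-Server/Operational'; Level = 2; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.UserId
            EventId = $_.Id
            # Best-effort: pick out a full package name (Name_Version_...) if present.
            Package = if ($_.Message -match '([A-Za-z][A-Za-z0-9.-]*_\d+\.\d+\.\d+\.\d+_\S+)') { $matches[1] } else { $null }
            Text    = ($_.Message -split "`r?`n")[0]
        }
    }
}

function Get-AppCrashes {
    # Event 1000 (Application Error) in the Application log; the faulting
    # application path is one of the message's lines.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            App  = if ($_.Message -match 'Faulting application path:\s*(.+)') { $matches[1].Trim() } else { $null }
        }
    }
}

Write-Output "== AAD broker errors since $since =="
Get-AadBrokerErrors | Group-Object Error, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Write-Output "== Appx deployment failures =="
Get-AppxDeploymentFailures | Format-Table Time, User, EventId, Package -AutoSize
Write-Output "== Application crashes (event 1000) =="
Get-AppCrashes | Group-Object App | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Reading the output for the case in this reply: GetTokenSilently failing with 0x80070003 ("path not found") while the broker package itself is registered points at something under the user's profile that the broker expects on disk, so the timestamps of those errors against the user's logon times on the second host are the first thing to compare.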

 
