SOLVED

Outlook login issues with WVD - FSLogix

Having an issue where users of WVD Windows 10 multi-session have problems moving between hosts. Essentially the first login on a host is fine, but when the user moves to a new host Outlook eventually says "Need password"; however, the modern authentication prompts are never presented to the user.

Anyone have any insight? Perhaps something with Azure Files / FSLogix?

Thanks in advance.

219 Replies
This, in conjunction with the GPO to block future Azure AD joins, is the solution.

@DAsnow 

Sorry to post in an older thread, but I am seeing issues with additional mailboxes in Outlook with AVD.

Adding the mailbox will work initially, but the next day when the user logs in the additional mailbox does not update and "Needs password" appears, but the prompt box will not show. Removing the mailbox and trying to re-add it then gives an error that the mailbox cannot be added and to retry. Recreating the whole FSLogix profile fixes it, but only creating a new Outlook profile does not. Anyone have any idea what is causing this and a fix?

A long time WVD/AVD administrator here and we're now picking up on some oddities:

First of all mentioning what has and does work perfectly:
AVD VMs are not WorkPlaceJoined like the initial problem in this thread
SSO works for the user logging on
MFA works as expected
FSLogix roaming handles logging on to multiple machines

The problems start when due to business needs a 2nd O365 account gets added to outlook or teams. Especially if that second O365 account is not within the same tenant of the user logging on (the user logging on handles the Windows/Office licensing as required). Another way to make sure it breaks is by adding only a foreign O365 account to Outlook and then logging on to another VM. 

The only "fix" we've found so far is to disable WAM and re-enable ADAL. That fixes the issues but isn't recommended or desired in the long run.

Is anyone able to confirm they have a setup like this working with email/Teams accounts other than the logged in user? Or does adding other accounts to Outlook with MFA simply break SSO on AVD/FSlogix setups? The problem persists over multiple different AVD setups

@KevinDeSchrijver 

We have the same setup on Terminal Server 2019 with FSLogix, and from time to time the login breaks.

We did not test disabling ADAL or anything similar.

We log the user off, let them log in on another terminal server (it's a broker setup with two terminal servers in it), and then Outlook runs fine on the other server.

On the next day it doesn't matter which terminal server the user is working on.

We have not found any other solution yet.

@KevinDeSchrijver 

Same issue, only with RDS. Latest FSLogix installed, but when they change their password they lose the connection with Office 365 and "Password needed" is showing. The prompt won't pop up, and it seems to happen with the users that have multiple accounts added from different tenants.

We use DUO as MFA. They will force modern authentication soon, so disabling this won't help.

The solution that seems to work is logging them out of Outlook, signing back in and approving with MFA again.

@KBanko 

We have the exact same problem since last week. FSLogix on Terminal Server 2019 with one broker and two session hosts. Did you find any other solution than logging the user on to the other server and keep waiting?

@Uli990 

Nope, still no fix. 

Really annoying.

Following fix in place at the moment:

Create GPO to add the following Registry key or manually create:
HKEY_LOCAL_MACHINE\Software\FSlogix\Profiles
KeepLocalDir DWORD 1

Then add a "redirections.xml" file in the following location of each user:
c:\users\%username%\AppData\Local\FSLogix

The redirection only works when the file is present upon logon so do a logoff/logon afterwards or inject into the dormant profile.

Contents of redirections.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection>
  <Excludes>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>

You will have to enter credentials on EACH Session Host ONCE but after that you can move between hosts without any issue.

The theory of this fix:
Modern Authentication works with Tokens. Those tokens contain the Device ID. Storing them in FSLogix breaks them because the Device ID contained in them no longer matches. The fix pushes those tokens out of the FSLogix container to a local_username folder and no longer deletes that folder upon logoff from the machine. Once you have a working token on each host it will refresh if needed but it no longer breaks. Hope this helps because MS was clueless after spending a few weeks with the FSLogix/Office teams.

Will give it a try.
The theory sounds logical to me.
Hope Microsoft will find an official fix soon...

Thanks for your work!
Sounds logical, but it still leaves me with questions.
- Only one customer got issues while we have multiple setups like this
- Only happens after password change (in our case)
- I don't see this issue on VDI while they change desktops every day

The only difference is that some users have multiple accounts in Outlook from different tenants, but we also see this happen with users that have a single account after changing their password.

There is more than one reason why Modern Authentication can break. My situation and the fix are very specific:
The use-case is multiple Hosts AND multiple O365 accounts (or an O365 account that isn't covered by SSO)

In VDI and almost any setup you should have SSO configured which handles the primary O365 account. If it "breaks" by moving to another VM, SSO kicks in and repairs it without the user ever noticing.

My fix is only intended if both conditions are met: Multiple hosts and multiple O365 accounts.

If you are having issues with Modern Auth and those conditions are not met I suggest looking at SSO which may not be configured or may not function as desired. Seems like the case with the changing password issue. Your local AD may not be in sync with AAD.

Hi Kevin,

SSO works even when Outlook is broken. The customer has multiple hosts, and some users have multiple O365 accounts from different tenants. But we also see the broken Outlook issue with users that don't have the second tenant account added.

Outlook breaks after the user changes their password (they needed to change their password every 42 days).
Looks like they need to get a new password/token on both RD-Host servers.

We see logs in Azure AD like

"The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'."

Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again.

Error code: 50173

The next test case will be to extend the password change interval to 365 days and see if it still happens. Token refresh is 90 days, I understand.
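An added example (constructed data, not from the thread) of the check the post above is doing by hand: pull the sign-ins that failed with error code 50173 and line each one up against the user's last password change, so you can tell a revoke caused by a password reset from some other revoke. The records below are made up to mirror the quoted message; in a real tenant they come from an export of the Entra sign-in logs, and the password-change times from each user's lastPasswordChangeDateTime.

```powershell
# Added example: correlate AADSTS50173 sign-in failures with password changes.
# All records below are constructed sample data.
$signIns = @'
[
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2023-01-10T08:02:11Z",
  "appDisplayName":"Microsoft Office","status":{"errorCode":50173,"failureReason":"The provided grant has expired due to it being revoked"}},
 {"userPrincipalName":"alice@contoso.example","createdDateTime":"2023-01-10T08:05:40Z",
  "appDisplayName":"Microsoft Office","status":{"errorCode":0,"failureReason":"Other."}},
 {"userPrincipalName":"bob@contoso.example","createdDateTime":"2023-01-10T09:00:00Z",
  "appDisplayName":"Microsoft Teams","status":{"errorCode":50173,"failureReason":"The provided grant has expired due to it being revoked"}}
]
'@ | ConvertFrom-Json

# Constructed: when each user last changed their password (TokensValidFrom
# moves to this point, so older refresh tokens stop working).
$pwdChanged = @{
    'alice@contoso.example' = [datetime]'2023-01-09T17:30:00Z'
    'bob@contoso.example'   = [datetime]'2022-11-01T10:00:00Z'
}

function Get-RevokedGrantSignIns {
    param($SignIns, [hashtable]$PasswordChanged, [int]$WindowDays = 2)
    $SignIns |
        Where-Object { $_.status.errorCode -eq 50173 } |
        ForEach-Object {
            $failedAt = [datetime]$_.createdDateTime
            $changed  = $PasswordChanged[$_.userPrincipalName]
            # A 50173 shortly after a password change is the expected token
            # lifecycle; one long after it points at an admin revoke or something else.
            $cause = if ($changed -and ($failedAt - $changed).TotalDays -le $WindowDays) {
                'password change revoked the refresh token'
            } else {
                'revoke not explained by a recent password change'
            }
            [pscustomobject]@{
                User          = $_.userPrincipalName
                App           = $_.appDisplayName
                FailedAt      = $failedAt
                PasswordReset = $changed
                LikelyCause   = $cause
            }
        }
}

Get-RevokedGrantSignIns -SignIns $signIns -PasswordChanged $pwdChanged | Format-Table -AutoSize
```

With the sample data, alice's failure is flagged as the normal consequence of her password change the evening before, while bob's is not, which is the kind of split that separates the password-expiry cases in this thread from the multi-account/multi-host case Kevin describes.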


@KevinDeSchrijver Won't you have an issue when you re-image the host pool? Everyone will have to sign in to the new hosts again, or am I missing something here?

This is indeed the case. No solution for that I'm afraid.

The solution I posted only applies to the specific case, and I only created it myself after hitting a dead wall with MS support, who started opening their umbrella with statements like: indeed, having more than one O365 account (hello, mail accounts?) is not supported with FSLogix on multiple hosts.

I based my solution on this:
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-deskt...

This appears to be a new problem, as I have been running AVD multi-session environments for a year now with all the "fixes" and settings set from the start. No issue for 12 months, but after the December Windows patches were installed they seem to break the sign-in tokens, both on my existing environments and my new environments.

So it seems to have nothing to do with the Windows update.

I fixed my issue by rolling back FSLogix from 2210 to 2201. There is a known issue for those devices that can't be Azure AD joined or hybrid joined. So if you are using AADDS, don't update past version 2201 of FSLogix.
https://learn.microsoft.com/en-us/fslogix/troubleshooting-known-issues#azure-ad-authentication-for-a...

Thank you for the heads-up on the new FSLogix issue. I can't tell if this known issue is a bug or just how Microsoft intends to treat AADDS-joined machines in the future.

The problem is wider than that. My machines ARE hybrid joined. Even if they're hybrid joined, you will be prompted every single logon for O365 credentials for SECONDARY (mail) O365 accounts. Granted, that's not a very common use case, but still.

My fix doesn't work for 2210 either. It looks like you can redirect those folders out of FSLogix as much as you want; FSLogix will still "ignore" them. Obviously they changed something in the behaviour there. Still awaiting an MS response on the open case.

Does the change from basic authentication to modern authentication have anything to do with it? Microsoft is forcing modern authentication for tenants now.

Of course. With Basic Auth you don't/didn't have any of these issues. It's the way Modern Auth works (token based, with Device ID) that's breaking things.

Modern Auth is a good thing; it just creates issues for AVD/VDI that haven't been properly vetted out yet.