SOLVED

PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs

%3CLINGO-SUB%20id%3D%22lingo-sub-2548605%22%20slang%3D%22en-US%22%3EPUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2548605%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3EWe%20are%20excited%20to%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-virtual-desktop%2Fnew-ways-to-deliver-a-secure-hybrid-workplace-with-azure-virtual%2Fba-p%2F2547291%22%20target%3D%22_self%22%3Eannounce%3C%2FA%3E%20the%20public%20preview%20of%20Azure%20AD%20joined%20VMs%20support%20for%20Azure%20Virtual%20Desktop.%20This%20feature%20allows%20customers%20to%20easily%20deploy%20Azure%20AD%20joined%20session%20hosts%20from%20the%20Azure%20portal%20and%20access%20them%20from%20all%20clients.%20VMs%20can%20also%20be%20automatically%20enrolled%20in%20Intune%20for%20ease%20of%20management.%20Support%20for%20storing%20FSLogix%20profiles%20on%20Azure%20files%20will%20be%20available%20in%20a%20future%20update.%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3E%3CSPAN%20style%3D%22font-weight%3A%20bold%3B%22%3EGetting%20started%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20Calibri%3B%20font-size%3A%2011.0pt%3B%22%3EThe%20documentation%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Fdeploy-azure-ad-joined-vm%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Edeploy%20Azure%20AD%20joined%20session%20hosts%3C%2FA%3E%20will%20guide%20you%20through%20the%20key%20steps%20needed%20to%20enable%20this%20functionality.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2548605%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAVDUpdate%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2548804%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2548804%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3BWohoo!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20does%20this%20fit%20with%20the%20recent%20announcement%20about%20Cloud%20PC%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DV14Ia2uwrtk%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DV14Ia2uwrtk%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETrying%20to%20figure%20out%20if%20we%20are%20better%20off%20with%20AVD%20%22Personal%22%20machines.%20vs%20a%20CloudPC.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2550078%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2550078%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ECan%20someone%20please%20explain%20this%20statement%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fdeploy-azure-ad-joined-vm%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%3F%3CBR%20%2F%3E%3CEM%3E%3CSTRONG%3E%22Azure%20Virtual%20Desktop%20doesn't%20currently%20support%20single%20sign-on%20for%20Azure%20AD-joined%20VMs.%22%3C%2FSTRONG%3E%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EThe%20whole%20point%20of%20setting%20up%20Azure%20AD%20Joined%20VM%20for%20me%20is%20to%20achieve%20single%20sign%20on%20end-to-end%20including%20my%20apps%20like%20Office%2C%20Teams%20etc.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFYI%20-%20SUPER%20DUPER%20Excited%20to%20get%20rid%20of%20domain%20controllers%20now%20!%20This%20is%20great%20progress.%20Loving%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2550122%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2550122%22%20slang%3D%22en-US%22%3EI%20believe%20the%20correct%20answer%20is%2C%20%22This%20preview%20version%20...%20Certain%20features%20might%20not%20be%20supported%20or%20might%20have%20constrained%20capabilities.%22%20when%20it%20leaves%20preview%2C%20or%20during%20the%20preview%20that%20capability%20might%20be%20added.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2548824%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2548824%22%20slang%3D%22en-US%22%3EI'm%20also%20interested%20to%20have%20a%20good%20story%20to%20consult%20customers%20to%20use%20AVD%20(Flexibility)%20and%20Windows365%20(Simplicity).%20I%20guess%20that%20one%20important%20point%20is%20the%20price%20of%20W365%20(which%20I%20don't%20know)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2552304%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2552304%22%20slang%3D%22en-US%22%3EEnd-to-end%20single%20sign-on%20is%20definitely%20something%20we%20are%20working%20on%20but%20isn't%20available%20in%20the%20first%20release%20due%20to%20the%20protocol%20we%20are%20using.%20We%20know%20how%20important%20that%20feature%20it.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2552419%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2552419%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20pretty%20cool%20-%20even%20for%20cloud-only%20companies.%20I%20used%20the%20evening%20to%20build%20it%20into%20my%20community%20tool%20%3D)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MarcelMeurerDE_0-1626356929817.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296122iCF1A8E7646D2C162%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22MarcelMeurerDE_0-1626356929817.png%22%20alt%3D%22MarcelMeurerDE_0-1626356929817.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2552451%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2552451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3B%20Hi%2C%20I%20created%20a%20new%20host%20pool%20with%20AAD%2C%20it%20is%20a%20validation%20hostpool.%20I%20tried%20to%20access%20the%20AVD%20but%20getting%20error%20a%20%22login%20attempt%20failed%22%20error.%20I%20am%20trying%20with%20my%20UPN%20to%20login%20to%20the%20Azure%20AD%20VM.%20I%20have%20added%20myself%20as%20%22Virtual%20machine%20user%20login%22%20RBAC%20role%20but%20still%20no%20luck.%20Anyone%20experiencing%20the%20same%20issue%3F.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2552765%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2552765%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F378161%22%20target%3D%22_blank%22%3E%40amal_azurewvd%3C%2FA%3E%26nbsp%3BI%20have%20the%20same%20issue.%26nbsp%3B%20I%20followed%20all%20the%20steps%20at%20%3CA%20href%3D%22https%3A%2F%2Fxenithit.blogspot.com%2F2021%2F07%2Favd-and-azure-active-directory-domain.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ethis%3C%2FA%3E%20location%20and%20still%20got%20the%20error.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2552796%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2552796%22%20slang%3D%22en-US%22%3EI%20finally%20got%20it%20working%20from%20webclient.%20I%20added%20targetisaadjoined%3Ai%3A1%20into%20customrdpproperties%20and%20it%20started%20working.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2553048%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2553048%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F378161%22%20target%3D%22_blank%22%3E%40amal_azurewvd%3C%2FA%3E%26nbsp%3BI%20get%20this%20error%20in%20the%20web%20client%3A%26nbsp%3B%26nbsp%3B%3CSPAN%3EWe%20couldn't%20connect%20to%20the%20remote%20PC%20because%20of%20a%20security%20error.%20If%20this%20keeps%20happening%2C%20ask%20your%20admin%20or%20tech%20support%20for%20help.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2554921%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2554921%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20the%20security%20error%20may%20be%20related%20to%20MFA.%20I%20was%20able%20to%20get%20around%20it%20in%20the%20desktop%20client%20by%20using%20a%20PIN%20to%20log%20in%20as%20advised%20in%20this%20link%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhowto-vm-sign-in-azure-ad-windows%23using-conditional-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhowto-vm-sign-in-azure-ad-windows%23using-conditional-access%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20get%20in%20with%20the%20web%20client%20though%2C%20and%20have%20entered%26nbsp%3Btargetisaadjoined%3Ai%3A1%20in%20the%20RDP%20Properties%2C%20so%20not%20sure%20what%20the%20problem%20is.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2555740%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2555740%22%20slang%3D%22en-US%22%3EI%20have%20the%20same%20issue.%20I%20can%20use%20PIN%20with%20the%20Desktop%20Client%2C%20but%20cannot%20access%20the%20VM%20via%20Web.%20We%20do%20have%20%22MFA%20for%20everything%22%20set%20as%20a%20conditional%20access%2C%20and%20if%20I%20could%20identify%20which%20of%20the%20two%20Windows%20Virtual%20Desktop%20enterprise%20apps%20need%20to%20bypass%20this%20setting%2C%20I%20could%20put%20it%20in%20as%20an%20exception.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2557653%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2557653%22%20slang%3D%22en-US%22%3EI'm%20encountering%20%22The%20sign-in%20method%20you're%20trying%20to%20use%20isn't%20allowed.%20Try%20a%20different%20sign-in%20method%20or%20contact%20your%20administrator%22%20when%20attempting%20to%20authenticate%20with%20an%20M365%20user%20account%20to%20an%20AAD%20Joined%20Session%20Host.%20I'm%20able%20to%20click%20%22Ok%22%2C%20get%20back%20to%20the%20login%20prompt%20and%20log%20in%20with%20the%20local%20administrator%20account%2C%20though.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20also%20have%20targetisaadjoined%3Ai%3A1%20in%20the%20RDP%20Properties...%3CBR%20%2F%3E%3CBR%20%2F%3EAnyone%20encountering%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2557677%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2557677%22%20slang%3D%22en-US%22%3EI%20believe%20I%20figured%20this%20out.%20We%20have%20a%20conditional%20access%20policy%20for%20all%20cloud%20apps%3A%20RequireDuoMFA.%20After%20removing%20the%20user%20account%20from%20the%20associated%20security%20group%20AND%20from%20the%20Duo%20Security%20console%2C%20I%20was%20able%20to%20authenticate.%3CBR%20%2F%3E%3CBR%20%2F%3EMicrosoft%2C%20can%20this%20be%20fixed%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2559903%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2559903%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F864517%22%20target%3D%22_blank%22%3E%40Chris_Gilles_1337%3C%2FA%3E%26nbsp%3BYou%20just%20need%20to%20exclude%20%E2%80%9EAzure%20Windows%20VM%20Sign-in%E2%80%9C%20from%20the%20CA%20policy%20requiring%20MFA%20beside%20the%20already%20mentioned%20RDP%20settings.%20At%20least%20this%20worked%20for%20me.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2559904%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2559904%22%20slang%3D%22en-US%22%3EDavid%2C%20I%20am%20looking%20to%20use%20AVD%20AAD%20joined%20as%20base%20for%20a%20secure%20virtual%20workstation.%20Would%20it%20be%20an%20appropriate%20secure%20setup%2C%20if%20admins%20will%20be%20asked%20for%20for%20MFA%20for%20all%20cloud%20apps%20excluding%20%E2%80%9EAzure%20Windows%20VM%20sign-in%E2%80%9C%3F%20Therefore%20would%20attacker%20be%20able%20to%20bypass%20MFA%20to%20access%20the%20virtual%20desktop%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2561403%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2561403%22%20slang%3D%22en-US%22%3EWill%20Intune%20now%20work%20with%20pooled%20host%20pools%20as%20well%3F%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Ffundamentals%2Fazure-virtual-desktop%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Ffundamentals%2Fazure-virtual-desktop%3C%2FA%3E%20states%20that%20only%20VMs%20setup%20as%20personal%20desktops%20can%20be%20managed%20with%20Intune.%20If%20pooled%20host%20pools%20are%20not%20supported%20what%20are%20the%20plans%20to%20support%20this%20configuration%20as%20well%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2561451%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2561451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1033778%22%20target%3D%22_blank%22%3E%40Xandven_%3C%2FA%3E%26nbsp%3BYour%20source%20is%20at%20least%20outdated.%20Latest%20technical%20information%20about%20the%20public%20preview%20can%20be%20found%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fde-de%2Fazure%2Fvirtual-desktop%2Fdeploy-azure-ad-joined-vm%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fde-de%2Fazure%2Fvirtual-desktop%2Fdeploy-azure-ad-joined-vm%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20both%20personal%20and%20pooled%20VMs%20in%20my%20lab%20setup%20AAD%20joined%20and%20Intune%20managed.%20Compliance%20policies%20are%20applied%20to%20both%20types%20correctly%2C%20so%20that%20you%20can%20eval%20them%20in%20CA%20policies%20accordingly.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20my%20answer%20is%20not%20an%20official%20Microsoft%20one%2C%20but%20from%20all%20these%20observations%20I%20would%20say%3A%20Yes%2C%20host%20pools%20can%20be%20Intune%20managed%20in%20this%20public%20preview.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2562538%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2562538%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%20guys%26nbsp%3B%3C%2FP%3E%3CP%3Eim%20experiencing%20an%20error%20when%20trying%20to%20connect%20to%20my%20AADJ%20VM%20using%20Remote%20Desktop%20app.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PaulGMVP_0-1626705620107.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F296785iD79448672C932579%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22PaulGMVP_0-1626705620107.png%22%20alt%3D%22PaulGMVP_0-1626705620107.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPrereqs%20are%20all%20met%20%3A%3C%2FP%3E%3CP%3E-%20device%20from%20which%20i%20try%20the%20connection%20is%20aadjoined%20to%20the%20same%20tenant.%3C%2FP%3E%3CP%3E-%20remote%20desktop%20app%20user%20is%20added%20via%20IAM%20with%20AVD%20User%20Login%20role%3C%2FP%3E%3CP%3E-%20targetisaadjoined%3Ai%3A1%20added%20to%20rdp%20advanced%20properties%3C%2FP%3E%3CP%3E-%20validation%20env%20checked%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhat%20else%20can%20be%20missing%20%3F%3C%2FP%3E%3CP%3Ei%20can%20only%20access%20my%20VM%20from%20the%20web%20client%20%2C%20there%20is%20no%20error%20there%20and%20it%20works%20from%20every%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDevice%20State%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EAzureAdJoined%20%3A%20YES%3CBR%20%2F%3EEnterpriseJoined%20%3A%20NO%3CBR%20%2F%3EDomainJoined%20%3A%20NO%3CBR%20%2F%3EDevice%20Name%20%3A%20VM-AzureAD-0%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20Device%20Details%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EDeviceId%20%3A%202b4f6a7b-02ab-4cb5-a220-1fdde507e7e4%3CBR%20%2F%3EThumbprint%20%3A%204C5F4A2D4D8D55093DDE48F7453621FE8382F2B9%3CBR%20%2F%3EDeviceCertificateValidity%20%3A%20%5B%202021-07-19%2011%3A01%3A49.000%20UTC%20--%202031-07-19%2011%3A31%3A49.000%20UTC%20%5D%3CBR%20%2F%3EKeyContainerId%20%3A%2021313e88-443a-4391-b4ca-dcdda5e9ee38%3CBR%20%2F%3EKeyProvider%20%3A%20Microsoft%20Software%20Key%20Storage%20Provider%3CBR%20%2F%3ETpmProtected%20%3A%20NO%3CBR%20%2F%3EDeviceAuthStatus%20%3A%20SUCCESS%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20Tenant%20Details%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3ETenantName%20%3A%20xxxxxx%3CBR%20%2F%3ETenantId%20%3A%20xxxxxx%3CBR%20%2F%3EIdp%20%3A%20login.windows.net%3CBR%20%2F%3EAuthCodeUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fxxx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fxxx%3C%2FA%3E%3CBR%20%2F%3EAccessTokenUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fxxxx%2Foauth2%2Ftoken%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fxxxx%2Foauth2%2Ftoken%3C%2FA%3E%3CBR%20%2F%3EMdmUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fenrollment.manage.microsoft.com%2Fenrollmentserver%2Fdiscovery.svc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenrollment.manage.microsoft.com%2Fenrollmentserver%2Fdiscovery.svc%3C%2FA%3E%3CBR%20%2F%3EMdmTouUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fportal.manage.microsoft.com%2FTermsofUse.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.manage.microsoft.com%2FTermsofUse.aspx%3C%2FA%3E%3CBR%20%2F%3EMdmComplianceUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fportal.manage.microsoft.com%2F%3FportalAction%3DCompliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.manage.microsoft.com%2F%3FportalAction%3DCompliance%3C%2FA%3E%3CBR%20%2F%3ESettingsUrl%20%3A%3CBR%20%2F%3EJoinSrvVersion%20%3A%202.0%3CBR%20%2F%3EJoinSrvUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fenterpriseregistration.windows.net%2FEnrollmentServer%2Fdevice%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenterpriseregistration.windows.net%2FEnrollmentServer%2Fdevice%2F%3C%2FA%3E%3CBR%20%2F%3EJoinSrvId%20%3A%20urn%3Ams-drs%3Aenterpriseregistration.windows.net%3CBR%20%2F%3EKeySrvVersion%20%3A%201.0%3CBR%20%2F%3EKeySrvUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fenterpriseregistration.windows.net%2FEnrollmentServer%2Fkey%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenterpriseregistration.windows.net%2FEnrollmentServer%2Fkey%2F%3C%2FA%3E%3CBR%20%2F%3EKeySrvId%20%3A%20urn%3Ams-drs%3Aenterpriseregistration.windows.net%3CBR%20%2F%3EWebAuthNSrvVersion%20%3A%201.0%3CBR%20%2F%3EWebAuthNSrvUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fenterpriseregistration.windows.net%2Fwebauthn%2Fxxx%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenterpriseregistration.windows.net%2Fwebauthn%2Fxxx%2F%3C%2FA%3E%3CBR%20%2F%3EWebAuthNSrvId%20%3A%20urn%3Ams-drs%3Aenterpriseregistration.windows.net%3CBR%20%2F%3EDeviceManagementSrvVer%20%3A%201.0%3CBR%20%2F%3EDeviceManagementSrvUrl%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fenterpriseregistration.windows.net%2Fmanage%2Fxxx%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fenterpriseregistration.windows.net%2Fmanage%2Fxxx%2F%3C%2FA%3E%3CBR%20%2F%3EDeviceManagementSrvId%20%3A%20urn%3Ams-drs%3Aenterpriseregistration.windows.net%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20User%20State%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3ENgcSet%20%3A%20NO%3CBR%20%2F%3EWorkplaceJoined%20%3A%20NO%3CBR%20%2F%3EWamDefaultSet%20%3A%20YES%3CBR%20%2F%3EWamDefaultAuthority%20%3A%20organizations%3CBR%20%2F%3EWamDefaultId%20%3A%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoft.com%3C%2FA%3E%3CBR%20%2F%3EWamDefaultGUID%20%3A%20%7Bxxxx%7D%20(AzureAd)%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20SSO%20State%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EAzureAdPrt%20%3A%20YES%3CBR%20%2F%3EAzureAdPrtUpdateTime%20%3A%202021-07-19%2014%3A45%3A18.000%20UTC%3CBR%20%2F%3EAzureAdPrtExpiryTime%20%3A%202021-08-02%2014%3A45%3A17.000%20UTC%3CBR%20%2F%3EAzureAdPrtAuthority%20%3A%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fxxx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fxxx%3C%2FA%3E%3CBR%20%2F%3EEnterprisePrt%20%3A%20NO%3CBR%20%2F%3EEnterprisePrtAuthority%20%3A%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20Diagnostic%20Data%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EAadRecoveryEnabled%20%3A%20NO%3CBR%20%2F%3EExecuting%20Account%20Name%20%3A%20xxxxx%3CBR%20%2F%3EKeySignTest%20%3A%20PASSED%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20IE%20Proxy%20Config%20for%20Current%20User%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EAuto%20Detect%20Settings%20%3A%20YES%3CBR%20%2F%3EAuto-Configuration%20URL%20%3A%3CBR%20%2F%3EProxy%20Server%20List%20%3A%3CBR%20%2F%3EProxy%20Bypass%20List%20%3A%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20WinHttp%20Default%20Proxy%20Config%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EAccess%20Type%20%3A%20DIRECT%3C%2FP%3E%3CP%3E%2B----------------------------------------------------------------------%2B%3CBR%20%2F%3E%7C%20Ngc%20Prerequisite%20Check%20%7C%3CBR%20%2F%3E%2B----------------------------------------------------------------------%2B%3C%2FP%3E%3CP%3EIsDeviceJoined%20%3A%20YES%3CBR%20%2F%3EIsUserAzureAD%20%3A%20YES%3CBR%20%2F%3EPolicyEnabled%20%3A%20NO%3CBR%20%2F%3EPostLogonEnabled%20%3A%20YES%3CBR%20%2F%3EDeviceEligible%20%3A%20NO%3CBR%20%2F%3ESessionIsNotRemote%20%3A%20NO%3CBR%20%2F%3ECertEnrollment%20%3A%20none%3CBR%20%2F%3EPreReqResult%20%3A%20WillNotProvision%3C%2FP%3E%3CP%3EFor%20more%20information%2C%20please%20visit%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Faadjerrors%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Faadjerrors%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2568518%22%20slang%3D%22zh-CN%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2568518%22%20slang%3D%22zh-CN%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F572606%22%20target%3D%22_blank%22%3E%40PaulGMVP%3C%2FA%3E%26nbsp%3BIs%20it%20possible%20that%20you%20are%20using%20Windows%20Hello%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2568885%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2568885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3BI%20failed%20to%20create%20hostpool%20with%20Azure%20AD%20joined%20VM.%20Every%20time%20I%20got%20the%20message%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%22code%22%3A%22DeploymentFailed%22%2C%22message%22%3A%22At%20least%20one%20resource%20deployment%20operation%20failed.%20Please%20list%20deployment%20operations%20for%20details.%20Please%20see%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FDeployOperations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FDeployOperations%3C%2FA%3E%20for%20usage%20details.%22%2C%22details%22%3A%5B%7B%22code%22%3A%22VMExtensionProvisioningError%22%2C%22message%22%3A%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'AADLoginForWindows'.%20Error%20message%3A%20%5C%22AAD%20Join%20failed.%5C%22%5Cr%5Cn%5Cr%5CnMore%20information%20on%20troubleshooting%20is%20available%20at%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fvmextensionwindowstroubleshoot%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fvmextensionwindowstroubleshoot%3C%2FA%3E%20%22%7D%5D%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20tried%20on%202%20different%20Azure%20tenants%20and%20from%20different%20PCs%20and%20got%20the%20same%20result.%26nbsp%3B%20What%20did%20I%20miss%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2569925%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2569925%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434171%22%20target%3D%22_blank%22%3E%40tch0704%3C%2FA%3E%26nbsp%3BI%20had%20the%20same%20problem.%20This%20issue%20was%2C%20that%20enabled%20the%20option%20to%20use%20Intune%20device%20management%20without%20having%20an%20Intune%20license%20in%20place.%20Disabling%20the%20option%20solved%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2573621%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2573621%22%20slang%3D%22en-US%22%3EYes%20it%20works%20after%20I%20turn%20off%20the%20Intune%20option.%20However%2C%20the%20user%20accounts%20actually%20have%20Enterprise%20Mobility%20%2B%20E5%20license.%20Can%20I%20enable%20Intune%20after%20the%20host%20pool%20is%20created%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2575134%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2575134%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%20perhaps%20need%20to%20highlight%20the%20users%20that%20this%20solution%20doesn't%20support%20MFA%2C%20which%20to%20me%20is%20major%20blocker.%20I%20had%20to%20disable%20MFA%20related%20CA%20Policies%20(%20organisation%20wide)%20to%20leverage%20AAD%20joining%20and%20Intune%20enrolment%20at%20the%20time%20of%20deployment.%20Any%20advice%20on%20security%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2575152%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2575152%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F883446%22%20target%3D%22_blank%22%3E%40Nikonline%3C%2FA%3E%20You%20should%20be%20able%20to%20switch%20from%20the%20global%20setting%20%22Require%20Multi-Factor%20Authentication%20to%20register%20or%20join%20devices%20with%20Azure%20AD%22%20to%20a%20more%20recent%20approach%20based%20on%20a%20targeted%20CA%20policy%20for%20%22Microsoft%20Intune%20Enrollment%22%2C%20that%20enforces%20MFA%20without%20scarifying%20security.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2575497%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2575497%22%20slang%3D%22en-US%22%3EI%20am%20currently%20designing%20secure%20access%20to%20VMs%20this%20way%3A%3CBR%20%2F%3E1.%20Session%20VMs%20can't%20be%20accessed%20directly%20from%20Internet%20(e.g.%20using%20RDP%2C%20would%20be%20a%20bad%20security%20design%2C%20anyway)%3CBR%20%2F%3E2.%20Sign-in%20to%20VMs%20is%20excluded%20from%20MFA%3CBR%20%2F%3E3.%20Access%20to%20Azure%20Virtual%20Desktop%20requires%20MFA%20(AVD%20is%20the%20inbound%20gateway%20to%20session%20VMs)%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20inspected%20the%20sign-in%20logs%20in%20detail%20and%20behavior%20is%20as%20expected.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20overall%20MFA%20will%20be%20required%20first%20to%20get%20inside%20your%20virtual%20networks%2C%20but%20then%20inside%20the%20networks%20password%20authentication%20is%20enough.%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20this%20fit%20for%20the%20security%20level%20of%20your%20use%20case%3F%20Of%20course%2C%20to%20follow%20a%20strict%20Zero%20Trust%20approach%2C%20Microsoft%20needs%20to%20deliver%20enforced%20MFA%20for%20VM%20sign-in%20at%20a%20later%20stage.%20As%20of%20my%20understanding%2C%20this%20is%20in%20scope.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2575841%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2575841%22%20slang%3D%22en-US%22%3EThat%20is%20a%20good%20summary%20Peter.%3CBR%20%2F%3E%3CBR%20%2F%3EJust%20to%20make%20you%20aware%20for%20Point%202%2C%20instead%20of%20using%20%22Sign-in%20to%20VM's%20is%20excluded%20from%20MFA%22%20you%20could%20directly%20exclude%20the%20Azure%20AD%20Computer%20Object%20instead.%20Useful%20in%20situations%20like%20this%20where%20you%20need%20it%20to%20apply%20to%20only%20the%20VM's%20you%20want%20to%20access%20through%20the%20Web%20Client%2C%20but%20not%20every%20VM%20you%20have%20in%20Azure.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2578558%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2578558%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1110258%22%20target%3D%22_blank%22%3E%40RobHyde%3C%2FA%3E%20This%20sounds%20promising.%20You%20mean%2C%20it%20is%20possible%20to%20exclude%20the%20managed%20identity%20of%20a%20VM%20(as%20%22cloud%20app%22)%20from%20CA%20policy%20requiring%20MFA%3F%20In%20my%20first%20test%20this%20does%20not%20work%20out%3A%20If%20I%20exclude%20a%20VM%20(managed%20identity)%20from%20cloud%20apps%2C%20sign-in%20is%20not%20possible%2C%20if%20I%20assign%20MFA%20to%20a%20specific%20VM%20same%20way%2C%20sign%20still%20works%20(expectation%3A%20fails%20because%20of%20MFA%20requirement).%3CBR%20%2F%3ECan%20you%20elaborate%20on%20the%20procedure%20you%20have%20in%20mind%3F%20Thanks%20a%20lot!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2579111%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2579111%22%20slang%3D%22en-US%22%3E%3CP%3EMorning%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F220042%22%20target%3D%22_blank%22%3E%40Peter%20Meuser%3C%2FA%3E%2C%20Sorry%2C%20should%20probably%20of%20been%20more%20descriptive%20in%20my%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20environment%20we%20have%20a%20Conditional%20Access%20Rule%20that%20captures%20%22All%20users%22%20and%20%22All%20Cloud%20Apps%22%20to%20enforce%20MFA%2C%20setup%20pretty%20much%20as%20documented%20here%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-all-users-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConditional%20Access%20-%20Require%20MFA%20for%20all%20users%20-%20Azure%20Active%20Directory%20%7C%20Microsoft%20Docs%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EHaving%20this%20set%20enforces%20MFA%20when%20a%20User%20tries%20to%20login%20to%20an%20Azure%20Virtual%20Desktop%20via%20the%20Web%20Client%2C%20giving%20this%20error%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RobHyde_1-1627034636096.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F297949iA9CAA315958AC92C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RobHyde_1-1627034636096.jpeg%22%20alt%3D%22RobHyde_1-1627034636096.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20case%20%2C%20editing%20the%20%22All%20User%22%20Conditional%20Access%20Rule%20and%20either%20a)%20excluding%20the%26nbsp%3B%3C%2FP%3E%3CDIV%3E%22Azure%20Windows%20VM%20Sign-In%22%20or%20b)%20excluding%20the%20Virtual%20Machine%20Azure%20AD%20Object%20Cloud%20App%20seems%20to%20make%20it%20work%2C%20at%20least%20in%20our%20test%20environment.%20Was%20just%20pointing%20out%20you%20could%20use%20the%20VM%20Object%20if%20wanted%20to%20keep%20MFA%20Sign-on%20protection%20for%20non-Azure%20Virtual%20Desktop%20machines%20in%20place.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EIn%20your%20environment%20you%20might%20need%20to%20investigate%20the%20Sign-In%20log%20and%20see%20what%20Conditional%20Access%20Policy%20is%20enforcing%20MFA%20and%20then%20add%20the%20VM%20as%20an%20exception%20in%20there.%20Also%2C%20as%20you%20mention%20in%20point%201)%20of%20your%20post%2C%20all%20your%20VM's%20are%20protected%20from%20external%20access%20from%20the%20Internet%20so%20using%20%22Azure%20Windows%20VM%20Sign-In%22%20is%20not%20a%20security%20risk%20and%20perfectly%20valid.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EHope%20that%20is%20clearer%20and%20helps%20a%20bit.%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2579311%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2579311%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1110258%22%20target%3D%22_blank%22%3E%40RobHyde%3C%2FA%3E%20it%20looks%20like%20we%20are%20on%20the%20same%20page.%20As%20mentioned%2C%20explicitly%20excluding%20VMs%20from%20CA%20policy%20does%20not%20work%20out%20in%20my%20tests.%20Maybe%20someone%20from%20the%20product%20team%20can%20set%20the%20expectations%20here.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2581682%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2581682%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F220042%22%20target%3D%22_blank%22%3E%40Peter%20Meuser%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1110258%22%20target%3D%22_blank%22%3E%40RobHyde%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F883446%22%20target%3D%22_blank%22%3E%40Nikonline%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F271666%22%20target%3D%22_blank%22%3E%40jmh_7%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1096790%22%20target%3D%22_blank%22%3E%40PhillipHamlyn%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F864517%22%20target%3D%22_blank%22%3E%40Chris_Gilles_1337%3C%2FA%3E%26nbsp%3BI%20see%20that%20you've%20all%20been%20discussing%20MFA%20for%20this%20solution.%20First%2C%20appreciate%20the%20discussion%20and%20feedback.%20I%20will%20be%20updating%20the%20main%20documentation%20to%20call%20out%20how%20to%20configure%20MFA%20which%20is%20essentially%20what%20you've%20figured%20out.%20The%20general%20recommendation%20is%20to%20enable%20the%20CA%20policy%20on%20the%20%3CSTRONG%3EWindows%20Virtual%20Desktop%3C%2FSTRONG%3E%20app%20and%20disable%20it%20from%20the%20%3CSTRONG%3EAzure%26nbsp%3B%3C%2FSTRONG%3E%3CSPAN%3E%3CSTRONG%3EWindows%20VM%20Sign-In%3C%2FSTRONG%3E%20app.%20MFA%20will%20still%20be%20triggered%20as%20needed%20when%20traversing%20the%20gateway.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ERob's%20method%20to%20exclude%20specific%20VMs%20might%20work%20but%20I%20haven't%20tested%20it%20yet%20so%20can't%20officially%20recommend%20it.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2581737%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2581737%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F378161%22%20target%3D%22_blank%22%3E%40amal_azurewvd%3C%2FA%3E%20were%20you%20able%20to%20connect%20from%20the%20Windows%20client%20or%20are%20you%20still%20seeing%20the%20Login%20attempt%20failed%20error%3F%20I'd%20recommend%20starting%20with%20the%20information%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-azure-ad-connections%23the-logon-attempt-failed%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-azure-ad-connections%23the-logon-attempt-failed%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2581756%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2581756%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1033778%22%20target%3D%22_blank%22%3E%40Xandven_%3C%2FA%3E%26nbsp%3BAs%20Peter%20mentioned%2C%20information%20on%20Intune%20support%20for%20multi-session%20is%20available%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Fazure-virtual-desktop-multi-session%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Ffundamentals%2Fazure-virtual-desktop-multi-session%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2581772%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2581772%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F572606%22%20target%3D%22_blank%22%3E%40PaulGMVP%3C%2FA%3E%26nbsp%3BAre%20you%20trying%20to%20use%20the%20Windows%20client%20from%20the%20Windows%20Store%3F%20We%20noticed%20that%20there%20is%20currently%20an%20issue%20with%20this%20client%20and%20you%20should%20use%20the%20Windows%20Desktop%20client%20for%20now.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Fuser-documentation%2Fconnect-windows-7-10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Fuser-documentation%2Fconnect-windows-7-10%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2582293%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2582293%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3BWe've%20managed%20to%20set%20this%20up%20with%20pin%20access%20just%20fine%20-%20everything%20looks%20good.%20However%20when%20using%20username%2Fpassword%20it%20just%20won't%20work.%20I've%20read%20all%20the%20stuff%20around%20CA%20policies%20potentially%20causing%20this%20but%20adding%20the%20users%20to%20CA%20exclusion%20groups%20has%20no%20effect%20and%20there%20is%20no%20kind%20of%20error%2Ffailure%20logged%20at%20all%20in%20AAD%20sign%20in%20logs.%20Is%20there%20any%20other%20potential%20cause%20here%3F%20-%20can%20i%20get%20more%20debug%20out%20of%20the%20sign%20in%20process%20to%20see%20where%20the%20issue%20actually%20lies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20to%20confirm%20username%2Fpassword%20gets%20message%20below%20-%20pin%20works%20fine%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RichardHarrison_0-1627118723182.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F298145i98A184BA7490B4A2%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RichardHarrison_0-1627118723182.png%22%20alt%3D%22RichardHarrison_0-1627118723182.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3ERich%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2582523%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2582523%22%20slang%3D%22en-US%22%3EOh%20-%20and%20to%20confirm%20we%20do%20have%20targetisaadjoined%3Ai%3A1%20set%20in%20rdp%20properties%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2575381%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2575381%22%20slang%3D%22en-US%22%3EAs%20i%20mentioned%20had%20to%20disable%20CA%20Policies%20that%20involved%20MFA.%20How%20can%20we%20secure%20access%20to%20VMs%20without%20MFA%3F%20unless%20there%20is%20something%20that%20i%20am%20missing%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2587279%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2587279%22%20slang%3D%22en-US%22%3EYou%20put%20a%20lot%20of%20effort%20into%20pointing%20out%20that%20MFA%20is%20something%20Microsoft%20wants%20everyone%20to%20use.%3CBR%20%2F%3EI'm%20not%20David%20but%20can%20assure%20you%20that%3A%3CBR%20%2F%3EYes%2C%20Microsoft%20wants%20everyone%20to%20use%20MFA%20and%20that%20is%20probably%20one%20of%20the%20big%20reasons%20the%20feature%20is%20not%20intended%20for%20production%20use%20at%20this%20time.%3CBR%20%2F%3EYes%20it%20will%20support%20MFA%20when%20it%20is%20production%20ready.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2588358%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2588358%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64296%22%20target%3D%22_blank%22%3E%40Richard%20Harrison%3C%2FA%3E%26nbsp%3Blooks%20like%20the%20CA%20policy%20is%20still%20triggering.%20Have%20you%20tried%20adding%20the%20%22%3CSPAN%3EAzure%20Windows%20VM%20Sign-In%22%20app%20to%20the%20Exclusion%20list%20to%20confirm%20you%20can%20get%20passed%20the%20issue%3F%20Once%20confirmed%2C%20we%20can%20review%20why%20adding%20the%20users%20to%20the%20exclusion%20list%20isn't%20working.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2585044%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2585044%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F217952%22%20target%3D%22_blank%22%3E%40David%20Belanger%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDavid%2C%20this%20solution%20doesn%E2%80%99t%20seem%20to%20comply%20with%20the%20Microsoft%20Partner%20Agreement%20security%20standards.%3C%2FP%3E%3CP%3EI%20didn't%20have%20the%20time%20to%20test%20the%20solution%20on%20my%20end%20yet%2C%20but%20this%20a%20long-waited%20feature%20that%20we%20will%20start%20to%20deploy%20as%20soon%20it%20is%20GA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20stated%20in%20this%20article%2C%20all%20sign-ins%20must%20be%20MFA%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpartner-center%2Fpartner-security-requirements-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpartner-center%2Fpartner-security-requirements-faq%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ECan%20conditional%20access%20be%20used%20to%20meet%20the%20MFA%20requirement%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EYes%2C%20you%20can%20use%20conditional%20access%20to%20enforce%20MFA%20for%20each%20user%2C%20including%20service%20accounts%2C%20in%20your%20partner%20tenant.%20However%2C%20given%20the%20highly%20privileged%20nature%20of%20being%20a%20partner%20we%20need%20to%20ensure%20that%20each%20%3CSTRONG%3Euser%20has%20an%20MFA%20challenge%20for%20every%20single%20authentication%3C%2FSTRONG%3E.%20This%20means%20you%20won't%20be%20able%20to%20use%20the%20feature%20of%20conditional%20access%20that%20circumvents%20the%20requirement%20for%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20confirm%20that%20you%20have%20any%20plans%20to%20support%20Windows%20Hello%2FFull%20SSO%20support%20without%20MFA%20exceptions%3F%20If%20the%20only%20way%20planned%20to%20sign-in%20is%20to%20exclude%20the%20app%20in%20the%20conditional%20access%2C%20are%20we%20still%20compliant%20as%20a%20Microsoft%20Partner%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2593678%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2593678%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20same%20issue%20as%20other's%20here%20where%20I%20simply%20cannot%20login%20to%20the%20VM%20-%20Sign-In%20method%20not%20allowed.%20I've%20followed%20the%20guidance%20to%20the%20letter.%20Validation%20HostPool%2C%20PKU2U%20Setting%20is%20Enabled%2C%20RDP%20Properties%20updated%2C%20all%20my%20CA%20Policies%20have%20been%20disabled%20to%20rule%20it%20out%2C%20the%20correct%20Azure%20roles%20are%20assigned.%20I've%20tried%20this%20with%2020H2%20and%2021H1%20images%2C%20i've%20tried%20it%20with%20Intune%20enrolment%20on%20and%20Intune%20enrolment%20off.%20I'm%20out%20of%20ideas.%3CBR%20%2F%3EIs%20there%20a%20log%2Fevent%20somewhere%20that%20can%20nail%20down%20this%20issue%20further%20rather%20than%20the%20generic%20sign-in%20method%20not%20allowed%20error%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595087%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595087%22%20slang%3D%22en-US%22%3EOk%20so%20I'm%20in%20the%20same%20boat%20with%20the%20'security%20error'.%20I'm%20using%20an%20account%20that%20is%20excluded%20from%20MFA%20but%20no%20dice.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595096%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595096%22%20slang%3D%22en-US%22%3ESo%20after%20exempting%20Azure%20Windows%20VM%20Sign-In%20from%20our%20CA%20MFA%20policy%20I'm%20still%20seeing%20the%20security%20error%20when%20using%20the%20web%20login%20as%20well%20as%20the%20'error'%20using%20the%20windows%20desktop%20app.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595333%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595333%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I%20finally%20got%20in%20using%20the%20Windows%2010%20desktop%20app%2C%20exempting%20the%20vm%20login%20app%20from%20mfa%20AND%20using%20an%20account%20that%20is%20exempt%20from%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20like%20where%20this%20is%20going%20for%20sure.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2601156%22%20slang%3D%22en-US%22%3ERe%3A%20PUBLIC%20PREVIEW%3A%20Announcing%20public%20preview%20of%20Azure%20AD%20joined%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2601156%22%20slang%3D%22en-US%22%3EHi%20folks%2C%20are%20some%20of%20you%20still%20hitting%20the%20security%20prompt%20after%20disabling%20MFA%20on%20the%20Azure%20Windows%20VM%20sign-in%3F%20If%20so%2C%20anyone%20interested%20in%20filing%20a%20support%20request%20for%20it%20so%20we%20can%20engage%20and%20investigate%3F%20If%20you%20do%2C%20please%20send%20me%20the%20support%20ticket%20number.%3C%2FLINGO-BODY%3E
Microsoft

We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure portal and access them from all clients. VMs can also be automatically enrolled in Intune for ease of management. Support for storing FSLogix profiles on Azure files will be available in a future update.

 

Getting started:

 

The documentation to deploy Azure AD joined session hosts will guide you through the key steps needed to enable this functionality.

64 Replies

@David Belanger Wohoo!

 

How does this fit with the recent announcement about Cloud PC?

https://www.youtube.com/watch?v=V14Ia2uwrtk

 

Trying to figure out if we are better off with AVD "Personal" machines. vs a CloudPC.

I'm also interested to have a good story to consult customers to use AVD (Flexibility) and Windows365 (Simplicity). I guess that one important point is the price of W365 (which I don't know)

@David Belanger 
Can someone please explain this statement from the documentation?
"Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs."

The whole point of setting up Azure AD Joined VM for me is to achieve single sign on end-to-end including my apps like Office, Teams etc.

 

FYI - SUPER DUPER Excited to get rid of domain controllers now ! This is great progress. Loving it.

I believe the correct answer is, "This preview version ... Certain features might not be supported or might have constrained capabilities." when it leaves preview, or during the preview that capability might be added.
best response confirmed by Jasjit Chopra (MVP)
Solution
End-to-end single sign-on is definitely something we are working on but isn't available in the first release due to the protocol we are using. We know how important that feature it.

That's pretty cool - even for cloud-only companies. I used the evening to build it into my community tool =)

 

MarcelMeurerDE_0-1626356929817.png

 

@David Belanger  Hi, I created a new host pool with AAD, it is a validation hostpool. I tried to access the AVD but getting error a "login attempt failed" error. I am trying with my UPN to login to the Azure AD VM. I have added myself as "Virtual machine user login" RBAC role but still no luck. Anyone experiencing the same issue?.

@amal_azurewvd I have the same issue.  I followed all the steps at this location and still got the error.

I finally got it working from webclient. I added targetisaadjoined:i:1 into customrdpproperties and it started working.

@amal_azurewvd I get this error in the web client:  We couldn't connect to the remote PC because of a security error. If this keeps happening, ask your admin or tech support for help.

I think the security error may be related to MFA. I was able to get around it in the desktop client by using a PIN to log in as advised in this link: 

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#us...

 

I can't get in with the web client though, and have entered targetisaadjoined:i:1 in the RDP Properties, so not sure what the problem is.

I have the same issue. I can use PIN with the Desktop Client, but cannot access the VM via Web. We do have "MFA for everything" set as a conditional access, and if I could identify which of the two Windows Virtual Desktop enterprise apps need to bypass this setting, I could put it in as an exception.
I'm encountering "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your administrator" when attempting to authenticate with an M365 user account to an AAD Joined Session Host. I'm able to click "Ok", get back to the login prompt and log in with the local administrator account, though.

I also have targetisaadjoined:i:1 in the RDP Properties...

Anyone encountering this?
I believe I figured this out. We have a conditional access policy for all cloud apps: RequireDuoMFA. After removing the user account from the associated security group AND from the Duo Security console, I was able to authenticate.

Microsoft, can this be fixed?

@Chris_Gilles_1337 You just need to exclude „Azure Windows VM Sign-in“ from the CA policy requiring MFA beside the already mentioned RDP settings. At least this worked for me.

David, I am looking to use AVD AAD joined as base for a secure virtual workstation. Would it be an appropriate secure setup, if admins will be asked for for MFA for all cloud apps excluding „Azure Windows VM sign-in“? Therefore would attacker be able to bypass MFA to access the virtual desktop?
Will Intune now work with pooled host pools as well? https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop states that only VMs setup as personal desktops can be managed with Intune. If pooled host pools are not supported what are the plans to support this configuration as well?

@Xandven_ Your source is at least outdated. Latest technical information about the public preview can be found here: https://docs.microsoft.com/de-de/azure/virtual-desktop/deploy-azure-ad-joined-vm

 

I have both personal and pooled VMs in my lab setup AAD joined and Intune managed. Compliance policies are applied to both types correctly, so that you can eval them in CA policies accordingly.

 

So, my answer is not an official Microsoft one, but from all these observations I would say: Yes, host pools can be Intune managed in this public preview.

hi guys 

im experiencing an error when trying to connect to my AADJ VM using Remote Desktop app.

PaulGMVP_0-1626705620107.png

 

Prereqs are all met :

- device from which i try the connection is aadjoined to the same tenant.

- remote desktop app user is added via IAM with AVD User Login role

- targetisaadjoined:i:1 added to rdp advanced properties

- validation env checked

 

what else can be missing ?

i can only access my VM from the web client , there is no error there and it works from every device.

 

Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : VM-AzureAD-0

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

DeviceId : 2b4f6a7b-02ab-4cb5-a220-1fdde507e7e4
Thumbprint : 4C5F4A2D4D8D55093DDE48F7453621FE8382F2B9
DeviceCertificateValidity : [ 2021-07-19 11:01:49.000 UTC -- 2031-07-19 11:31:49.000 UTC ]
KeyContainerId : 21313e88-443a-4391-b4ca-dcdda5e9ee38
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

TenantName : xxxxxx
TenantId : xxxxxx
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/xxx
AccessTokenUrl : https://login.microsoftonline.com/xxxx/oauth2/token
MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
SettingsUrl :
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/xxx/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/xxx/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {xxxx} (AzureAd)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2021-07-19 14:45:18.000 UTC
AzureAdPrtExpiryTime : 2021-08-02 14:45:17.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/xxx
EnterprisePrt : NO
EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

AadRecoveryEnabled : NO
Executing Account Name : xxxxx
KeySignTest : PASSED

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors