Public Preview - Azure AD & Intune join for AVD - Session host unavailable

Copper Contributor

Hi All - I am using a public preview feature on Azure Virtual Desktop to join AAD and Intune (Pls see below article), although the VM was AAD registered and Intune enrolled, the session host was unavailable (

SessionHost unhealthy: SessionHost is not joined to a domain). This is because of the fact that there was no AD join details available on the AVD deployment interface/UI. 
Does AVD need to be Domain joined as well for the session host to be available? A VM can either be joined to AAD or AD and hence i am bit stuck with the preview feature.
 

 

#AzureVirtualDesktop #AADJoin #Intune

9 Replies
Hi @Nikonline,
Did you put the Validation Environment to Yes?
Hi Johan, thanks for responding. well it did make the machine available, was able to login locally, however i am till unable to login with my AAD creds. When i checked locally i could see my AAD user account has rights to login remotely so not sure why the Authentication is failing. Does this machine need to be Azure ADDS joined (we dont have on prem AD)?
Error message -

We couldn't connect to the remote PC because your credentials did not work. The remote machine is AAD joined. If you are using your work account you must disable Network Level Authentication on the remote machine. If you are using a local account, verify your username and password.

Error code: 0x2607
Did you assign the user the virtual machine user login role on the resource group?
yes, assigned the role despite being Owner on the RG. Still the same error.
Is you local security policy disabled to allow cloud accounts to logon to the machine?
Able to login to standalone VM using Azure AD user account (after disabling CAPs) however still unable to login to the AVD session host. After checking the connection logs i see this error

AuthenticationLogonFailedAAD (9735) - User credentials did not work. Remote machine is AAD joined. If you are signing in to your work account, try using your work email address.
23

Checked on the host VM it does have remote login permission for the user however still failing to Authenticate.
Was able to login, good starting point https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm
Summary - Enabled Validation environment, Disabled MFA, CAPs, RDP setting changes at hostpool level.
So now that makes me feel nervous and in search of securing AVD access... phew!
DO you have more details on this statement?
Summary - Enabled Validation environment, Disabled MFA, CAPs, RDP setting changes at hostpool level.

Understand the Validation environment, understand Disabled MFA

What are you referring to when you mention CAPs and what RDP Setting changes at hostpool level did you make?

@SamSpronk 

CAP changes to ensure Azure VM sign-ins are excluded (doesn't support MFA at the moment).

RDP settings at hostpool to include targetisaadjoined:i:1;