User Profile
KevinDeSchrijver
Copper Contributor
Joined 4 years ago
Recent Discussions
Re: Outlook login issues with WVD - FSLogix
Sepp2 As far as I know the issue is still present. The fix I noted is still valid though. We still use it in all our RDS Farms under the conditions I mentioned:
- For accounts where SSO does not work or apply (i.e. for all secondary mail accounts)
- You are required to enter your credentials once on every RDS Host. After that logon on each VM you should be fine.

It's unclear from your problem description if you are experiencing this issue for accounts that are expected not to have SSO or not. Because many admins simply have issues getting SSO working, which is a requirement for your primary account. The problem itself will remain for quite some time I guess. Microsoft only officially supports SSO accounts for usage in AVD. This is just a band-aid solution to work around that design flaw.

2.8K Views, 0 likes, 2 Comments

Re: AVD - Pooled VM's - Outlook Authentication issue
You can find a band-aid solution in the following thread: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/outlook-login-issues-with-wvd-fslogix/m-p/1024998/page/11

It works fine as long as you don't upgrade to the latest version of FSLogix. The team is contemplating running my fix into the next version but no decision yet. The fix is only a stop-gap too depending on how many VM's in your pool. Users will still be required to log on once on every VM but will no longer be prompted after that initial login on each VM.

3.6K Views, 0 likes, 0 Comments

Re: Outlook login issues with WVD - FSLogix
Depends on what you call "this problem". The problem this case was started for is defined as losing credential info for O365 services on a multihost AVD with accounts that are not SSO-enabled (secondary accounts). The AVD's need to be persistent.

The solution is mentioned in the thread: using redirections.xml to redirect certain folders out of the FSLogix profile and retaining the local_%username% folder on logoff. That solution still works on 2201 FSLogix and prior and is the advised solution by MS for the situation described. They are still debating internally on how to proceed with further versions of FSLogix as 2210 breaks this solution.

11K Views, 2 likes, 0 Comments

Re: Outlook login issues with WVD - FSLogix
I have. Still in talks with MS regarding a fix or at the very least a switch to control the behaviour in 2210+. From 2210+ those 3 folder locations "no longer roam" with FSLogix. The manner in how they do that is unknown to me at the moment. You can still redirect those folders to the local disk and they actually get populated. But it looks like 2210 just ignores them altogether.

My way (only works 2201 and before) is better for persistent VM's: Just use the Microsoft Azure AD broker plugin and dump that info local to the host. Their way requires the user to log in every time on every O365 app. Unworkable in my opinion. But my way only works with persistent hosts so both have their flaws I guess.

Will keep the post live with updates from the case. It's being escalated...again.

11K Views, 0 likes, 1 Comment

Re: Outlook login issues with WVD - FSLogix
Of course. With Basic Auth you don't/didn't have any of these issues. It's the way Modern Auth works (token based with Device ID) that's breaking things. Modern Auth is a good thing, it just creates issues for AVD/VDI that haven't been properly vetted out yet.

7.4K Views, 0 likes, 0 Comments

Re: Outlook login issues with WVD - FSLogix
The problem is wider than that. My machines ARE Hybrid joined. Even if they're Hybrid joined, you will be prompted every single logon for O365 credentials for SECONDARY (mail) O365 accounts. Granted, that's not a very common use-case but still.

My fix doesn't work for 2210 either. It looks like you can redirect those folders out of FSLogix as much as you want to, FSLogix will still "ignore" them. Obviously they changed something in the behaviour there. Still awaiting MS response on the open Case.

8K Views, 0 likes, 5 Comments

Re: Outlook login issues with WVD - FSLogix
This is indeed the case. No solution for that I'm afraid. The solution I posted only applies to the specific case and I only created it myself after hitting a dead wall with MS support who started opening their umbrella with statements like: Indeed, having more than one O365 account (Hello, mail accounts?) is not supported with FSLogix on multiple hosts.

I based my solution on this: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure

7.6K Views, 0 likes, 0 Comments

Re: Outlook login issues with WVD - FSLogix
There is more than one reason why Modern Authentication can break. My situation and the fix is very specific: The use-case is multiple Hosts AND multiple O365 accounts (or an O365 account that isn't covered by SSO).

In VDI and almost any setup you should have SSO configured which handles the primary O365 account. If it "breaks" by moving to another VM, SSO kicks in and repairs it without the user ever noticing.

My fix is only intended if both conditions are met: Multiple hosts and multiple O365 accounts. If you are having issues with Modern Auth and those conditions are not met I suggest looking at SSO which may not be configured or may not function as desired. Seems like the case with the changing password issue. Your local AD may not be in sync with AAD.

7.9K Views, 0 likes, 1 Comment

Re: Outlook login issues with WVD - FSLogix
Following fix in place at the moment:

Create GPO to add the following Registry key or manually create:

    HKEY_LOCAL_MACHINE\Software\FSlogix\Profiles
    KeepLocalDir DWORD 1

Then add a "redirections.xml" file in the following location of each user:

    c:\users\%username%\AppData\Local\FSLogix

The redirection only works when the file is present upon logon so do a logoff/logon afterwards or inject into the dormant profile.

Contents of redirections.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <FrxProfileFolderRedirection>
      <Excludes>
        <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
        <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
        <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
      </Excludes>
    </FrxProfileFolderRedirection>

You will have to enter credentials on EACH Session Host ONCE but after that you can move between hosts without any issue.

The theory of this fix: Modern Authentication works with Tokens. Those tokens contain the Device ID. Storing them in FSLogix breaks them because the Device ID contained in them no longer matches. The fix pushes those tokens out of the FSLogix container to a local_username folder and no longer deletes that folder upon logoff from the machine. Once you have a working token on each host it will refresh if needed but it no longer breaks.

Hope this helps because MS was clueless after spending a few weeks with the FSLogix/Office teams.

8.1K Views, 0 likes, 21 Comments

AVD - Pooled VM's - Outlook Authentication issue
Setup:
- Latest Gallery image Win10+O365 Apps. A few older AVD setups as well but all with the preset Registry setting to block WorkplaceJoin which used to give the same result as this case for any setup basically.
- Azure AD Hybrid Joined Devices
- Single-Sign On Configured and working
- FSLogix implemented and working
- MFA implemented and working

What does work?

As long as you restrict yourself in Outlook to the signed-in user everything works fine. You are never presented with requirements to log in when you roam to another VM. Seems logical as SSO kicks in if Outlook should need authentication.

What doesn't work?

The trouble starts when you add a second O365 account to Outlook. This can be simply another account in the same tenant or an account in a totally different tenant. Doesn't make a difference. For this account SSO doesn't kick in and it shouldn't. Doesn't cause any issues we can detect within Office apps such as Word/Excel/PowerPoint. As in: accounts appear to be active within those apps and we can still access the OneDrive/Sharepoint locations. The problem is Outlook when you roam to another VM after a given amount of time. We get the notorious "Need password" and the authentication window briefly pops up but disappears and remains in this state. No way to get the Modern Authentication handled from within Outlook anymore on any VM except the VM used when the second account was first added (more on that later).

What are stop-gaps that do "fix" it?

Two things "fix" it:
1) Sign out from the non-SSO account in Word/Excel/PowerPoint and then sign back in from that app. When you open Outlook afterwards no password prompts and everything works as expected for a few hours/days.
2) Force log on to the VM used for the very first log on performed for the non-SSO user. Then everything starts working again without performing procedure in step 1. If you log back out from that "original" VM everything works on all VM's again. That works again for a couple of hours/days and then breaks again.

A hypothesis:

The token you get after doing a Modern Authentication and should prevent future prompts contains the device ID. This roams along with FSLogix to another VM but breaks as the device ID is no longer the same. As long as the broken auth token is for the SSO user this doesn't matter as SSO kicks in and performs a completely new auth. If this is the case I don't see any resolution other than a design change from MS.

But the question is if the setup IS the problem. Does anyone else have a pooled AVD setup with multiple VM's AND external O365 mail accounts added to Outlook? Or is this simply "not supported"?

If someone wants to test it out: It works for a day or two after adding the second account. It breaks if you haven't logged on to the initial VM in a while. Naturally this problem gets worse as you add more and more VM's to the pool as the likelihood of you logging on to that original VM gets less and less.

4.2K Views, 0 likes, 4 Comments

Re: Outlook login issues with WVD - FSLogix
A long time WVD/AVD administrator here and we're now picking up on some oddities:

First of all mentioning what has and does work perfectly:
- AVD VM's are not WorkPlaceJoined like the initial problem in this thread
- SSO works for the user logging on
- MFA works as expected
- FSLogix roaming handles logging on to multiple machines

The problems start when due to business needs a 2nd O365 account gets added to Outlook or Teams. Especially if that second O365 account is not within the same tenant of the user logging on (the user logging on handles the Windows/Office licensing as required). Another way to make sure it breaks is by adding only a foreign O365 account to Outlook and then logging on to another VM.

The only "fix" we've found so far is to disable WAM and re-enable ADAL. That fixes the issues but isn't recommended or desired in the long run.

Is anyone able to confirm they have a setup like this working with email/Teams accounts other than the logged in user? Or does adding other accounts to Outlook with MFA simply break SSO on AVD/FSLogix setups? The problem persists over multiple different AVD setups.

8.5K Views, 0 likes, 26 Comments