Outlook displays "need password" but the authentication dialog isn't shown on Win10 Enterprise multi-session


Recently issues have been reported related to logon in Office ProPlus on Windows 10 Enterprise multi-session. One specific example is Outlook showing "need password" however the authentication prompts are never presented to the user.


This could be caused by VMs listed in a "registered" state. This can be observed in the Azure Portal -> Azure Active Directory -> Devices.
VMs can get into this state when a user selects the "use this account everywhere" prompt from an Office app; this can be done by standard (non-admin) users.


There are two ways of preventing this: 

  1. For AD joined VMs, follow this guidance on how to prevent the VMs from being registered. When using Azure AD DS, this is the only supported option.
  2. Configure hybrid Azure Active Directory join for managed domains (preferred)   

If a profile solution is used, this could require a reset of the users profile.


Registering is supposed to be done against another tenant. Registering to the same tenant as the device is AD joined can cause issues. We are making changes to the Windows 10 multi-session image in the Azure gallery to prevent users from registering VMs. 
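As an added example (not part of the original post, and not Microsoft's own tooling), the following PowerShell parses `dsregcmd /status` on a session host and classifies it as hybrid Azure AD joined, Azure AD registered (the "registered" state described above), or neither, and flags the AD-joined-plus-registered combination the post warns about. It also checks the `BlockAADWorkplaceJoin` policy value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin`, which is the registry policy Microsoft documents for preventing Azure AD registration of domain-joined devices. The status text at the bottom is a constructed sample so the parser can be exercised without a real host.

```powershell
# Added example: classify a host's Azure AD join state from dsregcmd /status.
# -StatusText lets the parser run against captured output (used below with a
# constructed sample); without it, dsregcmd.exe is invoked on the local host.
function Get-DeviceJoinState {
    param([string[]]$StatusText)

    if (-not $StatusText) { $StatusText = & dsregcmd.exe /status }

    # dsregcmd prints "    Key : Value" lines. Only simple word keys are kept so
    # the section banners ("| Device State |", "+-----+") are ignored.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'

    $classification =
        if ($domainJoined -and $azureAdJoined) { 'Hybrid Azure AD joined' }
        elseif ($azureAdJoined)                 { 'Azure AD joined' }
        elseif ($workplaceJoined)               { 'Azure AD registered (workplace joined)' }
        elseif ($domainJoined)                  { 'AD joined only' }
        else                                    { 'Not joined' }

    [pscustomobject]@{
        Classification  = $classification
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureAdJoined
        WorkplaceJoined = $workplaceJoined
        TenantId        = $fields['TenantId']
        DeviceId        = $fields['DeviceId']
        # An AD-joined host whose user has also workplace-registered it is the
        # problem state the post describes.
        NeedsAttention  = ($domainJoined -and $workplaceJoined)
    }
}

# True when the documented policy that blocks Azure AD registration is set.
function Test-WorkplaceJoinBlocked {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $value = (Get-ItemProperty -Path $path -Name BlockAADWorkplaceJoin -ErrorAction SilentlyContinue).BlockAADWorkplaceJoin
    return ("$value" -eq '1')
}

# Constructed sample of dsregcmd /status output (placeholder GUIDs, not real values).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 00000000-0000-0000-0000-000000000001
                  TenantId : 00000000-0000-0000-0000-000000000002
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample | Format-List
"BlockAADWorkplaceJoin set: $(Test-WorkplaceJoinBlocked)"
```

Run `Get-DeviceJoinState` without `-StatusText` on a session host to classify the live machine; `NeedsAttention` is true exactly for the AD-joined hosts that also appear as "registered" in the portal, which is the combination the post says to prevent.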


Hi Pieter,


I'm currently deploying a WVD solution for a client using the Windows 10 Multi-session 1909 + M365 apps marketplace image + FSLogix. Our session hosts are joined to a Windows Server Active Directory Domain running in Azure (IaaS) which is in sync with Azure AD. When Outlook is launched from the desktop for the first time a user is prompted to enter their password instead of SSO. Is this by design? Do we need to Hybrid Azure AD Join our WVD sessions hosts in order to achieve SSO from within the desktop for M365 apps? 


Look forward to your response.

@PieterWigleven I know this has been mentioned on another thread but no harm mentioning it here too. Yesterday the following fixed it for a user of ours:


Add-AppxPackage -Register "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown


@werdd Yes - for SSO the VM will have to be hybrid Azure AD Joined. Thanks 

Hi Pieter,


We've configured Hybrid Azure AD Join and now all of our session hosts appear correctly under Azure Active Directory > Devices with the type 'Hybrid Azure AD joined' and show a date timestamp under the registered column, but we are still experiencing SSO issues when launching any of the desktop Office applications: Teams will show the login page with the user's email address and Outlook will show a "sign in to activate" splash screen.


SSO is working via Microsoft Edge for any Office service (OWA/SharePoint). Below is an output of dsregcmd /status from a WVD session host:

[screenshots: dsregcmd /status output from the session host]

Update:


Office won't activate on the first run; it requires the application to be closed and then re-opened before the Office activation status shows as "Shared Computer Activation". Once activation occurs, the licensing keys show under %localappdata%\Microsoft\Office\16.0\Licensing for the user. The policy setting for Use shared computer activation is configured and is present within the registry.


Once the above is completed subsequent logins are fine for the user.


Are we missing any configuration that would be causing this behaviour?
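Added example, not part of werdd's post and not Microsoft's own tooling: a PowerShell check that gathers, for the current user on a session host, the three things discussed in this thread so far, i.e. whether Shared Computer Activation is configured, whether the per-user licensing folder under %localappdata% has been populated, and whether the Microsoft.AAD.BrokerPlugin package (the one re-registered in the earlier reply) is present for the user. The two registry locations checked are the Click-to-Run configuration key written by the Office Deployment Tool and the Office policy key for "Use shared computer activation"; treat those paths as assumptions if your deployment configures the setting differently.

```powershell
# Added example: report Office activation and AAD broker-plugin state for the
# current user on a Windows 10 multi-session host.
function Get-OfficeActivationState {
    # SharedComputerLicensing = 1 in either location enables Shared Computer
    # Activation (ODT configuration key vs. the Office policy key; assumed paths).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
        'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing'
    )
    $scaConfigured = $false
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name SharedComputerLicensing -ErrorAction SilentlyContinue).SharedComputerLicensing
        # The value may be REG_DWORD 1 or REG_SZ "1" depending on how it was set.
        if ("$v" -eq '1') { $scaConfigured = $true }
    }

    # SCA stores per-user licensing tokens here (the folder werdd mentions); an
    # empty folder after Office has been launched means activation has not
    # completed for this user yet.
    $licDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Licensing'
    $tokenCount = if (Test-Path $licDir) {
        @(Get-ChildItem -Path $licDir -File -Recurse -ErrorAction SilentlyContinue).Count
    } else { 0 }

    # The AAD broker plugin is per-user; the earlier reply re-registers it with
    # Add-AppxPackage when sign-in prompts stop appearing.
    $broker = Get-AppxPackage -Name Microsoft.AAD.BrokerPlugin -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SharedComputerActivation = $scaConfigured
        LicensingTokens          = $tokenCount
        LicensingPath            = $licDir
        BrokerPluginRegistered   = [bool]$broker
        BrokerPluginVersion      = if ($broker) { $broker.Version.ToString() } else { $null }
    }
}

Get-OfficeActivationState | Format-List
```

Running this once before and once after the close-and-reopen cycle described above shows whether `LicensingTokens` goes from 0 to a positive count, which separates "activation never ran" from "activation ran but SSO still prompted".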


@werdd The Hybrid Azure AD configuration looks good and you should have SSO to specific resources such as portal.office.com. I'm not sure what could cause Outlook to require a restart - it's outside of my expertise area. Do you feel the one-time restart of the program is a viable workaround?

Hi Pieter,


Thanks for getting back to me, appreciate your time. Yes, SSO is working via the web for portal.office.com etc.; the issue is only present in the desktop Office applications. Upon launching Outlook for the first time the user receives the below prompt to sign in and activate. I would have thought that with SSO enabled it would silently complete the activation process in the background and show no prompts to the end user.