sso
macOS: SSO no longer fully functional on AVD (Win11 25H2)

Hello everyone,

Since updating our test Azure Virtual Desktop session hosts from Windows 11 23H2 to 25H2 (26200.7462), we've been experiencing an SSO issue that exclusively affects macOS clients.

Symptoms
For macOS users (Windows App), the following issues occur. Example: Teams
- Teams shows the user as "Unknown User"
- Chat and collaboration features fail to load
- Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in"
- After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt)
- After this, all other applications work without further authentication

Technical Details
- macOS device: Apple M4 Pro, macOS Tahoe 26.2
- Installed Windows App version: 11.3.2 (2848)
- dsregcmd /status: No errors detected
- PRT is active and was updated for sign-in
- Entra sign-in logs: Error code: 9002341
- Event log on session host (AAD-Operational):
  - Event ID: 1098, Error: 0xCAA2000C The request requires user interaction. Code: interaction_required. Description: AADSTS9002341: User is required to permit SSO.
  - Event ID: 1097, Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken.

Observations
- Affects: Both managed (internal) and unmanaged (external) macOS devices
- Does NOT affect: Windows clients connecting via Windows App
- Interesting: If a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there

Workaround
The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file: C:\Windows\System32\IntegratedServicesRegionPolicySet.json

Questions
- Is this a known issue? Has anyone experienced similar issues with macOS clients after the 25H2 update?
- Why does this issue only occur with macOS clients?
- Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected?

I would appreciate any insights or confirmation of this issue! Thank you and greetings, FT_

AVD SSO with Internal Certificates?
I am helping another team set up AVD SSO and I noticed that it's using a self-signed certificate. I've been searching around for information on using an internal CA for the certificate since it is trusted and also available to use. Does anyone have any documentation or information I can be pointed to regarding using the internal CA for the certificates instead of the self-signed ones? Just to note, we do not want to use ADFS at all on this setup. I did see some articles about setting up SSO with ADFS and that wouldn't apply to me. Thanks in advance! Chris

Azure Files with ADFS
Hello guys, I have a case study to replace a NAS server. One of my options would be to use Azure Files. Currently, I already have an ADFS platform in place for my O365 access. Do you know if it's possible to use my ADFS to access a share on Azure Files? According to the online documentation, I must use Azure AD. In the end, it could be a constraint to have to use a supplementary auth/IAM platform to access the service. Thanks for the help.

SSO with Oracle Fusion Cloud (as SP)
We are configuring SSO with Oracle Fusion ERP (as SP) from the Azure Applications Gallery (as IdP). After updating the Fusion details in the Azure application gallery, we downloaded the metadata file from here. While uploading this metadata file into Oracle Fusion ERP, we are getting the following error: "You must enter valid identity provider metadata. Ensure the metadata conforms to the SAML version 2.0 or higher standard.: schema_reference.4: Failed to read schema document 'http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not xsd:schema." Any pointers on this error, and how can we resolve it?

Third party Login - SSO
I want to configure a federation between an identity provider and Azure's portal, so when a user wants to access the portal they are redirected to the identity provider and, once they've successfully logged in, they access the portal. In other words, I want to set up portal.azure.com as a Service Provider. Is there any documentation on how to do this? Thanks in advance and my apologies for the bad English.