AVD Logins get stuck in loop
We have been suffering intermittent AVD Auth/Login issues to multiple Host Pools for multiple users – the login gets stuck and just loops continually between the Authentication “Just a moment” screen and the initiating/configuring/securing remote connection dialog box.
It occurs on a per-user basis (others can log in to the same VMs perfectly fine) and it seems to be related to Entra MFA (we have a conditional access policy to enforce MFA for users when not on the Corp. network). We use Entra ID joined AVD Session Hosts (not attached to the Corp. network) and the remote user end-points are hybrid Domain joined (they can be connected to the Corp. network, offsite direct to the Internet, or offsite with FortiClient VPN to the Corp. network).
This issue does not seem to affect users who wholly work offsite (and always hit the conditional access policy for MFA?). But it does affect our users who access the AVD System from both onsite and offsite.
It happened to me yesterday when I was onsite (so I was not being prompted for MFA), so I disconnected from the Corp. network and connected via my Mobile Phone Hotspot (to force an MFA prompt) – the login ran through fine, and when I then connected back to the Corp. network, I could log in fine.
What confuses me is that being onsite on the Corp. network should not require MFA, so why does disconnecting from the Corp. network and forcing the MFA prompt fix the issue – MFA should not come into things when accessing from onsite, surely?
One thing comes to mind – MFA uses a 90 day token so you don’t get prompted all the time. I wonder if this token has expired (and hence is not renewed, as you are logging in from onsite with no requirement for MFA), and whether this expired MFA token is preventing the login until it is forcibly renewed by performing an MFA login?
It also seems to be specific to a session host – whilst I get the login loop trying to log in to one AVD Host Pool/Session Host, I can log in perfectly fine to others. So, does the Session Host cache the MFA token that has perhaps expired?
I think I may have seen situations with users where this login loop occurs and, if you then just leave it and try to re-connect a few hours later, you can log in again fine (so maybe it is to do with AD / Entra Connect Sync delays)?
Any ideas or suggestions why this is happening and how to fix it would be greatly appreciated – as trying to run an Enterprise AVD System that every now and then users cannot get into is far from ideal!
Regards
Gary
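An added diagnostic step (example code, not part of Gary's post) that a practitioner would want before chasing the token theory: pull the affected user's recent Entra sign-in events with the Microsoft Graph PowerShell SDK and compare, per attempt, whether Conditional Access applied, whether MFA was required, and any failure code. The UPN and the two-day lookback window are placeholders, and the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are assumed to be installed.

```powershell
# Added example: list a user's recent Entra sign-ins so onsite and offsite
# attempts to reach AVD can be compared side by side.
$upn   = 'user@contoso.example'   # placeholder UPN of the user hitting the loop
$since = (Get-Date).AddDays(-2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# AuditLog.Read.All is needed to read sign-in logs via Graph.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

$filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# ConditionalAccessStatus is success / failure / notApplied;
# AuthenticationRequirement shows whether MFA was demanded for that attempt.
$signIns |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime,
                  AppDisplayName,
                  ResourceDisplayName,
                  IPAddress,
                  ConditionalAccessStatus,
                  AuthenticationRequirement,
                  @{ n = 'MfaMethod'; e = { $_.MfaDetail.AuthMethod } },
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                  @{ n = 'Failure';   e = { $_.Status.FailureReason } } |
    Format-Table -AutoSize

# Tally CA failures per source IP: a failure from an onsite (trusted) IP means the
# MFA policy is firing where the network-location exclusion says it should not.
$signIns |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' } |
    Group-Object IPAddress |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Repeated error codes on the looping attempts, or a ConditionalAccessStatus of failure from a corporate IP, narrows the problem to the policy or the client's cached credentials rather than the session host itself.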