I recently transitioned our Azure Virtual Desktop (AVD) hosts to use Single Sign-On (SSO). The session hosts are Hybrid Azure AD Joined, and the setup is quite straightforward. We've also pushed our users to adopt Windows Hello for Business (WHfB) over the last few months, and now, all of them authenticate using WHfB (via PIN, Face, or Fingerprint) when they sign in to their laptops without any issues.
However, when they launch the Windows App to access their AVD session, they are greeted with a sign-in screen that defaults to password authentication due to Conditional Access. Although users can choose to sign in with WHfB methods, after logging off and reopening the app, it often reverts back to the password option instead of remembering their WHfB choice.
This inconsistency is causing problems, especially since some applications require MFA within the session hosts. Does anyone know why the Windows App doesn't seem to retain WHfB as the preferred authentication method once it's been used successfully?
3 Answers
It's interesting that you're facing this issue. In my case, it's actually the opposite—I don't have WHfB set up on my AVD hosts, yet it still prompts for it when logging in. I had a tough time getting it working with just the laptops. I ended up adding some registry keys through Intune and enabled Azure Kerberos on Active Directory to make it functional.
You might want to look into enforcing a phishing-resistant MFA specifically for the AVD service. Though I haven't tested it extensively, I’ve found that it works well for browser-based applications. That said, it might still prompt users for a password, and if they enter one, they could run into an 'Auth Method Not Allowed' error. Definitely not the smooth experience we want!
This behavior usually stems from how the Windows App manages cached credentials and Conditional Access policies. Even if WHfB authentication is working, the app may revert to password prompts when the token cache expires or if Conditional Access enforces a fresh authentication context. It's also possible the app session gets cleared after logging out, causing this reset.
I recommend checking:
- The sign-in frequency settings in Conditional Access
- If the 'Persistent browser session' setting is enforced
- How the Windows App is using the Web Account Manager
- Azure AD sign-in logs to analyze both successful and reverted logins.
These factors can contribute to this inconsistent user experience.
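One way to act on the last bullet, as an added example that is not part of the original answer: a Python pass over exported Entra sign-in records that flags users who authenticated to the Windows App with WHfB and later succeeded with a password. The sample records are constructed; the field names (`appDisplayName`, `status.errorCode`, `authenticationDetails[].authenticationMethod`) are assumed to follow the Microsoft Graph signIn schema, so adjust them to whatever your export actually contains.

```python
from collections import Counter
from typing import Dict, List

WINDOWS_APP = "Windows App"
WHFB = "Windows Hello for Business"

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS: List[Dict] = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": WINDOWS_APP, "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": WHFB, "succeeded": True}]},
    {"createdDateTime": "2024-05-01T12:10:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"createdDateTime": "2024-05-02T07:55:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": WINDOWS_APP, "status": {"errorCode": 50074},  # failed: MFA required
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": False}]},
    {"createdDateTime": "2024-05-02T17:30:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": WINDOWS_APP, "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": WINDOWS_APP, "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": WINDOWS_APP, "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": WHFB, "succeeded": True}]},
]


def _succeeded_methods(record: Dict) -> set:
    """Authentication methods that actually succeeded in this sign-in."""
    return {d["authenticationMethod"] for d in record.get("authenticationDetails", []) if d.get("succeeded")}


def find_password_reverts(records: List[Dict]) -> List[Dict]:
    """Successful Windows App sign-ins with a password by a user who had earlier
    signed in to the Windows App with WHfB; failed attempts and other apps are ignored."""
    last_whfb: Dict[str, str] = {}
    reverts: List[Dict] = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):  # ISO-8601 Z sorts lexically
        if rec.get("appDisplayName") != WINDOWS_APP or rec["status"]["errorCode"] != 0:
            continue
        upn = rec["userPrincipalName"]
        methods = _succeeded_methods(rec)
        if WHFB in methods:
            last_whfb[upn] = rec["createdDateTime"]
        elif "Password" in methods and upn in last_whfb:
            reverts.append({"user": upn, "when": rec["createdDateTime"], "last_whfb": last_whfb[upn]})
    return reverts


def revert_counts_by_user(records: List[Dict]) -> Dict[str, int]:
    """Per-user count of reverts, useful for spotting who is hit most often."""
    return dict(Counter(r["user"] for r in find_password_reverts(records)))


if __name__ == "__main__":
    for r in find_password_reverts(SAMPLE_SIGNINS):
        print(f'{r["user"]}: password sign-in at {r["when"]} after WHfB at {r["last_whfb"]}')
```

Correlate the flagged timestamps against the sign-in frequency and persistent-session settings of the Conditional Access policy in scope to see whether the reverts line up with token expiry.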