question

PLPro asked AnshulKumarMINDTREELIMITED-5501 commented

[AVD] AzureAD Authority URL with GUID TenantID not resolving (HTTP Error 400)

Posted at the request of Microsoft support:

When deploying an Azure Virtual Desktop (formerly WVD) Host Pool with AzureAD-only auth, the pool VMs require the ability to access https://login.microsoftonline.com/<tenantID> and https://login.microsoftonline.com/<tenantID>/sidtoname on the default AzureAD tenant for their authorization flow. However, both URLs fail with a 400 error (both from the AVD VM and when I try to reach them locally from my browser) for my tenantID GUID. I would have assumed that the above URLs are always available for an AzureAD tenant, but clearly something in the tenant configuration is off.

Might someone have thoughts regarding how these endpoints might have been disabled for the AzureAD tenant and how they might be re-enabled?

azure-virtual-desktop

anonymous user Apologies for the delay in response and all the inconvenience caused because of the issue.

I can see you have posted a similar query here as well:

https://docs.microsoft.com/en-us/answers/questions/481456/azure-ad-only-azure-virtual-desktop-avd-deployment.html

Can you please confirm whether the mentioned issue is about the same query, or do you have any additional queries?

Thanks


Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.


1 Answer

prmanhas-MSFT answered prmanhas-MSFT commented

anonymous user Posting as an answer as well, with a few more inputs based on some research.

Not sure about the URLs, but it seems like you might have issues with AVD AAD Join. I followed this documentation and it worked in my lab. Also, as mentioned at the top of the page, this feature is in public preview and hence should not be used in production. Also, a few features may or may not work in different environments, considering it is still in development, and hence there is no guarantee that it will work to its fullest capability in this phase.


Dean Cefola's video is to the point in setting it up successfully and might be helpful to you.

Few tips to keep into consideration:

1) Only works for the pool with the validation flag set to yes.

2) Don't forget the targetisaadjoined:i:1 flag as an RDP property. I had to restart the host pool VMs to get this setting into effect.

3) Use the latest Windows 10 image as much as possible. There is a policy setting "Network security: Allow PKU2U authentication requests to this computer to use online identities" which is disabled in Windows 10 1607 and below and which prevents logon if not enabled.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in the community looking for help on similar topics.



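As an added example (not code from the answer or from Microsoft's docs), here is how tips 1 to 3 from the answer above can be applied and verified with the Az.DesktopVirtualization cmdlets. The resource-group and host-pool names are placeholders, and the registry value used for the PKU2U policy check is assumed to be the one the Group Policy setting writes.

```powershell
# Added example, not from the thread. Assumes Az.DesktopVirtualization is
# installed and Connect-AzAccount has been run. Names are placeholders.
$rg   = "rg-avd-example"      # placeholder resource group
$pool = "hp-aadjoin-example"  # placeholder host pool

# Tip 2: add targetisaadjoined:i:1 to the pool's custom RDP properties
# without dropping properties that are already configured on the pool.
$hp    = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$props = @()
if ($hp.CustomRdpProperty) {
    $props = $hp.CustomRdpProperty.TrimEnd(';') -split ';'
}
if ($props -notcontains 'targetisaadjoined:i:1') {
    $props += 'targetisaadjoined:i:1'
}
$rdp = ($props -join ';') + ';'

# Tip 1: the validation-environment flag must be on for the AAD-join preview.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool `
    -ValidationEnvironment:$true -CustomRdpProperty $rdp

# Tip 3: run on each session host (for example via Invoke-Command). The policy
# "Network security: Allow PKU2U authentication requests to this computer to
# use online identities" is assumed to map to the AllowOnlineID DWORD below
# (1 = enabled); a missing value means the OS default applies.
function Test-Pku2uOnlineId {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $v = (Get-ItemProperty -Path $key -Name AllowOnlineID `
            -ErrorAction SilentlyContinue).AllowOnlineID
    return ($v -eq 1)
}

if (-not (Test-Pku2uOnlineId)) {
    Write-Warning "PKU2U online identities are not enabled on this session host; AAD logon will fail."
}
```

After the update, the answer notes that the session hosts had to be restarted before the RDP property took effect, so plan a reboot of the pool VMs.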

Thank you so much- that did the trick!!! The targetisaadjoined:i:1 flag is what I was missing.

Now if I manage to get external accounts working, we'll be cookin' with gas!


anonymous user Glad to hear that your issue was resolved :)

Thanks
