If you were unaware, per-user MFA can create problems when trying to connect to Entra-Joined Azure virtual machines, particularly AVD and Windows 365 instances. When this occurs, you may encounter an error message like the one below:
This error usually indicates one of two issues:
- Your Conditional Access MFA policy does not exclude the Azure Windows VM Sign-in app
- Per-User MFA remains enabled or enforced for that user
I encountered an interesting scenario while piloting an Entra-Joined AVD pool for an organization. While most users could log in without problems, some experienced the above error. After confirming the Azure Windows VM Sign-in app was excluded from the Conditional Access MFA policy, I turned my attention to the per-user MFA settings. Since the organization employs conditional access, I expected not to see any affected users with per-user MFA enabled or enforced in the dashboard:
After further troubleshooting, signs continued to lead toward either per-user MFA or the Azure Windows VM Sign-in app. I speculated that filtering might be malfunctioning in the per-user MFA section, so I specifically searched for one of the affected users and found no results.
I was certain this user existed, so I cleared all filters and scrolled through the complete list of users, only to discover that the user wasn’t present in the per-user MFA dashboard. This was odd because I had no confirmation that per-user MFA was disabled for this user. I checked a few other users and noted that the per-user MFA list was incomplete.
I turned to MS Graph to seek out this information. Utilizing the graph explorer is an excellent way to spot-check a few users. The graph resource you can utilize to check a user’s per-user MFA status is – https://graph.microsoft.com/beta/users/
Sure enough, querying one of these impacted users revealed their per-user MFA status as enforced:
This was the issue, but since this user isn’t visible in the GUI, how can we disable their per-user MFA state? Before we delve into that, if your organization implements Conditional Access, it’s recommended to disable per-user MFA for all users and manage MFA with conditional access. A couple of years back, I authored a post that outlines this process – Move from per-user MFA to Conditional Access MFA in Azure AD – SMBtotheCloud.
Nonetheless, if you wish to do this using the graph explorer for a single user, you can proceed as follows:
Change the graph request method to PATCH and include the syntax below in the request body:
{
"perUserMfaState": "disabled"
}Then click Run Query.
You’re in the clear if you see a green check mark with no errors in the response. You can then verify by switching the request method back to GET, and confirm that the perUserMfaState is set to disabled:
Once again, I do not recommend using Graph Explorer to make changes for all users. Instead, you should refer to the script from the aforementioned post, which bulk disables per-user MFA for all users, so that your team utilizes conditional access rather than per-user MFA. This way, your users should be able to access their Entra Joined AVD/W365 devices without encountering any issues.
