RDS users confronted with Microsoft 365 login popups in a hybrid environment

Question

RDS users confronted with Microsoft 365 login popups in a hybrid environment

Michel G 20

Hi all,

We have a customer with a on premises hybrid RDS environment; they have a domain controller and RDS server, both running Windows Server 2022 Standard. The domain controller is running the AD/Entra ID sync service which is configured for pass-through authentication. The necessary policies are in place to enable SSO with Microsoft 365 services (used to authenticate/license MS Office apps + Outlook etc.). This works fine when signing in to their account, but after an hour or two of being logged in users are confronted with the Microsoft 365 authentication pop-ups. This happens a few times a day.

We've tried the following to remediate the issue:

Run a .ps1 script to clear all M365 authentication tokens at logout
Disable WAM (DisableADALaptopWAMOverride, DisableAADWAM, DisableMSAWAM)
Re-enable WAM (DisableADALaptopWAMOverride, DisableAADWAM, DisableMSAWAM)
Block AADWorkspaceJoin (to make sure only app-authentication is enabled)
Migrated from UPD images to FSLogix
Created an Conditional Access policy to disable MFA for their office IP

We'd like to here what else we can try to remediate this annoyance for our customer, thanks!

1 answer

Your answer

Answer 1

Harry Phan 10,850 Independent Advisor

Hi Michel,

Given the environment—Windows Server 2022 Standard with Entra ID sync and pass-through authentication—this behavior often stems from token persistence and session context limitations within RDS sessions, especially when WAM (Web Account Manager) is involved.

Here are a few additional areas worth exploring:

Ensure Modern Authentication is fully enabled across all Microsoft 365 services, particularly Exchange Online and SharePoint Online. Inconsistent auth modes can trigger fallback behaviors.
Review Conditional Access policies, especially those involving session controls or sign-in frequency. If policies enforce re-authentication after a short interval, that could explain the repeated prompts.
Check for roaming profile or FSLogix configuration issues. If token caches aren’t persisting correctly across sessions, users may lose their auth state prematurely.
Validate the integrity of the Primary Refresh Token (PRT). If the PRT isn’t issued or maintained properly in the RDS session, WAM-based SSO will fail intermittently. You can use dsregcmd /status to inspect PRT status.
Consider disabling WAM only if absolutely necessary, as it’s tightly integrated with modern authentication flows. Instead, try isolating the issue by testing with a clean user profile and minimal GPOs.
Enable logging for Office apps and AAD authentication

Hope it works for you.

Harry P.

Michel G 20

Hi Harry,

Thank you for your response. See below our feedback:

Modern Authentication is fully enabled
There's one conditional access policy: to enable MFA/strong authentication for all users, except for the GA, and their office location (IP) is excluded.
We migrated over a few users to another RDS implemented with FSLogix (previous was a UPD environment), this yielded no difference. FSLogix is configured as per Microsoft's recommendations
The PRT token claims SSO is not implemented, it is, I just confirmed all requirements are met:

 dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : TDP
               Device Name : XXXRDS05.CUSTOMER.local  +----------------------------------------------------------------------+ | User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : NO
             EnterprisePrt : NO
    EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : UN-ELEVATED User
               Client Time : 2025-09-01 19:02:55.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : FAIL [0x80070002]
        DRS Discovery Test : SKIPPED
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED

     Previous Registration : 2025-09-01 19:02:47.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c001d     Executing Account Name : XXX\enduser, ******@customer.com  +----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : NO
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors

We've previously disabled WAM, although this did improve the amount of login issues previously it did not resolve the issue. We've re-enabled it through policies.

Looking forward to your feedback.

Share via

RDS users confronted with Microsoft 365 login popups in a hybrid environment

1 answer

Your answer