VMware Horizon Community

Horizon Instant Clones and Azure MFA - Anybody have a working configuration?

I've been working with a consultant on producing a viable Win10 IC configuration for several months now. Due to multiple factors surrounding on-prem and Azure AD coupled with OneDrive, O365 and MFA, we've thus far created a user experience that is far worse than our static clone Horizon desktops. Essentially we have a user experience that is fraught with authentication/MFA prompts for Teams and OneDrive (which needs to start with the logon but does not). Every time a user logs off, the IC is destroyed (as expected) and the next logon is met with the same frustrating logon experience. We have a small staff working every flavor of IT admin, and VDI takes up way too much time. I have come to loathe everything about cloud integration.

We have the following pieces in play:

vSphere 7 with about 1000 VDI desktops (we want to replace them with IC and an as-good-or-better user experience)

Horizon 8 CS behind F5 internally/externally (via v7 UAGs)

Win10 21H2 images

FSLogix O365 containers storing profiles on CIFS

DEM profiles (for the stuff you can't do with FSLogix)

OneDrive redirection of My Documents, etc.

Our logon sessions and IC's objects are on-prem AD which does not match the domain suffix for our AAD/MFA authentication.

For example, on-prem AD auth is my.company.com and all the AAD stuff authenticates to company.com. This appears to produce the issue with OneDrive not authenticating at logon. MFA tokens aren't being saved from one session to the next.

We have been testing with hybrid join of AAD which is met with similar user experience.


Who has time for this insanity? Please just give me back the old days of on-prem everything!


I feel all of your pain. 

I am working on a solution for our group, which is nearly identical to what you're experiencing. 

FSLogix is going to be of little help. In order for it to work properly, as of Feb '23, you need to have your ICs "AADJ" or "HAADJ" (hybrid Azure AD joined).


"Virtual machines, which are AADJ or HAADJ create the user's primary refresh token (PRT) at sign-in. Primary refresh token(s) created at sign-in are used to authenticate to Azure AD based applications. Standard Domain Joined (DJ) virtual machines don't create a PRT at sign-in, instead rely on the Microsoft Azure AD broker plugin." 

I've tried it again with this GPO setting: Install FSLogix 2210 hotfix 1 (2.9.8440.42104). Configure the new RoamIdentity setting by setting the registry value to 1 or enabling via Group Policy.

But no luck. 

DEM is mostly useless with regard to roaming o365 profile, but I have got it to work using this profile: https://communities.vmware.com/t5/Dynamic-Environment-Manager/DEM-template-for-Office-365-is-insuffi...

However, it is not "user friendly" and requires signing into Outlook/Teams, signing out, signing in again, then hoping the license file is there when signing back in again. It's VERY CLUNKY, but it does kind of work. 

Look at the post by Lansti. 

The other thing that I've been trying to do, but have not been successful with, is trying to PREVENT Office from recognizing the "signed in user" (and its user token) when first opening the application. This plays a part in how well DEM/FSLogix stores the profile/license information and, more importantly, what account is seen when O365 opens. However, it is not possible to remove that setting, at least that I've been able to find. It's a "feature" to make it easier to use the O365 applications.

Also, a site I reference often with this setup is here: https://www.stephenwagner.com/2021/08/06/microsoft-office-365-vdi

It's a pretty good guide. I've had the most luck with this over anything else, but like I said, it's still clunky, and every time MS updates o365, less and less stuff works right. 
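An added example, not from the thread or from VMware/Microsoft, of a PowerShell check an admin could run inside a clone to confirm the two prerequisites this reply describes: an Azure AD or hybrid join that actually yields a PRT for the session, and the FSLogix RoamIdentity value. It assumes the RoamIdentity value lives under HKLM:\SOFTWARE\FSLogix\Profiles as a DWORD and that dsregcmd.exe is on the image.

```powershell
# Added example (not from the thread): checks whether an instant clone meets the
# prerequisites described above for roaming the Azure AD primary refresh token.
# Assumptions: FSLogix profile settings live under HKLM:\SOFTWARE\FSLogix\Profiles
# and RoamIdentity is a REG_DWORD (1 = enabled); run this on the clone as the user.

function Get-DsregStatus {
    # Parse the "Key : Value" lines that dsregcmd /status prints into a hashtable
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-PrtPrerequisites {
    param([hashtable]$Status)
    $findings = @()

    $azureJoined  = $Status['AzureAdJoined'] -eq 'YES'   # AADJ or HAADJ
    $domainJoined = $Status['DomainJoined']  -eq 'YES'   # on-prem AD join
    $hasPrt       = $Status['AzureAdPrt']    -eq 'YES'   # PRT obtained this session

    if (-not $azureJoined) {
        $findings += 'Not Azure AD joined (AADJ/HAADJ): no PRT is issued at sign-in, so Office/OneDrive will re-prompt on every new clone.'
    } elseif ($domainJoined) {
        $findings += 'Device reports hybrid Azure AD join (HAADJ).'
    } else {
        $findings += 'Device reports Azure AD join (AADJ).'
    }
    if ($azureJoined -and -not $hasPrt) {
        $findings += 'AzureAdPrt is NO: joined, but no PRT for this session. Check that the user UPN suffix matches the AAD domain.'
    }

    $roam = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Name RoamIdentity -ErrorAction SilentlyContinue
    if ($null -eq $roam -or $roam.RoamIdentity -ne 1) {
        $findings += 'FSLogix RoamIdentity is not set to 1 (requires FSLogix 2210 hotfix 1 or later).'
    } else {
        $findings += 'FSLogix RoamIdentity = 1.'
    }
    return $findings
}

Test-PrtPrerequisites -Status (Get-DsregStatus) | ForEach-Object { Write-Output $_ }
```

A clone that reports AADJ/HAADJ with AzureAdPrt YES and RoamIdentity 1 meets the stated prerequisites; anything else in the output names the piece that is missing.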


Good to commiserate on this insanity. My project is dead in the water at this point. We have a contingent of people who are full steam ahead with everything Azure but fail time and again when it comes to integration and costs, but still we limp forward. I don't have time to attempt to understand how it all works and doesn't work. I think IC technology was created to make our lives simpler and resource efficient, but cloud integration and MFA turn IC into a management nightmare. Ultimately we'll probably end up with Azure-based VDI, which will bring its own problems with data latency and authentication to on-prem apps/data.

Appreciate all your details and will look into them.

To the cloud and beyond!


I would expect it to work with FSLogix, we have similar configuration.

-- If you find this reply helpful, please consider accepting it as a solution.