Cannot configure Conditional Access Policy for Azure Virtual Desktop

Question

Cannot configure Conditional Access Policy for Azure Virtual Desktop

Aidan Grupac 0

I want to create an allow-by-exception Conditional Access policy that blocks access to all resources except for those required to sign into Windows App and connect to a virtual desktop. From all of the documentation I can find this should be the three following resources, which I have in my policy:

Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07)

Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c)

Windows Cloud Login (app ID 270efc09-cd0d-444b-a71f-39af4910ec45)

However, upon opening Windows App and attempting to sign in, I get an error with these details:

Error Code: 53003

App name: Windows 365 Client

App id: 4fb5cc57-dbbc-4cdc-9595-748adff5f414

I'm then able to close the sign in window and proceed to the app, but when trying to connect to a virtual desktop I get stuck in an endless sign in loop.

I've tried to include the Windows 365 Client resource in my policy, but I can't find it anywhere. From documentation I read, that resource is required for Cloud PC policies, but I don't use any Cloud PCs. I also read that you can enable the Windows 365 Client resource by registering the Microsoft.DesktopVirtualization resource provider, but mine was already registered and re-registering did nothing.

Nikhil Duserla 8,515 Reputation points Microsoft External Staff Moderator

2025-08-08T18:16:36.4233333+00:00

Hello @Aidan Grupac ,

In the Azure portal, go to AVD VM > Select Access Control (IAM) > Select Role Assignments > Confirm that the user account has been granted either the Virtual Machine User Login or Virtual Machine Administrator Login role.

Ensure that the RDP property targetisaadjoined:i:1 was added to the AVD host pool. To do this, navigate to the Azure portal > Select the host pool configured for Azure AD Join > Select the RDP Properties blade > Select the Advanced Tab > Add targetisaadjoined:i:1.

Disable security defaults by navigating to Entra ID > Manage > Properties > Manage Security Defaults > Disable.

Add Conditional Access policies to exclude the VM from MFA by adding the user.

Enable Conditional Access policies and exclude the users and groups as needed.

I would suggest access the AVD VM's from windows app.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-11T09:45:56.62+00:00

Hi Aidan Grupac

Just checking in to see if you had a chance to review the Nikhil's response provided to your question.

Feel free to reach out if you have any further queries.
Himanshu Shekhar 160 Reputation points Microsoft External Staff Moderator

2025-08-12T22:16:42.0933333+00:00

Hi Aidan Grupac

Could you please provide an update on this post?

Kindly let us know if the below helps or you need further assistance on this issue.

1 answer

Your answer

Nikhil Duserla 8,515 Reputation points Microsoft External Staff Moderator

2025-08-08T18:16:36.4233333+00:00

Hello @Aidan Grupac ,

In the Azure portal, go to AVD VM > Select Access Control (IAM) > Select Role Assignments > Confirm that the user account has been granted either the Virtual Machine User Login or Virtual Machine Administrator Login role.

Ensure that the RDP property targetisaadjoined:i:1 was added to the AVD host pool. To do this, navigate to the Azure portal > Select the host pool configured for Azure AD Join > Select the RDP Properties blade > Select the Advanced Tab > Add targetisaadjoined:i:1.

Disable security defaults by navigating to Entra ID > Manage > Properties > Manage Security Defaults > Disable.

Add Conditional Access policies to exclude the VM from MFA by adding the user.

Enable Conditional Access policies and exclude the users and groups as needed.

I would suggest access the AVD VM's from windows app.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-11T09:45:56.62+00:00

Hi Aidan Grupac

Just checking in to see if you had a chance to review the Nikhil's response provided to your question.

Feel free to reach out if you have any further queries.
Himanshu Shekhar 160 Reputation points Microsoft External Staff Moderator

2025-08-12T22:16:42.0933333+00:00

Hi Aidan Grupac

Could you please provide an update on this post?

Kindly let us know if the below helps or you need further assistance on this issue.

Answer 1

A permissions-related issue. An organization’s IT administrator can set policies with various conditions from the Azure portal. In most cases, Error 53003 occurs because an administrator has enabled Azure Conditional Access policies. For example, you can be prevented from logging in from a location not allowed by the administrator.
An outdated Microsoft Office app. You may get this error if the app you use to access Microsoft’s online services is outdated.
An outdated operating system. You may get Error 53003 if your operating system is outdated.
Server outage. A service outage on Microsoft’s end can cause this error. In this case, you must wait for the server-related issues to be resolved and try to sign in again.

Before trying our fixes, here are some things you can do:

The issue may arise due to temporary issues with Microsoft’s servers. Wait a few minutes and try to sign in again.
Contact your organization’s IT administrator and request to check if they have created a Conditional Access Policy to access an application from a different location.
Update your Windows operating system.
Ensure that your connection to the Internet is stable and fast. Try restarting your Internet router and connecting to the Internet using an Ethernet cable if you currently use Wi-Fi. For more tips on improving your Internet connection, check out our 8 Ways to Make Internet Faster article.
A permissions-related issue. An organization’s IT administrator can set policies with various conditions from the Azure portal. In most cases, Error 53003 occurs because an administrator has enabled Azure Conditional Access policies. For example, you can be prevented from logging in from a location not allowed by the administrator.
An outdated Microsoft Office app. You may get this error if the app you use to access Microsoft’s online services is outdated.
An outdated operating system. You may get Error 53003 if your operating system is outdated.
Server outage. A service outage on Microsoft’s end can cause this error. In this case, you must wait for the server-related issues to be resolved and try to sign in again.

Before trying our fixes, here are some things you can do:

The issue may arise due to temporary issues with Microsoft’s servers. Wait a few minutes and try to sign in again.
Contact your organization’s IT administrator and request to check if they have created a Conditional Access Policy to access an application from a different location.
Update your Windows operating system.
- Ensure that your connection to the Internet is stable and fast. Try restarting your Internet router and connecting to the Internet using an Ethernet cable if you currently use Wi-Fi. For more tips on improving your Internet connection, check out our 8 Ways to Make Internet Faster article.

Share via

Cannot configure Conditional Access Policy for Azure Virtual Desktop

1 answer

Your answer