Azure Virtual Desktop now has the option to join session hosts to Azure AD in addition to Windows AD and Azure AD Domain Services. I got the error message below while logging in.
“The sign-in method you’re using isn’t allowed. Try a different sign-in method or contact your system administrator.”
In this case, I logged in with a username and password. The message indicated that the method I used to log in was not allowed. Fortunately, there is a simple explanation and a couple of solutions.
The error was caused by a conditional access policy that enforces multi-factor authentication for all users and all applications. The application causing the issue is “Azure Windows VM Sign-in.” The Azure Windows VM Sign-in application controls how users log in to Azure AD joined devices. When MFA is enforced on this application, the sign-in to the session host itself must satisfy MFA, which a username and password cannot; only smart card or Windows Hello for Business sign-in can.
The simple solution is to add the application to the exclusions on the MFA conditional access policy.
Excluding this app from the MFA policy does not remove MFA for the user: they still need MFA to sign in to the AVD client, such as the Windows Remote Desktop client or the web client. Once signed in to the client, they can use username and password credentials to sign in to the AVD session.
As an alternative solution, you can require smart card or Windows Hello for Business to sign in to the AVD session.
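The exclusion fix above is a one-line change in the portal, but on a tenant with many conditional access policies it helps to check programmatically which policies would produce this error and what the corrected policy looks like. The script below is an added example, not code from the original post or from Microsoft: it works on conditional access policies in the JSON shape returned by the Microsoft Graph endpoint `/identity/conditionalAccess/policies`, flags every enabled policy that grants with MFA and includes all applications (or the VM sign-in app) without excluding “Azure Windows VM Sign-in,” and builds the PATCH body that adds the exclusion. The application ID constant is the value Microsoft documents for that enterprise app; confirm it in your own tenant before relying on it. The three policies are constructed sample data, and the script runs offline without any Graph calls.

```python
"""Audit conditional access policies for the configuration that produces
"The sign-in method you're using isn't allowed" on Azure AD joined AVD session
hosts, and build the Graph PATCH body that adds the exclusion.

Added example; policies below are constructed sample data, not tenant output.
"""
from __future__ import annotations

import json
from copy import deepcopy

# Application (client) ID of the "Azure Windows VM Sign-In" enterprise app as
# published in Microsoft's documentation. Confirm it in your tenant, e.g.
# Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'",
# before relying on it.
AZURE_WINDOWS_VM_SIGNIN_APP_ID = "372140e0-b3b7-4226-8ef9-d57986796201"


def requires_mfa_for_vm_signin(policy: dict, app_id: str = AZURE_WINDOWS_VM_SIGNIN_APP_ID) -> bool:
    """True when an enabled policy grants with MFA and its application scope
    covers Azure Windows VM Sign-In without excluding it. Such a policy forces
    MFA at the session host, which password sign-in cannot satisfy."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = [c.lower() for c in grant.get("builtInControls", [])]
    if "mfa" not in controls:
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = [a.lower() for a in apps.get("includeApplications", [])]
    exclude = [a.lower() for a in apps.get("excludeApplications", [])]
    target = app_id.lower()
    return ("all" in include or target in include) and target not in exclude


def find_offending_policies(policies: list, app_id: str = AZURE_WINDOWS_VM_SIGNIN_APP_ID) -> list:
    """Display names of the policies that would block password sign-in to the session host."""
    return [p["displayName"] for p in policies if requires_mfa_for_vm_signin(p, app_id)]


def exclusion_patch_body(policy: dict, app_id: str = AZURE_WINDOWS_VM_SIGNIN_APP_ID) -> dict:
    """Body for PATCH /identity/conditionalAccess/policies/{id} that adds the app
    to excludeApplications. The complete conditions object is returned because
    the nested object is replaced as a whole on update; the original policy dict
    is left untouched. Calling it twice does not duplicate the entry."""
    conditions = deepcopy(policy.get("conditions") or {})
    apps = conditions.setdefault("applications", {})
    exclude = apps.setdefault("excludeApplications", [])
    if app_id not in exclude:
        exclude.append(app_id)
    return {"conditions": conditions}


# Constructed sample policies in the Graph response shape (not real tenant data).
SAMPLE_POLICIES = [
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "00000000-0000-0000-0000-000000000002",
        "displayName": "Require MFA - report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "00000000-0000-0000-0000-000000000003",
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


if __name__ == "__main__":
    for name in find_offending_policies(SAMPLE_POLICIES):
        print(f"Policy forces MFA on Azure Windows VM Sign-in: {name}")
    print(json.dumps(exclusion_patch_body(SAMPLE_POLICIES[0]), indent=2))
```

Only the first sample policy is reported: the report-only policy is not enforced, and the legacy-authentication policy blocks rather than requires MFA. After the exclusion is applied, the same check returns false for that policy, while the “All” in `includeApplications` still keeps MFA on the AVD client apps, which is exactly the behaviour described above.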