
O365 E3 license and 2FA

Ryon Brubaker



We have enabled 2FA for O365.  Why?  Because some employees need access to O365 (email, etc.) outside of work, on their iPhones, etc.

ISSUE: We have 1912 LTSR running on Windows 2016 Server.  On a PC/Laptop, all is fine for them with O365 and 2FA.  But within a Citrix session, apps like Teams, Word, Excel always trigger the 2FA at every logon, annoying.  Why?  Is there some profile folder(s)/file(s) we are OR not roaming?  What is the secret sauce other than maybe buying for $6 per user per month the P1 license to set up trusted IPs?

Folks who do not have 2FA enabled are fine in Citrix.  Shared licensing is fine.

Has to be a fix.

Thanks in advance.

Link to comment

7 answers to this question




Thanks for responding.  Our Network Admin is out for the week, will run it past them.

I'd imagine the same "join" as others, hopefully not... to your point, just to get this fixed, lol.  Is there documentation on the hybrid join as the correct way to work with O365 2FA?

Background: We use MCS (w/MCSIO) and every night the 24 VDAs (CVAD01, CVAD02, etc.) pull/rebuild from the gold image.  My guess, O365 thinks we're logging into a new machine every day.  We did figure out that the "%USERPROFILE%\AppData\Local\Microsoft\IdentityCache" folder was not fully loading (we have that XCOPY'd over to the VDA they get...at logon from their homedrive) by the time Teams auto-launched at logon (no UPM here, still good ole' roaming profiles). That, and placing a 30 sec delay on the Teams load, seems to have helped the 2FA when logging back into the same VDA, but logging into a new machine still triggers it.

... I have it prompting on my Apple Watch, saves some time, lol, no more typing in numbers at least.


Link to comment

Hi Ryon,


There is no documentation saying anything about hybrid join and 2FA. Hybrid join just seems to fix all these small issues with sign in with either Azure AD and/or MFA.


You might have another issue, with Office activation. With your current profile configuration, the Office activation token is not roaming, that could also trigger a login/activation prompt. I assume you have enabled shared computer activation for Office?

Microsoft has some information about it in this article:
Overview of shared computer activation for Microsoft 365 Apps - Deploy Office | Microsoft Docs

Link to comment

Office Activation is fine for the non-2FA Citrix employees.  We have that token saved to their personal homedrive (theirs is the W:\ drive).

For employees "without" 2FA enabled, Teams, Word and Excel all work fine.  They can logon to different VDAs and no matter what, it activates just fine.

Something with the 2FA AND the fact that the VDAs are brand new every morning and that they could logon to any of the 24 VDAs throughout the day.  These are non-persistent images.  O365 2FA engine must see these machines with new computer names.


Something to do with finalizing the gold image I imagine?  Maybe "dsregcmd.exe /leave"?  Again, if it matters, employees using O365 2FA locally on laptops/PCs are just peachy too.  Has to be an image thing.


Link to comment


Finally got back to this.  Well, we don't even use Hybrid AAD.  So, we just need to start using it to get this working correctly, right?  Hopefully the trick.

dsregcmd /status

| Device State |

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES


Side question: Recommend for laptops/PCs too?

Link to comment
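
Added example, not part of any post in this thread: a PowerShell check that reads `dsregcmd /status` text and names the join state, so each VDA built from the gold image can be checked the same way. The function names are hypothetical; the sample input is the output quoted in the post above, and "hybrid" here means the output reports both AzureAdJoined and DomainJoined as YES.

```powershell
# Added example: classify a machine's join state from `dsregcmd /status` text.
# ConvertFrom-DsregStatus and Get-JoinType are hypothetical helper names.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Field lines look like "AzureAdJoined : NO"; section banners such as
        # "| Device State |" and blank lines do not match and are skipped.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-JoinType {
    param([hashtable]$Fields)
    # Truncated or failed output must not be reported as "not joined".
    foreach ($name in 'AzureAdJoined', 'DomainJoined') {
        if (-not $Fields.ContainsKey($name)) { return "Unknown (no $name field)" }
    }
    $aad = $Fields['AzureAdJoined'] -eq 'YES'
    $ad  = $Fields['DomainJoined'] -eq 'YES'
    if ($aad -and $ad) { return 'Hybrid Azure AD joined' }
    if ($aad)          { return 'Azure AD joined' }
    if ($ad)           { return 'Domain joined only' }
    return 'Not joined'
}

# Sample input: the lines quoted in the thread.
$sample = @(
    '| Device State |',
    'AzureAdJoined : NO',
    'EnterpriseJoined : NO',
    'DomainJoined : YES'
)
Get-JoinType (ConvertFrom-DsregStatus $sample)

# On a live VDA, classify the real command output instead.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Get-JoinType (ConvertFrom-DsregStatus (dsregcmd.exe /status))
}
```

Running it at logon on a freshly rebuilt VDA shows whether that clone actually reports the join state expected from the gold image.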
