How do I log in to an Azure AD Joined VM using Azure AD Credentials on a Windows Server 2019?


I'm currently trying to enable VM Login on a Windows 2019 Server with Azure AD Credentials. For this I have followed the Microsoft Documentation: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

I have tried by creating a new user as type "member" in my Azure AD. Then I have created a Windows Server 2019 VM with "Login with Azure AD" enabled as shown in the documentation. Afterwards I have given the "Virtual Machine Administrator Login" Role to the new User. Then I have tried to login to the VM using the new user credentials. Unfortunately it didn't work. I encounter the "Your Credentials did not work" error message.

With the local user I can log in to the VM. I have tried to uninstall and reinstall the "Microsoft.Azure.ActiveDirectory.AADLoginForWindows" extension. I have checked the VM with the command "dsregcmd /status" to see whether the VM is really Azure AD joined.

Has someone done this before and knows why it doesn't work? What have I done wrong?

Best regards!


1
Imran On BEST ANSWER

I tried to reproduce the same in my environment and added it successfully.

I have added a user and created a VM with Windows Server 2019 with "Login with Azure AD" enabled. While creating the Azure VM, make sure to give the same username and password as the Azure AD user credentials.

Verify whether you have added the AADLoginForWindows extension in Azure as below:

I downloaded the RDP file and tried to log in; it showed me an error. To resolve this issue, use a different account format with "\" and try to log in as below:

 <VMname>\Username or localhost\username and password

Make sure you are using the correct credentials when connecting to the VM over RDP with Azure AD credentials. You can also reset your password and try logging in again if the error still appears.

Once RDP has opened, try to join a Windows 10 device to Azure AD, and on your Windows 10 Azure VM go to System Properties -> Remote Settings -> uncheck "Allow connections only from computers" as below:

To add the Azure AD user to the RDP user group, run the command prompt as administrator like below:

net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"


Account should be AzureAD\[email protected] type.

To confirm the Azure AD user has been added, run Get-LocalGroupMember -Name "Remote Desktop Users" in PowerShell.

And then, I modified the Azure VM RDP file. If you modify this file beforehand you will get an error. Click Download RDP File -> right-click -> Open with Notepad, add the lines below and save:

full address:s:IPADDRESS:3389
prompt for credentials:i:0
authentication level:i:2
enablecredsspsupport:i:0
username:s:[email protected]
domain:s:AzureAD

Then try to connect with this RDP file. Make sure you use AzureAD\[email protected]; if you enter only the Azure AD user account without the domain it may cause an error.


Reference: Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Learn

0
fbifido On

My bad; I got it to work.

On my laptop—that is not AzureAD-Joined—I edited the hosts file to have the AzureAD-VM host name listed:

10.200.2.8   dal-test-01

Then I edited the rdp file:

full address:s:dal-test-01:3389
prompt for credentials:i:1
username:s:tester@[domain].onmicrosoft.com
domain:s:AzureAD
administrative session:i:0
negotiate security layer:i:1
enablerdsaadauth:i:1
targetisaadjoined:i:1
enablecredsspsupport:i:1
redirectwebauthn:i:1
authentication level:i:2

Then it will ask you to enter the password, just like how you access "Office.com". The most important part is to allow it to connect to the Azure VM via RDP; it will ask you just before it connects, so READ the message, don't just select "No".
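Both answers come down to the same three checks: the VM is really Azure AD joined, the Azure AD user is in "Remote Desktop Users", and the .rdp file carries the Azure AD authentication settings. The script below is an added example (not from either answer or from Microsoft) that runs those checks and writes the .rdp file; the host name and UPN are placeholders, and the first two steps assume an elevated PowerShell session on the VM itself.

```powershell
param(
    [string]$VmHost  = 'dal-test-01',                      # placeholder: VM host name or IP
    [string]$UserUpn = 'tester@contoso.onmicrosoft.com'    # placeholder: Azure AD user UPN
)

# 1. Confirm the VM is Azure AD joined: dsregcmd /status reports "AzureAdJoined : YES".
$status = dsregcmd /status
$joined = $status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet
if (-not $joined) {
    Write-Warning 'AzureAdJoined is not YES; Azure AD sign-in cannot work on this machine.'
}

# 2. The Azure AD user must be in "Remote Desktop Users", written as AzureAD\<UPN>.
$member  = "AzureAD\$UserUpn"
$present = Get-LocalGroupMember -Name 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $member }
if (-not $present) {
    net localgroup "Remote Desktop Users" /add $member
}

# 3. Build the .rdp file with the Azure AD settings from fbifido's answer.
#    ${VmHost} is braced so PowerShell does not read "$VmHost:3389" as a scoped variable.
$rdp = @"
full address:s:${VmHost}:3389
prompt for credentials:i:1
username:s:$UserUpn
domain:s:AzureAD
administrative session:i:0
negotiate security layer:i:1
enablerdsaadauth:i:1
targetisaadjoined:i:1
enablecredsspsupport:i:1
redirectwebauthn:i:1
authentication level:i:2
"@
$path = Join-Path $env:USERPROFILE "$VmHost.rdp"
$rdp | Set-Content -Path $path -Encoding ASCII
Write-Output "Wrote $path; copy it to the client machine and connect with it."
```

Copy the generated .rdp file to the client (which, as fbifido notes, need not be Azure AD joined) and resolve the VM host name there, for example via the hosts file, before connecting.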