Azure VM RDP access using AAD user credential

Anonymous
2020-02-27T16:23:58.033+00:00

Hello
I have created a Windows 10 VM for testing several new Microsoft 365/Azure features, but I'm not able to RDP connect to the VM using an Azure AD user.
I found this article. Is it correct?
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

The VM has already been created, so I ran this command, but I got an error:

PS Azure:\> az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group EG_TestRG --vm-name PCVI02

Deployment failed. Correlation ID: 3cc311b1-5df5-43d6-8a54-43ceef1e157d. The handler for VM extension type 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' has reported terminal failure for VM extension 'AADLoginForWindows' with error message: 'Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version 0.4.1.0) with exception Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\0.4.1.0\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: -2145648572'.

'Install handler failed for the extension. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot'

Furthermore, the user I'm testing with is using MFA. Can somebody give me some help? Thank you

Ebrico


10 answers

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-02-28T05:49:23.383+00:00

    anonymous user

    In order to allow all Azure AD users in your Azure AD tenant to log into Azure AD joined machines using RDP, you need to configure the Remote Desktop settings as highlighted below:

    [image: 3581-untitled.png (screenshot of the Remote Desktop settings)]

    Once this is done, you can log in by using the AzureAD\UPN format, i.e., AzureAD\username@your_tenant.onmicrosoft.com or AzureAD\username@your_verified_domain.com


    2 people found this answer helpful.

  2. Anonymous
    2020-02-28T15:07:54.413+00:00

    Hello Amanpreet and thank you, I did the configuration you sent me, but it's not working yet. I will try to redo all the following steps, maybe they are useful to others (I followed https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-authentication-to-windows-vms-in-azure-now-in-public/ba-p/827840):

    - Create a new VM called PCVI03 and check "Login with AAD credentials (Preview)" on the Create Virtual Machine/Management tab
    - Assigned the role "Virtual Machine Administrator login" on the VM to an AAD user
    - The machine has already been joined to AAD
    - Tried an RDP access immediately using AzureAD\mario.rossi@nanosoft365.com, but it failed
    - Added Authenticated Users inside the Remote Desktop Users group
    - Tried an RDP access again using AzureAD\mario.rossi@nanosoft365.com, but it still failed

    I can see the extension "Microsoft.Azure.ActiveDirectory.AADLoginForWindows" is provisioned successfully. I have tried to access with either the password or an app password, as policy forces MFA. The event viewer shows this Audit Failure (attachment: 3582-securityevtx.txt).

    Don't know what else I can do. Looking forward to hearing from you, I thank you

    Enrico

    =====

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 28/02/2020 15:27:41
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: PCAZVI01
    Description:
    An account failed to log on.

    Subject:
      Security ID: NULL SID
      Account Name: -
      Account Domain: -
      Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
      Security ID: NULL SID
      Account Name: mario.rossi@nanosoft365.com
      Account Domain:

    Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xC000006D
      Sub Status: 0xC0000064

    Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -

    Network Information:
      Workstation Name: ITVICNOT008
      Source Network Address: 81.174.8.153
      Source Port: 0

    Detailed Authentication Information:
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

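The 4625 event in the post above is the most useful clue in the thread: a Status/SubStatus pair of 0xC000006D/0xC0000064 over NtLmSsp means the VM looked the UPN up as a local account and found nothing, i.e. the RDP client presented NTLM credentials instead of an Azure AD sign-in. The following added example (not code from the thread or from Microsoft) parses an exported 4625 event XML and decodes that combination; the sample event is constructed to mirror the posted one.

```python
"""Triage a Windows Security event 4625 (logon failure) from its XML.
Added example for the thread above, not code from the original post."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Documented NTSTATUS sub-status codes reported in event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000072: "account is disabled",
    0xC0000234: "account is locked out",
    0xC0000071: "password has expired",
}

def parse_4625(xml_text: str) -> dict:
    """Return the EventID plus every EventData field as a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall(".//e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find(".//e:System/e:EventID", NS).text)
    return fields

def triage(fields: dict) -> str:
    """Explain the failure and flag an Azure AD UPN arriving over NTLM."""
    if fields.get("EventID") != 4625:
        return "not a 4625 event"
    sub = int(fields["SubStatus"], 16)
    reason = SUBSTATUS.get(sub, f"unknown sub-status 0x{sub:08X}")
    user = fields["TargetUserName"]
    msg = f"{user} from {fields['IpAddress']}: {reason}"
    # A UPN that reaches the VM as an NTLM network logon (LogonType 3) is
    # matched against local accounts only, so 'user does not exist' here
    # means the client never performed an Azure AD sign-in for this RDP.
    if ("@" in user and fields["AuthenticationPackageName"] == "NTLM"
            and fields["LogonType"] == "3" and sub == 0xC0000064):
        msg += " [Azure AD UPN sent as NTLM; not an Azure AD sign-in]"
    return msg

# Constructed sample mirroring the event posted in this thread.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>PCAZVI01</Computer></System>
<EventData><Data Name="TargetUserName">mario.rossi@nanosoft365.com</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">81.174.8.153</Data></EventData></Event>"""
```

Run `triage(parse_4625(SAMPLE))` on a real export by pasting the Event XML from Event Viewer's Details tab in place of SAMPLE.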

  3. Gerrit Edzards (AMAGNO) 1 Reputation point
    2020-03-09T14:19:59.483+00:00

    I can also reproduce this behaviour and have not found a solution for it.

    The article says you should try `curl https://login.microsoftonline.com/<TenantId>/ -D -`. That call returns HTTP status 404. All other commands are working correctly (302 Found or 200 OK).

    Also, `curl -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"` returns the correct TenantId.


  4. 2020-04-29T09:29:29.307+00:00

    I got the same error when adding the extension to an existing VM.
    Solution was to activate the "system assigned identity" in VM settings.

    1 person found this answer helpful.

  5. Michael BONNY 1 Reputation point
    2020-06-30T06:18:23.42+00:00

    How does this work with federation (AD FS) and synchronised identities (no password hash)?
