Azure VM RDP access using AAD user credential


I have create a Win10 VM machine for testing several Microsoft 365/Azure new features, but I'n not able to RDP connect to the vm using and Azure AD users.
I found this article,. Is it correct?

The vm has already been created. so I run this command, but I got an error:

PS Azure:\> az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group EG_TestRG --vm-name PCVI02  
Deployment failed. Correlation ID: 3cc311b1-5df5-43d6-8a54-43ceef1e157d. The handler for VM extension type 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' has reported terminal failure for VM extension 'AADLoginForWindows' with error message: 'Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version with exception Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: -2145648572'.  
'Install handler failed for the extension. More information on troubleshooting is available at'  

Furthermore the user I'm testing is using MFA. May somebody give me an help? Thank you


Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,530 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,494 questions
0 comments No comments
{count} votes

10 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,486 Reputation points

    anonymous user

    In order to allow all Azure AD users in your Azure AD tenant to log into azure joined machines using RDP, you need to configure Remote Desktop settings as highlighted below:


    Once this is done, you can login by using AzureAD\UPN format i.e., AzureAD\ or AzureAD\


    Please Accept as answer wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.
    0 comments No comments

  2. fabio 11 Reputation points

    Steps need to followed to make successful

    1. Need to Create VM with AAD extension
      Follow the Steps and Create VM
    2. Login with local Admin Credential’s in Win 10 VM or 2019 Datacenter
    3. Open CMD with ADMIN and run dsregcmd /status Check device was first option device was Azure AD join set to yes
    4. Navigate To This PC> Right Click > Properties >Change Settings >Remote> Allow Remote Connections to this computer and remove the checkbox from Allow connections only from computers running Remote Desktop with Network Level Authentication enabled as shown here.
    5. Apply and click OK
    6. Close the VM and go to your Physical PC
    7. Create a new rdp config file
    8. On the computer open RDP from or run open mstsc.exe and click on Show Options don’t enter computer or user
    9. Click on Save As… and give it a new name such as VM_RDP, save it somewhere easy to find.
    10. Open the saved file(VM_RDP) using Notepad. Verify that the following two lines are present, if not, add them.
    11. enablecredsspsupport:i:0
    12. authentication level:i:2
    13. Save The File
    14. On the pc we just edited the config file, open MSTSC.exe or remote desktop and click on show options, then click on Open. Point it to the previously created VM_RDP config file. Enter the IP address or FQDN of the computer you want to RDP to, do not enter any username and click connect
    15. you may see the usual RDP prompt…it’s ok, click on Connect
    16. You will be inside the device now
    17. Click on other User Option give user name as AzureAD\username@keyman .com

    Don't forget to follow these steps to put the user in the "Virtual Machine Administrator Login" or "Virtual Machine User Login" role:

    Hope you get!!!!

    Fabio Vilardo

    2 people found this answer helpful.

  3. 2020-04-29T09:29:29.307+00:00

    I got the same error when adding the extension to an existing VM.
    Solution was to activate the "system assigned identity" in VM settings.

    1 person found this answer helpful.
    0 comments No comments

  4. Anonymous

    Hello Amanpreet and thank you, I did the configuration you sent me, but it's not working yet. I will try to redo all the following steps, maybe they are userful to other: (I followed - create a new VM called PCVI03 and check the Login with AAD credentials (Preview) on Create Virtual Machine/Management tab - Assigned a the role "Virtual Machine Administrator login" to the VM to an AAD User - The machine has already been joined to AAD Tried an RDP access immediately using AzureAD\, but failed - Add Authenticated User inside Remote desktop Users group - Tried an RDP access immediately using AzureAD\, but still failed I can see the extension "Microsoft.Azure.ActiveDirectory.AADLoginForWindows" in provisioned succesfully I have tryed to access either with password and app password, as policy forces MFA The event viewer shows this Audit Failure: [3582-securityevtx.txt][1] Don't know what else I can do. Looking forward to hearing from you, I thank you Enrico ===== Event Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 28/02/2020 15:27:41 Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure User: N/A Computer: PCAZVI01 Description: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: ITVICNOT008 Source Network Address: Source Port: 0 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns=""> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> <EventID>4625</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <TimeCreated SystemTime="2020-02-28T14:27:41.996293200Z" /> <EventRecordID>1328</EventRecordID> <Correlation ActivityID="{0008de13-1bd6-0000-4fd1-8c9d3ceed501}" /> <Execution ProcessID="672" ThreadID="4268" /> <Channel>Security</Channel> <Computer>PCAZVI01</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-0-0</Data> <Data Name="TargetUserName"></Data> <Data Name="TargetDomainName"> </Data> <Data Name="Status">0xc000006d</Data> <Data Name="FailureReason">%%2313</Data> <Data Name="SubStatus">0xc0000064</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">ITVICNOT008</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress"></Data> <Data Name="IpPort">0</Data> </EventData> </Event> [1]: /api/attachments/3582-securityevtx.txt?platform=QnA

    0 comments No comments

  5. Gerrit Edzards (AMAGNO) 1 Reputation point

    I can also reproduce this behaviour and have not found a solution for it.

    The article says you should try "curl<TenantId>/ -D –". That call returns HTTP Status 404. All other commands are working (302 Found or 200 OK) correctly.

    Also "curl -H Metadata:true "" returns the correct TenantId.