question

2 Votes
$$ANON_USER$$ asked VladimirUsov-3753 answered

Azure VM RDP access using AAD user credential

Hello
I have created a Win10 VM for testing several Microsoft 365/Azure new features, but I'm not able to RDP connect to the VM using an Azure AD user.
I found this article. Is it correct?
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

The VM has already been created, so I ran this command, but I got an error:

 PS Azure:\> az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group EG_TestRG --vm-name PCVI02
    
 Deployment failed. Correlation ID: 3cc311b1-5df5-43d6-8a54-43ceef1e157d. The handler for VM extension type 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' has reported terminal failure for VM extension 'AADLoginForWindows' with error message: 'Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version 0.4.1.0) with exception Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\0.4.1.0\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: -2145648572'.
    
 'Install handler failed for the extension. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot'


Furthermore, the user I'm testing with is using MFA. Can somebody give me some help? Thank you

Enrico

azure-active-directory, azure-virtual-machines

2 Votes
amanpreetsingh-msft answered


In order to allow all Azure AD users in your Azure AD tenant to log into Azure AD joined machines using RDP, you need to configure the Remote Desktop settings as highlighted below:

[image: 3581-untitled.png]

Once this is done, you can log in using the AzureAD\UPN format, i.e., AzureAD\username@your_tenant.onmicrosoft.com or AzureAD\username@your_verified_domain.com


Please Accept as answer wherever the information provided helps you to help others in the community.


0 Votes
$$ANON_USER$$ answered $$ANON_USER$$ edited

Hello Amanpreet and thank you, I did the configuration you sent me, but it's not working yet. I will try to redo all the following steps, maybe they are useful to others (I followed https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-authentication-to-windows-vms-in-azure-now-in-public/ba-p/827840):

- Created a new VM called PCVI03 and checked "Login with AAD credentials (Preview)" on the Create Virtual Machine/Management tab
- Assigned the role "Virtual Machine Administrator login" on the VM to an AAD user
- The machine has already been joined to AAD
- Tried an RDP access immediately using AzureAD\mario.rossi@nanosoft365.com, but failed
- Added Authenticated Users inside the Remote Desktop Users group
- Tried an RDP access immediately using AzureAD\mario.rossi@nanosoft365.com, but still failed

I can see the extension "Microsoft.Azure.ActiveDirectory.AADLoginForWindows" is provisioned successfully. I have tried to access either with password and app password, as policy forces MFA.

The event viewer shows this Audit Failure (attachment: 3582-securityevtx.txt). Don't know what else I can do. Looking forward to hearing from you, I thank you

Enrico

=====
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 28/02/2020 15:27:41
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PCAZVI01
Description: An account failed to log on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: mario.rossi@nanosoft365.com
  Account Domain:

Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064

Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -

Network Information:
  Workstation Name: ITVICNOT008
  Source Network Address: 81.174.8.153
  Source Port: 0

Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


0 Votes
GerritEdzardsAMAGNO-3655 answered GerritEdzardsAMAGNO-3655 commented

I can also reproduce this behaviour and have not found a solution for it.

The article says you should try "curl https://login.microsoftonline.com/<TenantId>/ -D -". That call returns HTTP Status 404. All other commands are working (302 Found or 200 OK) correctly.

Also "curl -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"" returns the correct TenantId.


The AAD device and user, which are used for the connection, need to be at least "Azure AD joined". In my case both were only "Azure AD registered". After making them hybrid the Azure VM extension for AAD has worked properly.

0 Votes

1 Vote
cschuette-teamneusta answered

I got the same error when adding the extension to an existing VM.
Solution was to activate the "system assigned identity" in VM settings.


0 Votes
MichaelBONNY-2983 answered MichaelBONNY-2983 published

How does this work with federation (AD FS) with synchronised identities (no password hash)?


2 Votes
fabio-7160 answered StephenP-4813 commented

Steps that need to be followed to make it successful:
1. Create the VM with the AAD extension. Follow the steps and create the VM.
2. Log in with local admin credentials on the Win 10 VM or 2019 Datacenter.
3. Open CMD as admin and run dsregcmd /status. Check that the first option under device state, Azure AD joined, is set to YES.
4. Navigate to This PC > right click > Properties > Change Settings > Remote > Allow remote connections to this computer, and clear the checkbox "Allow connections only from computers running Remote Desktop with Network Level Authentication" as shown here.
5. Apply and click OK.
6. Close the VM and go to your physical PC.
7. Create a new RDP config file:
8. On the computer, open Remote Desktop or run mstsc.exe and click on Show Options; don't enter a computer or user.
9. Click on Save As... and give it a new name such as VM_RDP; save it somewhere easy to find.
10. Open the saved file (VM_RDP) using Notepad. Verify that the following two lines are present; if not, add them.
11. enablecredsspsupport:i:0
12. authentication level:i:2
13. Save the file.
14. On the PC where we just edited the config file, open mstsc.exe or Remote Desktop, click on Show Options, then click on Open. Point it to the previously created VM_RDP config file. Enter the IP address or FQDN of the computer you want to RDP to, do not enter any username, and click Connect.
15. You may see the usual RDP prompt... it's OK, click on Connect.
16. You will be inside the device now.
17. Click on the "Other user" option and give the user name as AzureAD\username@domain.com

Don't forget to follow these steps to put the user in the "Virtual Machine Administrator Login" or "Virtual Machine User Login" role:
https://docs.microsoft.com/pt-br/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

Hope you get!!!!

Fabio Vilardo
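As an added example (not part of Fabio's post or of any Microsoft tooling), the PowerShell below automates what his steps 3, 4 and 10-12 do by hand, plus the Remote Desktop Users change from amanpreetsingh-msft's answer. The function names, `$VmAddress` and `$RdpPath` are placeholders; the VM-side functions assume an elevated session on the Azure VM, the client-side one runs on the Windows 10 PC you connect from.

```powershell
# Added example, not from the original thread. VM-side functions: run elevated on the VM.
# Client-side function: run on the Windows 10 PC. $VmAddress / $RdpPath are placeholders.

function Test-AzureAdJoined {
    # Step 3: parse 'dsregcmd /status' and confirm the device is Azure AD *joined*,
    # not merely registered (the distinction Gerrit's comment above points at).
    $status = dsregcmd /status
    return [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
}

function Set-VmRdpForAadLogin {
    # Step 4: turn off NLA on the RDP-Tcp listener (the GUI checkbox writes this value).
    # This removes pre-authentication on port 3389, so keep NSG / just-in-time access tight.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 0 -Type DWord

    # amanpreetsingh-msft's tip: Authenticated Users (which covers AAD users) may use RDP.
    # 'net localgroup' is used because it accepts the well-known group name reliably.
    net localgroup 'Remote Desktop Users' 'Authenticated Users' /add | Out-Null
}

function New-AadRdpFile {
    param(
        [Parameter(Mandatory)][string]$VmAddress,   # IP or FQDN of the VM (placeholder)
        [Parameter(Mandatory)][string]$RdpPath      # e.g. "$env:USERPROFILE\Desktop\VM_RDP.rdp"
    )
    # Steps 10-12: CredSSP off and authentication level 2, so mstsc shows the VM's
    # logon screen where "Other user" + AzureAD\UPN can be typed (step 17).
    $lines = @()
    if (Test-Path $RdpPath) {
        # Keep any existing settings, but drop conflicting values of the keys set below.
        $lines = Get-Content $RdpPath | Where-Object {
            $_ -notmatch '^(enablecredsspsupport|authentication level|full address|username):'
        }
    }
    $lines += "full address:s:$VmAddress"
    $lines += 'enablecredsspsupport:i:0'
    $lines += 'authentication level:i:2'
    # mstsc itself saves .rdp files as UTF-16 LE; match that so it re-reads them cleanly.
    Set-Content -Path $RdpPath -Value $lines -Encoding Unicode
    return $RdpPath
}

# Usage (client side): build the file, then open it directly instead of Show Options > Open.
# $rdp = New-AadRdpFile -VmAddress '<vm-ip-or-fqdn>' -RdpPath "$env:USERPROFILE\Desktop\VM_RDP.rdp"
# mstsc.exe $rdp
```

The role assignment (Virtual Machine Administrator Login or Virtual Machine User Login) is still done in Azure RBAC as the linked doc describes; nothing on the VM replaces it.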

Fabio's answer works fine.

You need to add amanpreetsingh-msft tip for adding NT Authenticated Users to the RDS User group.

For me I can log in using AzureAD\username@your_tenant.onmicrosoft.com. However, AzureAD\username@your_verified_domain.com users do not work. Google is the IdP for my secondary domain. I cannot make this domain primary for some reason.

0 Votes

I tried all that; all it gave was the account and password prompt on the machine, but login still failed. It doesn't help that the clipboard doesn't work so you can't paste a strong password into the password prompt, increasing the probability of typos.

The VM is AD Joined.

Authenticated Users have Remote User access.

The remote machine is AD Registered. It is running Windows 10 Pro 20H2.


So, we shall continue to use local accounts to manage virtual machines.

0 Votes

I tried it again; still no joy. Nothing changed since January; I still get username or password incorrect.

0 Votes

0 Votes
ShehzadKhanUIT answered ShehzadKhanUIT commented

What about people accessing the VM using Bastion? @fabio-7160


My bad, missing the fine line in the documentation that AAD authentication doesn't work when you log in via Bastion. Ahh bravo Microsoft, never a complete solution.

0 Votes

0 Votes
Niranjanmo-5584 answered

Microsoft is so bad, not giving students credit.


0 Votes
ErnestoMayol-4634 answered mikecrowley commented

Anyone know if a public IP for the VM is required for this to work? The network requirements in the doc below do not mention anything, but I have not been able to get the option to download the RDP file to show up, and Fabio's instructions above seem to indicate a public IP is needed, which is something I do not want to create.
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#requirements


@ErnestoMayol-4634, no, a public IP is not required.

0 Votes

0 Votes
VladimirUsov-3753 answered

Here is what is easy to miss, resulting in the above connectivity issues:

Remote connection to VMs joined to Azure AD is only allowed from Windows 10 or newer PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 or newer PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com).
