Azure VMSS - AAD Login - Re-join Issue

websolut 0 Reputation points
2023-08-18T09:52:40.0733333+00:00

We recently started to experience issues managing VMSS with the AAD Login technology.

Before:

  • we deploy a VMSS cluster with the AAD Windows Login extension and we are able to log in to individual VMs with AAD accounts
  • Destroy the cluster
  • Redeploy the cluster using the same code base
  • VMs are able to join the AAD

Now:

We can redeploy the cluster (at least the latest extension does not fail the release as it would if you deployed, destroyed and re-deployed a VM in the portal).

But the extension is not able to join the VM to AAD with this error:

Join request ID: f9d2a128--4f01-a118-508135a4952c
2023-08-15T09:12:08.1158945Z[Information]:Join response time: 08-15-2023 9:12:00Z
2023-08-15T09:12:08.1158945Z[Information]:Join HTTP status: 400
2023-08-15T09:12:08.1158945Z[Information]:Join error code: directory_error
2023-08-15T09:12:08.1158945Z[Information]:Join error subcode: error_hostname_duplicate
2023-08-15T09:12:08.1315216Z[Information]:Join message: {'odata.error':{'code':'Request_BadRequest','message':{'lang':'en','value':'Another object with the same value for property hostnames already exists.'},'requestId':'4a2034ae--4651-b2b4-57d7b546d8fa','date':'2023-08-15T09:12:00','details':[{'code':'ObjectConflict','target':'hostnames','message':'Another object with the same value for property hostnames already exists.'},{'code':'ConflictingObjects','target':'Device_34603cc4--4af6-9402-3dd55d49b81b','message':'Another object with the same value for property hostnames already exists.'}]}}
2023-08-15T09:12:08.1315216Z[Information]:Server operation: DeviceJoin
2023-08-15T09:12:08.1315216Z[Information]:AzureSecureVMEnroll failed with 0x801c0083
2023-08-15T09:12:08.1315216Z[Information]:AzureSecureVMJoinOperation: DeviceEnroller::AzureSecureVMEnroll failed 0x801c0083.
2023-08-15T09:12:08.1315216Z[Error]:AAD Join failed with status code -2145648509.
2023-08-15T09:12:08.1315216Z[Information]:Reporting handler status.
2023-08-15T09:12:08.1315216Z[Information]:Handler Status: [{'status':{'code':-2145648509,'formattedMessage':{'lang':'en-US','message':'AAD Join failed with status code: -2145648509. AzureSecureVMJoinOperation: DeviceEnroller::AzureSecureVMEnroll failed 0x801c0083. The hostname is already used by another device in this tenant, please change the VM name to redeploy the extension.'},'name':'Microsoft.Azure.ActiveDirectory.AADLoginForWindows','operation':'AADJoin','status':'error','substatus':null},'timestampUTC':'\\/Date(1692090728131)\\/','version':'1'}]

Essentially Azure does not allow elastic workloads at all now. What about VMSS cluster upgrades or re-images? The same I suppose applies to AKS.

Azure Virtual Machine Scale Sets

2 answers

  1. Prrudram-MSFT 23,131 Reputation points
    2023-08-20T14:18:50.83+00:00

    Hello @websolut

    Thank you for reaching out to the Microsoft Q&A platform.

    The error message suggests that there's a naming conflict related to the hostnames of your Azure Virtual Machines (VMs) when trying to join them to Azure Active Directory (AAD). It is caused by the previous registration. The issue here is with resource cleanup. Sometimes, when VMs are destroyed and recreated, there can be delays in the release of hostnames, especially if soft-deletion is enabled for resources. Ensure that you have completely removed any previous VM instances and associated resources (NICs, storage, etc.) before deploying new VMs with the same host names.

    If this is urgent, you can change the VM name to something new and redeploy the extension.

    Regarding your question about elastic workloads, Azure does support elastic workloads, including VMSS cluster upgrades and re-images. However, it is important to ensure that your deployment scripts and configurations are correct and up to date to avoid issues like the one you are experiencing.

    If you continue to experience issues with the AAD Windows Login extension, I recommend reaching out to Microsoft support for further assistance. They can help you troubleshoot the issue and provide guidance on how to resolve it.

    If this does answer your question, please accept it as the answer as a token of appreciation.


  2. Juan Carlos Puerto 1 Reputation point
    2024-07-25T20:46:22.3133333+00:00

    I waited and waited for the cleanup but the actual solution was to go to https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId/Devices and delete the device from that list.

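The following script is an added example for this thread; it is not code posted by either participant and not a Microsoft-supplied tool. It automates the cleanup described in the second answer, scoped to exactly the hostnames that are blocked: it walks the scale set, picks out the instances whose AADLoginForWindows extension handler is reporting the duplicate-hostname failure quoted in the question (0x801c0083 / -2145648509, subcode error_hostname_duplicate), looks up the Entra ID device object that still holds each of those hostnames, and deletes it only when run with -Delete. Because VMSS computer names are deterministic (computerNamePrefix plus an instance suffix), a destroy-and-redeploy lands on the same names, which is why the stale device objects collide. It assumes the Az.Accounts, Az.Compute and Microsoft.Graph modules are installed, that you are already signed in with Connect-AzAccount, and that the Graph sign-in has Device.ReadWrite.All; $ResourceGroupName and $VmssName are placeholders for your own values.

```powershell
<#
  Added example, not from the original thread. Finds VMSS instances whose
  AADLoginForWindows extension failed with the duplicate-hostname join error,
  locates the stale Entra ID device object holding that hostname, and removes
  it on request so the extension can be re-run or the instance reimaged.
  Assumes Az.Compute + Microsoft.Graph are installed and Connect-AzAccount has run.
#>
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder: your RG
    [Parameter(Mandatory)] [string] $VmssName,            # placeholder: your scale set
    [switch] $Delete                                      # report-only unless given
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome

# Collect only the instances whose handler status carries the duplicate-hostname
# failure. Instances that already joined are never considered, so their live
# device objects cannot be deleted by mistake.
$blocked = foreach ($vm in Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VmssName) {
    $view = Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VmssName `
                         -InstanceId $vm.InstanceId -InstanceView
    $ext = $view.Extensions | Where-Object { $_.Type -like '*AADLoginForWindows*' }
    if (-not $ext) { continue }

    $dup = $ext.Statuses | Where-Object {
        $_.Message -match '0x801c0083|-2145648509|hostname is already used'
    }
    if ($dup) {
        [pscustomobject]@{
            InstanceId = $vm.InstanceId
            Hostname   = $vm.OsProfile.ComputerName   # the name the join tried to claim
            Status     = ($dup | Select-Object -First 1).Message
        }
    }
}

if (-not $blocked) {
    Write-Host 'No instances report the duplicate-hostname join error.'
    return
}

foreach ($b in $blocked) {
    # Escape single quotes for the OData filter; hostnames normally have none.
    $name    = $b.Hostname -replace "'", "''"
    $devices = Get-MgDevice -Filter "displayName eq '$name'" -All
    if (-not $devices) {
        Write-Warning "Instance $($b.InstanceId): handler reports a duplicate of '$($b.Hostname)' but no device object with that displayName was found."
        continue
    }
    foreach ($d in $devices) {
        # This instance has not joined (its join is what failed), so any device
        # object carrying its hostname was left behind by a destroyed instance.
        Write-Host "Instance $($b.InstanceId) hostname $($b.Hostname): stale device object $($d.Id) (deviceId $($d.DeviceId), registered $($d.RegistrationDateTime))"
        if ($Delete) {
            Remove-MgDevice -DeviceId $d.Id
            Write-Host "  removed; re-run the extension or reimage instance $($b.InstanceId) to join."
        }
    }
}
```

Run it once without -Delete to see which instances are blocked and which device objects would go, then with -Delete. Matching on the handler status rather than on hostnames alone is the safeguard: a device object whose hostname belongs to an instance that joined successfully is the live device, not a leftover, and this script never touches it.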