Unable to Access Windows Server 2019 Datacenter Using Azure Active Directory User

Niket Kumar Singh 190 Reputation points
2024-04-01T16:24:28.4966667+00:00

I am facing an issue while attempting to access a Windows Server 2019 Datacenter instance using an Azure Active Directory (Azure AD) user. Despite configuring various settings on the server, I encounter an error stating "the username or password is incorrect" when attempting to log in with the Azure AD user credentials.

Configuration Details:

  1. Configured role assignments for the VM, granting Virtual Machine Administrator Login for the user requiring access.
  2. Ran the command "DisableNLA".
  3. Installed the AADLoginForWindows extension using the command: `az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group`
     Added the user to the remote desktop group using the command: `net localgroup "remote desktop users" /add "AzureAd\username@domain.com"`
  4. Edited the RDP file to connect to the VM
    enablecredsspsupport:i:0
    authentication level:i:2
  5. Checked local policies and confirmed the user is in the administrators group.

Despite these configurations, I continue to receive the error message mentioned above. The format used for providing credentials is "user@domain.com" for the username and the correct password.

Any insights or suggestions on resolving this issue would be greatly appreciated. Thank you in advance for your assistance.

The same steps followed by others are working.


Accepted answer
  1. Navya 4,000 Reputation points Microsoft Vendor
    2024-04-22T10:19:10.99+00:00

    Hi @Niket Kumar Singh

    Thank you for following up on this and I apologize for the delayed response!

    I'm able to access the VM using an AD user for the Windows machine and the Linux machine, but the external invited user is unable to access the Windows VM, although he is able to access the Linux VM. Any suggestion why?

    Unfortunately, Microsoft Entra Guest accounts can't connect to Azure Windows VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.

    Could you please help me in this regard:

    Guest users who are invited to your Azure AD directory using the Azure AD B2B invite process cannot be authenticated using Azure AD Domain Services. This is because the passwords for these users are not stored in your Azure AD directory, and therefore, Azure AD Domain Services has no way to synchronize NTLM and Kerberos hashes for these users into your managed domain. As a result, such users cannot sign in or join computers to the managed domain.

    On the other hand, for any user who was created locally within your Azure AD instance, the password will be stored either on Azure AD or synced from On-premises if they are synced users. When you enable Azure AD Domain Services, the NTLM hashes for those users will be generated and it will be synced to your Azure AD Domain Services instance. Thus, the password for local users will always be with you, and the system will be able to authenticate them while this won't be the case for any user who was not from within the domain.

    For your reference: NTLM

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.

    1 person found this answer helpful.
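
An added example, not part of the original thread and not Microsoft's code: a pre-flight check for the case the accepted answer describes, a guest (B2B) account that holds a VM login role on a Windows VM. The sample data is constructed in the shape of `az role assignment list` output; the merged-in `osType` field and the `#EXT#` UPN heuristic for spotting guests are assumptions of this sketch.

```python
# Built-in Azure roles that permit Microsoft Entra sign-in to a VM.
VM_LOGIN_ROLES = {
    "Virtual Machine Administrator Login",
    "Virtual Machine User Login",
}

# Constructed sample records. principalName, principalType, roleDefinitionName
# and scope mirror `az role assignment list`; "osType" is a hypothetical field
# joined in from the VM inventory for this example.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Administrator Login",
     "scope": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/win-vm1",
     "osType": "Windows"},
    {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Administrator Login",
     "scope": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/win-vm1",
     "osType": "Windows"},
    {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine User Login",
     "scope": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/linux-vm1",
     "osType": "Linux"},
    {"principalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/win-vm1",
     "osType": "Windows"},
]


def is_guest(principal_name):
    """Heuristic (assumption): invited B2B users normally carry '#EXT#' in the UPN."""
    return "#ext#" in principal_name.lower()


def find_blocked_logins(assignments):
    """Return guest users whose VM login role targets a Windows scope."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "User":
            continue  # groups and service principals are out of scope here
        if a.get("roleDefinitionName") not in VM_LOGIN_ROLES:
            continue  # role does not grant Entra sign-in to the VM
        if a.get("osType", "").lower() != "windows":
            continue  # the thread reports the guest can reach the Linux VM
        if is_guest(a.get("principalName", "")):
            findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return findings


if __name__ == "__main__":
    for name, role, scope in find_blocked_logins(SAMPLE_ASSIGNMENTS):
        print(f"guest cannot use Entra login on Windows: {name} ({role}) at {scope}")
```
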