"the sign-in method your trying to use isn't allowed. Try a different sign-in method" getting error when connecting Azure VM with Azure AD User.

Pradeep P 0 Reputation points
2024-04-12T02:58:48.9166667+00:00

I am trying to log in to an Azure VM (Windows) using an Azure AD username, but I am not able to get into it and get the error below.

"The sign-in method you're trying to use isn't allowed. Try a different sign-in method." I get this error when connecting to the Azure VM with an Azure AD user. What should I look for?

I have created a new VM and enabled Azure Entra while creating the VM.

Please help.


1 answer

  1. Sandeep G-MSFT 16,696 Reputation points Microsoft Employee
    2024-04-12T09:02:35.65+00:00

    @Pradeep P

    Thank you for posting this in Microsoft Q&A.

    There are some limitations when logging in to a VM where Azure AD sign-in is enabled. Check the limitations below and see whether you fall under any of them.

    Limitations

    • Users of type Guest in the home tenant of the Azure VM running the AADLoginForWindows VM extension cannot sign in.
    • Users with Per-user Enabled/Enforced Azure AD Multi-Factor Authentication are not supported for VM Sign-In.
    • If the user signing in is subject to a conditional access policy that requires MFA and the Windows Hello for Business cert trust model has not been deployed, the sign-in will be blocked until the "Azure Windows VM Sign-In" application is excluded from the list of cloud apps that require MFA.
    • Windows Hello for Business PIN authentication with RDP has been supported, however support for Biometric authentication with RDP was added in Windows 10 version 1809.
    • Windows Hello for Business authentication during RDP is not available for the key trust model.

    You can check the sign-in logs of the user in Azure AD and confirm whether this is happening due to a conditional access policy that the user is required to satisfy.

    If the issue is due to a conditional access policy, then you can follow the solution below.

    Ensure that the Windows 10 client that the RDP session is initiated from is using a strong authentication method such as Windows Hello for Business.

    NOTE: If the customer has not deployed Windows Hello for Business in their environment, and they wish to sign in to the Windows server using their Azure AD account, they can bypass the strong authentication requirement by adding Azure Windows VM Sign-in as an excluded cloud application to the conditional access policy that requires multi-factor authentication.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
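
The sign-in log check suggested in the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it filters an exported sign-in log for failed "Azure Windows VM Sign-In" attempts by one user and reports which conditional access policies failed them. The records are constructed, the field names are assumed to follow the Microsoft Graph `signIn` schema, and `triage_vm_signins` is a hypothetical helper name.

```python
import json

VM_APP = "azure windows vm sign-in"  # cloud app named in the answer above

# Constructed sample export (not real log data). Field names are assumed to
# follow the Microsoft Graph signIn schema; error codes are placeholders.
SAMPLE = json.loads("""[
 {"createdDateTime": "2024-04-12T02:50:11Z", "userPrincipalName": "user1@example.com",
  "appDisplayName": "Azure Windows VM Sign-In", "conditionalAccessStatus": "failure",
  "status": {"errorCode": 1, "failureReason": "constructed: MFA required"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all apps", "result": "failure", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": ["Block"]}]},
 {"createdDateTime": "2024-04-12T02:55:40Z", "userPrincipalName": "user1@example.com",
  "appDisplayName": "Azure Portal", "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
 {"createdDateTime": "2024-04-12T03:01:02Z", "userPrincipalName": "user2@example.com",
  "appDisplayName": "Azure Windows VM Sign-In", "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 2, "failureReason": "constructed: other cause"},
  "appliedConditionalAccessPolicies": []}
]""")

def triage_vm_signins(records, upn):
    """Return failed VM sign-ins for `upn` with the policies that failed them."""
    findings = []
    for rec in records:
        if rec.get("userPrincipalName", "").lower() != upn.lower():
            continue
        if rec.get("appDisplayName", "").lower() != VM_APP:
            continue
        status = rec.get("status") or {}
        if status.get("errorCode", 0) == 0:
            continue  # successful sign-in, nothing to explain
        failed = [p for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        findings.append({
            "time": rec.get("createdDateTime"),
            "reason": status.get("failureReason"),
            "blocked_by_ca": rec.get("conditionalAccessStatus") == "failure",
            "policies": [p["displayName"] for p in failed],
            "mfa_required": any("mfa" in (c.lower() for c in p.get("enforcedGrantControls", []))
                                for p in failed),
        })
    return findings

if __name__ == "__main__":
    for upn in ("user1@example.com", "user2@example.com"):
        for finding in triage_vm_signins(SAMPLE, upn):
            print(upn, finding)
```

A failed VM sign-in with `blocked_by_ca` false and no failed policies points away from conditional access and toward the other limitations in the list, such as guest user type or per-user MFA.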