How to Specify User Assigned Managed Identity for AADLoginForWindows

nikhil sharma 20 Reputation points
2024-05-01T05:11:59.1+00:00

Hi All, I have a virtual machine with multiple user-assigned managed identities assigned to it. I am trying to use Azure Active Directory for RDP to this VM. I have added the AADLoginForWindows extension to my VM for this; it shows that it provisioned successfully, but when I check the logs inside my VM, they show that AAD had an error because it wasn't able to get the tenant ID of a user-assigned managed identity, as this VM has multiple and I need to specify which identity I need to use in the token. Can anyone please help me with how I can specify this? Thanks!


Accepted answer
Deepanshu katara 5,375 Reputation points
2024-05-01T05:51:19.3733333+00:00

    Hi Nikhil,

    To configure role assignments for your Microsoft Entra ID-enabled Windows Server VMs:

    1. For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.
    2. Select Access control (IAM).
    3. Select Add > Add role assignment to open the Add role assignment page.
    4. Assign the following role. For detailed steps, see Assign Azure roles by using the Azure portal.
    5. Select the required UMI that you need to assign.

    User's image

    Or you can also do it with PowerShell:

    $resourceGroupName = "YourResourceGroup"
    $vmName = "YourVMName"
    $identityClientId = "YourManagedIdentityClientId"
    $tenantId = "YourAADTenantID"

    # Set-AzVMExtension (Az.Compute) installs or updates a VM extension; publisher and
    # type below are the AADLoginForWindows extension's published values.
    $vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName
    Set-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
        -Location $vm.Location -Name "AADLoginForWindows" `
        -Publisher "Microsoft.Azure.ActiveDirectory" -ExtensionType "AADLoginForWindows" `
        -TypeHandlerVersion "1.0" `
        -Settings @{ tenantId = $tenantId; identityClientId = $identityClientId }
    # Assumption: the two settings keys are not documented on this page; confirm them
    # against the extension's own settings reference before relying on them.


    Replace YourResourceGroup, YourVMName, YourManagedIdentityClientId, and YourAADTenantID with your actual values.

    Please check this doc for more ref --> https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    Kindly accept the answer if it helps. Thanks
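The role-assignment steps in the accepted answer, done from PowerShell instead of the portal and followed by the checks a practitioner would want before trying to RDP. This is an added example, not code from the original answer or from Microsoft. It assumes the Az.Accounts, Az.Compute and Az.Resources modules are installed and Connect-AzAccount has already been run; the resource group, VM name and user principal name are placeholders. It scopes the assignment to the VM itself rather than the resource group (least privilege), and because this page does not state which managed identity the extension uses, it only lists the identities attached to the VM so they can be inspected.

```powershell
# Added example (not part of the original answer). Assumes Az.Accounts, Az.Compute and
# Az.Resources are installed and Connect-AzAccount has already been run.
param(
    [string]$ResourceGroupName = "YourResourceGroup",        # placeholder
    [string]$VMName            = "YourVMName",               # placeholder
    [string]$UserPrincipalName = "user@contoso.example",     # placeholder: who gets RDP access
    [ValidateSet("Virtual Machine Administrator Login", "Virtual Machine User Login")]
    [string]$RoleName          = "Virtual Machine User Login" # least-privilege default
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# 1. List the managed identities attached to the VM, so you can see whether there is a
#    system-assigned identity and how many user-assigned ones exist (the question's case).
Write-Host "Identity type: $($vm.Identity.Type)"
if ($vm.Identity.UserAssignedIdentities) {
    foreach ($id in $vm.Identity.UserAssignedIdentities.GetEnumerator()) {
        Write-Host "User-assigned identity: $($id.Key)"
        Write-Host "    clientId=$($id.Value.ClientId) principalId=$($id.Value.PrincipalId)"
    }
}

# 2. Confirm the AADLoginForWindows extension is present and provisioned before assigning
#    any sign-in role; a role without the extension does nothing useful.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -Name "AADLoginForWindows" -ErrorAction SilentlyContinue
if (-not $ext) {
    throw "AADLoginForWindows extension is not installed on $VMName."
}
Write-Host "Extension provisioning state: $($ext.ProvisioningState)"

# 3. Resolve the user and assign the sign-in role at VM scope only. The check first
#    makes the script idempotent (re-running it does not create duplicate assignments).
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
if (-not $user) {
    throw "User $UserPrincipalName was not found in the tenant."
}
$scope = $vm.Id
$existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $scope
if ($existing) {
    Write-Host "Role '$RoleName' is already assigned to $UserPrincipalName at $scope"
}
else {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to $UserPrincipalName at $scope"
}

# 4. Entra sign-in over RDP uses the AzureAD\UPN form for the user name.
Write-Host "Sign in over RDP as: AzureAD\$UserPrincipalName"
```

Run it as a .ps1 with the placeholders overridden on the command line; pick "Virtual Machine Administrator Login" only for accounts that genuinely need local administrator rights on the VM.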

