Azure VM User Access Rights

Question

Azure VM User Access Rights

Michael Malambri 25

Hello,

I spun up an Azure VM and connected it to my Intune via my global admin Entra ID credentials in the "access work or school" section of the settings. After doing so, I went into Intune, made a new configuration policy, and under user rights added a few users under "allow local login". I added the VM to a group and assigned the configuration to the group. When I look at the device, Intune reports that it was successfully applied.

When I try to login with a standard user that is on the user rights list, I get a "The connection was denied because the user account is not authorized for remote login." error. So I went to lusrmgr.msc and tired to add the user to the "remote desktop users" group. However, I cannot add these users because it is not showing my Azure domain as an avialable location.

When another global admin who is not on my user access list tries to sign in, he can do so successfully.

Am I missing something here? Is there another "Allow remote login" user access rights that I may be missing? Something tells me this should be that hard, and it's throwing me for a loop.

My end goal is to restrict the VM to only the allowed users list and get them to be able to login. I would rather not have users maintain a local account and password, but if I can't figure this out, we may have to go that route.

Lijitha B 515 Reputation points Moderator

2024-12-11T12:27:38.7866667+00:00

Hi Michael Malambri,

Just checking in to see if the below answer provided by Crystal-MSFT If this answers your query, do click 'Accept Answer' and 'Yes' for was this answer helpful. And, if you have any further query do let us know.
Lijitha B 515 Reputation points Moderator

2024-12-13T11:20:43.0066667+00:00

Hi Michael Malambri,

I wanted to check if you had the opportunity to review the information which was provided by Crystal-MSFT in his previous posted answer.

If it was helpful, please click "Upvote and Accept Answer" on his post to let us know.

Thank you.

Accepted answer

2 additional answers

Your answer

Lijitha B 515 Reputation points Moderator

2024-12-11T12:27:38.7866667+00:00

Hi Michael Malambri,

Just checking in to see if the below answer provided by Crystal-MSFT If this answers your query, do click 'Accept Answer' and 'Yes' for was this answer helpful. And, if you have any further query do let us know.
Lijitha B 515 Reputation points Moderator

2024-12-13T11:20:43.0066667+00:00

Hi Michael Malambri,

I wanted to check if you had the opportunity to review the information which was provided by Crystal-MSFT in his previous posted answer.

If it was helpful, please click "Upvote and Accept Answer" on his post to let us know.

Thank you.

Answer 1

@Michael Malambri, Thanks for sharing the solution. I am glad the issue is fixed. To help others quickly find the solution, please let me write a summary for our issue.

Issue

Get a "The connection was denied because the user account is not authorized for remote login." error when access Azure VM.

Resolution

User's image

Again, thanks for your time and have a nice day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

For anyone else having this issue...

The fix for me to was to ensure that I granted access to accounts directly on the virtual machine IAM itself using the roles "Virtual Machine User Login" and "Virtual Machine Administrator Login". You cannot do this on the resource group level. It has to be done on the machine level in azure.

Also, I thought you had to make a new conditional access policy to exclude "Microsoft Azure Windows Virtual Machine Sign In". Do not do that. Look for your existing MFA conditional access policy and add the exclusion there.

These two things fixed my issue. Thank you for your support.

Answer 3

Crystal-MSFT 53,981 Microsoft External Staff

@Michael Malambri, Thanks for posting in Q&A. To clarify our issue, please choose one affected device and check the following information.

1, Type gpedit.msc to open local group policy editor.

2, Navigate to the following location to check the setting "Allow log on locally" to see what users and group included. Please confirm if it is the same as the one you configured. And if there's any group which may include the global admin you test.

User's image

Meanwhile, to add Microsoft Entra user into local group, you can add them via Local user group membership policy.

https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#manage-local-groups-on-windows-devices

Please check the above information and if there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Michael Malambri 25 Reputation points

2024-12-11T04:49:05.9366667+00:00

Thank you for you for this reply. Your answer pointed me in the right direction. I have made some progress. I had to recreate the VM and at the time of creation, select the "Entra ID Login" option under Management. I can now get past the RDP prompt but am now greeted by an error at the VM sign in screen. It is "your account is configured to prevent you from using this device. Please contact your system administrator."

I think that I may be able to fix this by enrolling the device in Intune. However, part of me wants to try and figure this out using only Entra ID as it seems it's possible to do so without Intune. Maybe someone can point me in the right direction on how to fix this error without Intune?
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2024-12-11T05:23:02.6466667+00:00

@Michael Malambri, Thanks for the reply. For your error message, after researching more, I find a similar link describe this. It mentions to ensure that your user account has the Virtual Machine User Login role assigned to the VM or the resource group containing the VM. Maybe it can help.

https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-azure-ad-connections#your-account-is-configured-to-prevent-you-from-using-this-device
Michael Malambri 25 Reputation points

2024-12-11T14:22:13.6366667+00:00
Thank you for your reply and help. I have ensured that the user account has the virtual machine user login role on the resource group. That got me past a previous "user not authorized for remote login" error thrown by the RDP app. But i think you pointed me in the right direction. The article also says:

Does your Conditional Access policy exclude multifactor authentication requirements for the Azure Windows VM sign-in cloud application?

I tired to make a rule for this, but my conditional access does not show Azure Windows VM sign-in as an option to exclude (Im looking under "target resources". Maybe this is the wrong spot?)
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2024-12-12T01:37:28.05+00:00

@Michael Malambri, Thanks for the reply. Find a link describe this. You can try to see if it can help.

https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#missing-application
Michael Malambri 25 Reputation points

2024-12-12T03:27:48.89+00:00

Thank you. Microsoft Azure Windows Virtual Machine Sign-in is indeed missing from my tenant. I am not able to add it from the Entra Gallery. I will have to look into this deeper as the help article does not say what to do if the service principal is missing.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2024-12-12T05:49:12.83+00:00

@Michael Malambri, How about "Azure Windows VM Sign-in"? Is it existing after removing the filters to see all applications?
Michael Malambri 25 Reputation points

2024-12-12T16:48:59.9733333+00:00

You are awesome, I was able to find it! I made a new conditional access policy to exclude "Microsoft Azure Windows Virtual Machine Sign In". However, I am still getting the "your account is configured to prevent you from using this pc.". Thank you for your help. I'm giving up on this... Local accounts it is.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2024-12-13T02:08:22.4933333+00:00

@Michael Malambri, Thanks for the reply. I notice we create a new conditional access policy.to exclude "Microsoft Azure Windows Virtual Machine Sign In". Based as I know, the previous conditional access policy cans be still applied which can cause issue. You can check the sign in log to double confirm on this.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access

I suggest excluding the test user from the previous conditional access as well to see if it works.
Michael Malambri 25 Reputation points

2024-12-17T15:22:21.8366667+00:00

Thanks for the reply. When I look at the log it says the sign in is successful. When checking the conditional access policy, I do not see any policies listed that affected sign-in which is strange. But it does say that sign-in can be interrupted by risk policy or sign in risk policy. I will look there next.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2024-12-18T01:52:47.8433333+00:00

@Michael Malambri, Thanks for the reply. I notice you will look at the risk policy or sign in risk policy. If there's any update, feel free to let me know.
Michael Malambri 25 Reputation points

2024-12-18T22:12:02.11+00:00

Crystal, thank you for your support on this. The issue was resolved. I will post resolution in the main thread.

Share via

Azure VM User Access Rights

2 additional answers

Your answer