Azure Windows VM Sign-In Application shows wrong IP address in Sign-In logs

Lukas Lohrsträter 20 Reputation points
2025-01-22T17:50:22.84+00:00

Hello,

I provisioned an Azure VM with Entra ID authentication enabled.

The necessary RBAC assignment for the login is in place.

When attempting to log in using RDP from our corporate network, I receive an error with code 16000.

I checked the Sign-In logs for my user to figure out what the issue is.

User sign-ins (interactive) show my Sign-in to Application "Microsoft Remote Desktop Client" as Success with our corporate public IP as source.

User sign-ins (non-interactive) show "Windows Sign In" as failure. Our Conditional Access Policy blocks it because the request seems to originate from an untrusted location. According to the logs, the request originated from an IP address that is owned by Microsoft instead of from our corporate public IP.

I could create an exemption for the "Windows Sign In" application in our Conditional Access policy, but before I do, I would like to understand why this unknown IP is used for the sign-in.

It is the same IP that is also used for "Microsoft Authentication Broker", which makes me believe that the request is routed through some kind of proxy owned by Microsoft.

I was not able to find any documentation explaining this behavior.

Microsoft Entra ID

Accepted answer
  1. Goutam Pratti 1,565 Reputation points Microsoft Vendor
    2025-01-23T23:16:46.1433333+00:00

    Hello @Lukas Lohrsträter ,

    Thank you for reaching out to Microsoft Q&A.

    I understand that you want to know why, in the non-interactive sign-in logs, the request originated from an IP address that is owned by Microsoft. This is because the address gets tracked in sign-in logs when any Azure services are accessed.

    Additionally, the events shown are non-interactive user login events for the VM, which means the IP address will appear to come from the external IP address from which your VM accesses Microsoft Entra ID.


    For additional information, you can follow these documents: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins
    https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-client-microsoft-store?source=recommendations

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.

    Regards,
    Goutam Pratti.

    1 person found this answer helpful.
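
Before exempting "Windows Sign In" from a Conditional Access policy, the behaviour described in this answer can be checked against exported sign-in records. The following is an added example, not part of the original thread and not Microsoft code: it labels each blocked non-interactive "Windows Sign In" event by whether its source is the VM's own outbound IP and whether a successful corporate-network "Microsoft Remote Desktop Client" sign-in by the same user preceded it. The record keys follow Microsoft Graph `signIn` property names; the IP ranges, VM address, users, time window and function names are constructed assumptions to replace with your own.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: constructed placeholder values, replace with your own.
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]  # trusted named location
VM_EGRESS_IPS = {ip_address("198.51.100.20")}      # public IP the VM uses outbound
WINDOW = timedelta(minutes=5)                      # max gap between the two events

def rec(ts, upn, app, ip, interactive, ca):
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "ipAddress": ip, "isInteractive": interactive, "conditionalAccessStatus": ca}
# Constructed sample export (Microsoft Graph signIn property names), not real log data.
SAMPLE = [
    rec("2025-01-22T17:40:01Z", "alice@contoso.example",
        "Microsoft Remote Desktop Client", "203.0.113.10", True, "success"),
    rec("2025-01-22T17:40:09Z", "alice@contoso.example",
        "Windows Sign In", "198.51.100.20", False, "failure"),
    rec("2025-01-22T19:02:30Z", "bob@contoso.example",
        "Windows Sign In", "192.0.2.77", False, "failure"),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_blocked_windows_sign_ins(records):
    """Label each Conditional Access-blocked non-interactive 'Windows Sign In'."""
    rdp_ok = [r for r in records
              if r["isInteractive"]
              and r["appDisplayName"] == "Microsoft Remote Desktop Client"
              and any(ip_address(r["ipAddress"]) in net for net in CORPORATE_RANGES)]
    results = []
    for r in records:
        if (r["isInteractive"] or r["appDisplayName"] != "Windows Sign In"
                or r["conditionalAccessStatus"] != "failure"):
            continue
        paired = any(p["userPrincipalName"] == r["userPrincipalName"]
                     and timedelta(0) <= _ts(r["createdDateTime"]) - _ts(p["createdDateTime"]) <= WINDOW
                     for p in rdp_ok)
        if ip_address(r["ipAddress"]) not in VM_EGRESS_IPS:
            label = "unknown_source"        # not the VM: investigate
        elif paired:
            label = "vm_egress_paired"      # matches the behaviour in the answer
        else:
            label = "vm_egress_unpaired"    # VM IP, but no corporate RDP sign-in first
        results.append((r["userPrincipalName"], r["ipAddress"], label))
    return results

if __name__ == "__main__":
    print(*classify_blocked_windows_sign_ins(SAMPLE), sep="\n")
```

Only events labelled `vm_egress_paired` fit the explanation given in the answer; the other two labels are sign-ins that a blanket application exemption would stop blocking.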
