Unable to Log into Azure VDI Computer From On-premises Hybrid Accounts

Question

Unable to Log into Azure VDI Computer From On-premises Hybrid Accounts

Mike 5

We have a hybrid environment with on-premises Active Directory controllers synchronizing to Azure. Nearly all of our on-premises accounts are synched to Entra.

I just created a new VDI host pool in Azure. The host pool is not joined to Active Directory--it is Entra ID joined. I gave all accounts in Entra the Virtual Machine User Login role for this virtual machine. Under Application Group > Assignments, I assigned permissions to allow login from both on-premises/hybrid accounts and some cloud only accounts.

Problem: The cloud-only accounts are the only accounts that can login to the VDI machines. Whenever a hybrid/AD synched account tries to login, the remote desktop app states "The logon attempt failed". How do I allow on-prem/hybrid accounts to log into this VDI computer?

Also, on the VM I go to Computer Management > Local Users and Groups > Remote Desktop Users. In there, I do see the on-premises account listed as AzureAD<onpremaccount>. But that account still cannot login.

2 answers

Your answer

Answer 1

Marcin Policht 49,640 MVP Volunteer Moderator

Refer to https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication

When accessing Azure Virtual Desktop using hybrid identities, sometimes the User Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and Microsoft Entra ID don't match. For example, the AD account user@contoso.local may correspond to ******@contoso.com in Microsoft Entra ID. Azure Virtual Desktop only supports this type of configuration if either the UPN or SID for both your AD and Microsoft Entra ID accounts match. SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Mike 5 Reputation points

2025-03-04T15:40:05.11+00:00

Hi Marcin, thank you for the response. I went ahead and confirmed that the UPN for the account in the cloud matches the UPN in Active Directory. They are identical, yet the problem remains.

Now I'm hearing some talk about setting up 'Federated sign in' inside Entra Connect. I'm trying to get more information about it. Currently our logins are set to 'passthrough'.

If you have any other ideas, do let me know.
Mike 5 Reputation points

2025-03-04T15:42:20.23+00:00

Hi Marcin, thank you for the response. I confirmed that the UPN in the cloud is identical to the UPN in Active directory. Unfortunately the problem still remains.

As a side note, there is some talk on the internet about setting up federated sign-in. Currently our sign-in is configured to 'passthrough' in Entra Connect. I'm looking into this more.

The problem remains. If you have any additional ideas, let me know.
Mike 5 Reputation points

2025-03-04T17:14:56.23+00:00

Here is some additional information. I don't believe the issue is a VDI problem. On the VDI computer, I log in with a cloud-only account. Now I'm at the desktop (Windows 11). I then right-click the start button and run terminal as administrator. I'm asked for credentials.

If I use a cloud-only account without admin permissions, I get the following error: The requested operation requires elevation.

If I use a on-premises synched account without admin rights, I get the following error: The username or password is incorrect.

It appears that the workstation is not talking to active directory at all. But what is strange is my local laptop is Entra ID joined (not hybrid joined) and I have no problems logging in with AD-synched accounts.
Pramidha Yathipathi 1,135 Reputation points Microsoft External Staff Moderator

2025-03-05T05:07:08.6+00:00
Hi Mike,

I see you are troubleshooting this issue with Marcin Policht. Please follow below steps and see if it helps

Try to reach the on-prem authentication agents.

nslookup yourdomain.com

telnet authenticationagent.yourdomain.com 443

Verify that PTA agents are running and healthy in Entra ID:

Go to Microsoft Entra ID → Authentication Methods → Pass-through authentication

Ensure at least one Authentication Agent is online.

If no agents are available, authentication will fail.

Solution:

If PTA is unreliable, try temporarily enabling Password Hash Sync (PHS) for testing.

OnPremisesSecurityIdentifier (SID) Mismatch

Even though the UPNs match, the SID of the AD account and the one stored in Entra ID might not match, causing login failures.

Check:

Run the following PowerShell command in Entra ID:

Get-MgUser -UserId ******@contoso.com | Select-Object OnPremisesSecurityIdentifier

Compare this OnPremisesSecurityIdentifier with the ObjectSID of the same user in AD:

Get-ADUser -Identity ******@contoso.com -Properties ObjectSID

If they do not match, authentication will fail.

Solution:

• If there’s a mismatch, consider re-synchronizing the account or checking for duplicate accounts in AD and Entra.

Please let us know if it was helpful and feel free to reach out if you have any further queries. If you found the information useful, please click "Upvote" on the post to let us know.
Mike 5 Reputation points

2025-03-05T18:22:28.9133333+00:00

Found the solution. Currently we have MFA configured via conditional access AND some of our users have per-user MFA enabled. Our cloud-only accounts are newer and don't have the old per-user MFA setting configured. Because the on-prem accounts were older, they had per-user MFA enabled. This per-user MFA was causing the logins to fail.

Additional information:

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-desktop/troubleshoot-azure-ad-connections

VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor authentication. If you try to sign in with multifactor authentication on a VM, you won't be able to sign in and will receive an error message.
Pramidha Yathipathi 1,135 Reputation points Microsoft External Staff Moderator

2025-03-06T06:19:27.0033333+00:00

Hi Mike,

Good catch! Glad the issue is resolved for you finally. I will have this answer promoted by reposting it. As an Original Poster(You) will not be able to accept your own answer. This is in the attempt to help others looking for a solution for a similar issue. Thanks again for sharing the solution here. Have a good day!

Answer 2

Hi Mike,

Good catch! Glad the issue is resolved for you finally. I will have this answer promoted by reposting it. As an Original Poster will not be able to accept your own answer. This is in the attempt to help others looking for a solution for a similar issue.

Issue:

The cloud-only accounts are the only accounts that can login to the VDI machines. Whenever a hybrid/AD synched account tries to login, the remote desktop app states "The logon attempt failed". How do I allow on-prem/hybrid accounts to log into this VDI computer?

Solution:

Found the solution. Currently we have MFA configured via conditional access AND some of our users have per-user MFA enabled. Our cloud-only accounts are newer and don't have the old per-user MFA setting configured. Because the on-prem accounts were older, they had per-user MFA enabled. This per-user MFA was causing the logins to fail.

Additional information:

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-desktop/troubleshoot-azure-ad-connections

VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor authentication. If you try to sign in with multifactor authentication on a VM, you won't be able to sign in and will receive an error message.

User's image

Thanks again for sharing the solution here. Have a good day!

Share via

Unable to Log into Azure VDI Computer From On-premises Hybrid Accounts

2 answers

Your answer