Cannot login to Azure Windows 11 VM from a Entra user account

Question

Cannot login to Azure Windows 11 VM from a Entra user account

Stephen Thomas Wheeler 26

I have created an Azure Windows 11 Pro VM. I can use RDP to login using the default local username that was entered when I created the VM, but cannot login using an Entra Id user account. I have tried many, many combinations without success. I have turned off the NLA. I have tried it from a domain joined PC and a non-domain joined PC.

I have the AADLoginForWindows Extension installed and enabled

I have set the role for the domain users to Virtual Machine User Login or Virtual Machine Administrator Login

I keep getting "Your credentials did not work"

This is a really annoying issue and logging in to a Azure VM from a Entra Id user account should not be so difficult.

Stephen Thomas Wheeler 26 Reputation points

2025-04-17T01:15:07.5766667+00:00

So I have been able to login using Entra ID accounts which is great. I think there were a couple of got-ya issues including prepending the login name with AzureAd and adding the users to the PC accounts.

But I still have 2 issues: 1) I cannot login with a Extra Id user that has admin role. How can that be enabled? I can login local admin, or Entra users that are not admin.

And the big question is: I want to get the logged in user UPN but cannot seem to do this. If I look at the UserName and UserDomain it is Domain\username what I need is the form of the UPN something like ******@domain.com

Any suggestions?

Accepted answer

1 additional answer

Your answer

Stephen Thomas Wheeler 26 Reputation points

2025-04-17T01:15:07.5766667+00:00

So I have been able to login using Entra ID accounts which is great. I think there were a couple of got-ya issues including prepending the login name with AzureAd and adding the users to the PC accounts.

But I still have 2 issues: 1) I cannot login with a Extra Id user that has admin role. How can that be enabled? I can login local admin, or Entra users that are not admin.

And the big question is: I want to get the logged in user UPN but cannot seem to do this. If I look at the UserName and UserDomain it is Domain\username what I need is the form of the UPN something like ******@domain.com

Any suggestions?

Answer 1

Hi Stephen Thomas Wheeler,

Thanks for your post. Please make sure you have enabled MDM autoenrollment, which requires Microsoft Entra ID P1 licenses. After you enable this capability, your Windows VMs in Azure will be Microsoft Entra joined. You cannot join them to another domain, like on-premises Active Directory or Microsoft Entra Domain Services. If you need to do so, disconnect the VM from Microsoft Entra ID by uninstalling the extension. In addition, if you deploy a supported golden image, be aware that you can enable Entra ID authentication installing after the deployment the dedicated extension.

Reference: Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Best Regards,

Ian Xue

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Marcin Policht 50,735 MVP Volunteer Moderator

Follow https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Stephen Thomas Wheeler 26 Reputation points

2025-03-22T15:13:47.1933333+00:00

Thanks for your reply. Unfortunately, I am still having the same issue. I have followed that guide to the letter and tried in several different times. I can login via RDP using the local account that is created during VM provisioning. I have the roles set and have the extension installed. But I still cannot connect to the VM via RDP using an Entra user. The VM is Entra joined. I have spent hours on this issue and have seen it in many post online, but none of the suggests have resolved the issue. I am using Windows Pro 10 and 11 images provided via the Azure market by Microsoft. Suggestions welcome.
Stephen Thomas Wheeler 26 Reputation points

2025-03-22T15:16:35.9633333+00:00

oh, and I have tried it with NLA both on and off without success.
Marcin Policht 50,735 Reputation points MVP Volunteer Moderator

2025-03-22T15:33:38.4833333+00:00

Keep in mind the following (you should NOT be using AD domain-joined computers - but Entra joined computers):

Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are either Microsoft Entra registered (minimum required build is 20H1) or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

If you're using a Microsoft Entra registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\******@contoso.com).

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Stephen Thomas Wheeler 26 Reputation points

2025-03-22T16:07:47.6333333+00:00

yes the VM is Entra joined. I am using the AzureAD\userprincipalname format. And am trying to login from a windows 10 machine that is Entra registered. The VM shows in Entra All Devices as Microsoft Entra Joined. I can connect and get the credentials login box. The response I always get is "Your credentials did not work" so it seems that it is trying to authenticate but fails. I have added the roles for VM access both to the VM and the resource group that contains it.

Share via

Cannot login to Azure Windows 11 VM from a Entra user account

1 additional answer

Your answer