Unable to use AAD login via Azure Bastion despite full configuration

Ryan Warrener 0 Reputation points
2025-04-18T11:45:58.13+00:00

We have deployed a Windows Server 2022 VM with AADLoginForWindows extension installed, CloudAP provider confirmed, and all NSG/RBAC prerequisites in place. Bastion host is deployed with Standard SKU and enableTunneling=true. We launch az network bastion rdp --auth-type aad from Windows CLI, and it opens the native RDP client as expected.

However, login attempts always result in Event ID 4625 and 4776, with AuthenticationPackage: NTLM, LogonProcessName: NtLmSsp, and SubStatus: 0xC0000064.

This indicates a fallback to NTLM instead of AAD token-based auth, despite the full environment being configured correctly. We have rebuilt the Bastion host, tried multiple OS images, confirmed CloudAP presence, and verified all token path dependencies.

We believe the issue is with token injection failure at the Bastion layer, possibly region-specific (australiaeast) or related to Bastion platform bugs.

Are you able to assist in resolving the failure to initiate the AAD login handshake?


1 answer

  1. Venkat V 2,545 Reputation points Microsoft External Staff Moderator
    2025-04-22T13:27:06.52+00:00

    Hi @Ryan Warrener

    You may follow the troubleshooting steps below to resolve the issue. Configure Bastion for native client connections.

    1. To allow a user to sign in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the Virtual Machine resource.
    2. Disable NTLM by navigating to your VM > Run command > DisableNLA
    3. Make sure to add the same user to the Remote Desktop Users group using the command below.

    net localgroup "Remote Desktop Users" /add "AzureAD\******@Testdemo.onmicrosoft.com"

    Ex: user VPN:******@Testdemo.onmicrosoft.com

    Get-LocalGroupMember -Name "Remote Desktop users"

    4. Verify the device join status by navigating to Entra AD > Devices.
    5. Check the Azure AD join status on the VM by running dsregcmd /status
    6. To log in, you need to prefix your username with 'AzureAD'

    For example: "AzureAD\<username>@something.com"

    Verify that you have the following prerequisites to connect to a VM using Bastion and the Windows native client.
    If you are still facing the issue, you can refer to the 'Connect to a VM using Bastion and the Windows native client' documentation for more details.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

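The question reports failed logons with AuthenticationPackage NTLM, LogonProcessName NtLmSsp and SubStatus 0xC0000064, and the answer asks for the Entra ID join state (dsregcmd /status) and the Remote Desktop Users membership to be checked. The script below is an added example, written for this thread and not posted by either participant, that collects those three signals on the VM in one run so they can be compared side by side. It assumes it is run in an elevated PowerShell session on the Windows Server 2022 VM itself, that the Security log still holds the events of interest, and that the English event-message field names ("Authentication Package", "Logon Process", "Sub Status") are present; the `$Hours` parameter and the `Get-RdpLogonDiagnostics` name are the example's own.

```powershell
# Added diagnostic example for this thread (not the original poster's or Microsoft's script).
# Assumes: elevated PowerShell on the target VM, English event-log messages, Security log retained.
# Usage:  .\Get-RdpLogonDiagnostics.ps1 -Hours 24

param(
    [int]$Hours = 24   # how far back to look in the Security log (assumption: recent events are enough)
)

# 1. Entra ID (Azure AD) join state, taken from the same dsregcmd /status output the answer refers to.
#    Only the lines that matter for AAD sign-in are kept.
$joinState = [ordered]@{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceAuthStatus|TenantName)\s*:\s*(.+?)\s*$') {
        $joinState[$Matches[1]] = $Matches[2]
    }
}
"== Device join state (dsregcmd /status) =="
$joinState.GetEnumerator() | ForEach-Object { "{0,-18} {1}" -f $_.Key, $_.Value }

# 2. Remote Desktop Users membership. Entra ID identities are listed as 'AzureAD\user@tenant',
#    which is the form the answer's 'net localgroup' command adds.
"== Remote Desktop Users members =="
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop |
    ForEach-Object { "  {0}  ({1})" -f $_.Name, $_.PrincipalSource }

# 3. Recent failed logons. 4625 carries the package / logon-process / sub-status fields the question
#    quotes; 4776 is the credential-validation event that accompanies an NTLM attempt.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Sub-status 0xC0000064 from the question is STATUS_NO_SUCH_USER: the name presented to NTLM was not
# found locally, which is what an 'AzureAD\user@tenant' name looks like to an NTLM fallback.
$subStatusText = @{ '0xC0000064' = 'STATUS_NO_SUCH_USER (account name not found)' }

"== Failed logons since $since =="
foreach ($ev in $events) {
    $msg = $ev.Message
    if ($ev.Id -eq 4625) {
        # The 4625 message has two 'Account Name' fields; the second belongs to the account that failed.
        $acct = if ($msg -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s*(\S+)') { $Matches[1] } else { 'n/a' }
        $pkg  = if ($msg -match 'Authentication Package:\s*(\S+)') { $Matches[1] } else { 'n/a' }
        $proc = if ($msg -match 'Logon Process:\s*(\S+)')          { $Matches[1] } else { 'n/a' }
        $sub  = if ($msg -match 'Sub Status:\s*(0x[0-9A-Fa-f]+)')   { $Matches[1] } else { 'n/a' }
    } else {
        $acct = if ($msg -match 'Logon Account:\s*(\S+)')          { $Matches[1] } else { 'n/a' }
        $pkg  = if ($msg -match 'Authentication Package:\s*(\S+)') { $Matches[1] } else { 'n/a' }
        $proc = 'n/a'
        $sub  = if ($msg -match 'Error Code:\s*(0x[0-9A-Fa-f]+)')   { $Matches[1] } else { 'n/a' }
    }
    [pscustomobject]@{
        Time         = $ev.TimeCreated
        Id           = $ev.Id
        Account      = $acct
        Package      = $pkg
        LogonProcess = $proc
        SubStatus    = $sub
        Meaning      = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { '' }
        NtlmFallback = ($pkg -eq 'NTLM' -or $proc -eq 'NtLmSsp')
    }
}
```

Reading the output: if `AzureAdJoined` is YES, the AAD account is in Remote Desktop Users, and the 4625 rows still show `NtlmFallback` True with STATUS_NO_SUCH_USER, the VM-side prerequisites from the answer are in place and the failure is upstream of the VM, which is the conclusion the question itself reaches; if any of the first two checks is off, that is the thing to fix before looking at Bastion.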
