Unable to log into Entra ID joined Azure VM

Question

Unable to log into Entra ID joined Azure VM

Charles Lakes II 20

I can access the VM using the admin account, but not with my Entra ID account. Per the "Support + troubleshooting" suggestions, I have reset the NIC a few times, also redeployed the solution a few times, gotten all green marks from the Azure check, and confirmed that the connectivity diagnostics reported no issue.

Speaking with a few people, I tried tweaking the RDP file and even found some curl commands to run on the VM as an admin, but I still cannot access the VM using my Entra ID account. My credentials are correct, but still no luck.

What am I missing?

Charles Lakes II 20 Reputation points

2025-04-29T04:53:42.16+00:00
Sanoop M 3,075 Reputation points Microsoft External Staff Moderator

2025-04-29T05:29:07.89+00:00
Hello @Charles Lakes II,

Based on your issue description, I understand that you are unable to access the Virtual Machine using your Microsoft Entra ID credentials, but you can able to access the Virtual Machine using your local admin account.

Please make sure if all the below mentioned Pre-requisites are met and the below steps are correctly configured.

Requirements

Supported Azure regions and Windows distributions

This feature currently supports the following Windows distributions:

Windows Server 2019 Datacenter and later

Windows 10 1809 and later

Windows 11 21H2 and later

Network requirements

To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443.

Azure Global:

https://enterpriseregistration.windows.net: For device registration.

http://169.254.169.254: Azure Instance Metadata Service endpoint.

https://login.microsoftonline.com: For authentication flows.

https://pas.windows.net: For Azure RBAC flows.

Azure Government:

https://enterpriseregistration.microsoftonline.us: For device registration.

http://169.254.169.254: Azure Instance Metadata Service endpoint.

https://login.microsoftonline.us: For authentication flows.

https://pasff.usgovcloudapi.net: For Azure RBAC flows.

Microsoft Azure operated by 21Vianet:

https://enterpriseregistration.partner.microsoftonline.cn: For device registration.

http://169.254.169.254: Azure Instance Metadata Service endpoint.

https://login.chinacloudapi.cn: For authentication flows.

https://pas.chinacloudapi.cn: For Azure RBAC flows.

Authentication requirements

Microsoft Entra Guest accounts can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.

Enable Microsoft Entra login for a Windows VM in Azure

Azure portal

You can enable Microsoft Entra login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.

To create a Windows Server 2019 Datacenter VM in Azure with Microsoft Entra login:

Sign in to the Azure portal by using an account that has access to create VMs, and select + Create a resource.

In the Search the Marketplace search bar, type Windows Server.

Select Windows Server, and then choose Windows Server 2019 Datacenter from the Select a software plan dropdown list.

Select Create.

On the Management tab, select the Login with Microsoft Entra ID checkbox in the Microsoft Entra ID section.

Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Microsoft Entra ID.

Go through the rest of the experience of creating a virtual machine. You have to create an administrator username and password for the VM.

Note

Please note that to sign in to the VM by using your Microsoft Entra credentials, you first need to configure role assignments for the VM.

Please make sure if you are having below mentioned two roles to be able to sign in to Virtual Machine using Microsoft Entra credentials.

Virtual Machine Administrator Login

Virtual Machine User Login

If you've configured a legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication setting, please make sure to disable the Per-user MFA setting for your affected Microsoft Entra ID user account.

Please provide the Error message screenshot you are getting when you are trying to access the VM using your Microsoft Entra ID credentials.

Reference document: Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

I've initiated a Private Message to gather additional information for a closer investigation on this issue. Please review it and update the requested details.
Raja Pothuraju 22,480 Reputation points Microsoft External Staff Moderator

2025-05-01T18:11:23.53+00:00

Hello @Charles Lakes II,

Just checking in to see if the steps shared by Sanoop helped resolve your issue. If not, please let me know your availability via private message, and we’ll continue the troubleshooting offline.
Charles Lakes II 20 Reputation points

2025-05-02T17:26:46.84+00:00

Hi, Sanoop. Thank you for the quick response and my apologies for the delayed response. I am still working through your suggested steps.

Hi, Raja. As I am still getting familiar with the networking aspect of Azure, it is taking me longer than expected to verify things per Sanoop's response while I juggle other projects. Though, I have confirmed the VM image is win11-22h2-avd. Now, I am researching how to allow the listed endpoints on port 443.
Sanoop M 3,075 Reputation points Microsoft External Staff Moderator

2025-05-06T01:59:20.0333333+00:00

Hello @Charles Lakes II,

I am following up to check whether if you had reviewed and followed all the above mentioned Pre-requisites and the suggested steps and please let me know if you have any queries.
Charles Lakes II 20 Reputation points

2025-05-06T22:58:47.94+00:00

I have reviewed, adhered to the above mentioned pre-reqs, and followed the suggested steps. Working with Raja, we tested some additional settings, and he is researching a quirk internally.
Raja Pothuraju 22,480 Reputation points Microsoft External Staff Moderator

2025-05-12T23:08:32.6966667+00:00

Hello @Charles Lakes II,

As discussed on our call, I’ve summarized the solution we followed. If all your concerns have been addressed, I would greatly appreciate it if you could mark the answer as “Accepted”. This helps both us and others in the community who may face similar issues.

Accepted answer

0 additional answers

Your answer

Charles Lakes II 20 Reputation points

2025-04-29T04:53:42.16+00:00
Raja Pothuraju 22,480 Reputation points Microsoft External Staff Moderator

2025-05-01T18:11:23.53+00:00

Hello @Charles Lakes II,

Just checking in to see if the steps shared by Sanoop helped resolve your issue. If not, please let me know your availability via private message, and we’ll continue the troubleshooting offline.
Charles Lakes II 20 Reputation points

2025-05-02T17:26:46.84+00:00

Hi, Sanoop. Thank you for the quick response and my apologies for the delayed response. I am still working through your suggested steps.

Hi, Raja. As I am still getting familiar with the networking aspect of Azure, it is taking me longer than expected to verify things per Sanoop's response while I juggle other projects. Though, I have confirmed the VM image is win11-22h2-avd. Now, I am researching how to allow the listed endpoints on port 443.
Sanoop M 3,075 Reputation points Microsoft External Staff Moderator

2025-05-06T01:59:20.0333333+00:00

Hello @Charles Lakes II,

I am following up to check whether if you had reviewed and followed all the above mentioned Pre-requisites and the suggested steps and please let me know if you have any queries.
Charles Lakes II 20 Reputation points

2025-05-06T22:58:47.94+00:00

I have reviewed, adhered to the above mentioned pre-reqs, and followed the suggested steps. Working with Raja, we tested some additional settings, and he is researching a quirk internally.
Raja Pothuraju 22,480 Reputation points Microsoft External Staff Moderator

2025-05-12T23:08:32.6966667+00:00

Hello @Charles Lakes II,

As discussed on our call, I’ve summarized the solution we followed. If all your concerns have been addressed, I would greatly appreciate it if you could mark the answer as “Accepted”. This helps both us and others in the community who may face similar issues.

Answer 1

Hi @Charles Lakes II,

Thank you for connecting with us offline.

Typically, issues signing in to a VM using Entra ID are related to Multi-Factor Authentication (MFA) being enforced through per-user MFA settings, Security Defaults, or Conditional Access policies.

You can refer to the following documentation to verify and manage the MFA status: Change the status for a user - Microsoft Learn

During our call, we observed that per-user MFA was enabled for your account. As per standard procedure, we disabled it; however, the sign-in issue persisted.

Upon further investigation, we found that Security Defaults were enabled in your tenant. While Security Defaults typically do not affect non-admin users signing into a VM, they do require Global Administrators to complete MFA. Since your account has the Global Administrator role assigned, MFA is still being enforced due to Security Defaults.

To work around this, we created a new Global Administrator account and a backup admin account, then removed the Global Administrator role from your main account. This allows you to sign in to the VM without being prompted for MFA.

Charles Lakes II 20 Reputation points

2025-05-14T02:10:39.8433333+00:00

Thank you for your help troubleshooting this.

Share via

Unable to log into Entra ID joined Azure VM

0 additional answers

Your answer