Enable Azure VM login using Entra ID

Ming Yu 65 Reputation points
2025-05-19T14:28:36.9466667+00:00

To whom it may concern:

We followed the instructions at https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows trying to enable access to our Azure VMs using MS Entra ID.

Specifically, we used the following PowerShell command to add the AADLogin extension to the VM successfully:

az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group myResourceGroup --vm-name myVM


We also created a new user group "VM Admin Login", added user to it, and assigned the user group "Virtual Machine Administrator Login" role to the VM:


We also followed instructions at https://learn.microsoft.com/en-us/azure/bastion/native-client to enable native client connection support in the bastion service and we were able to connect to the VM through native connection mode by running command:

However, as shown in the above screenshot, when I tried to log in using my Entra ID (i.e., azuread<username>@<domain.com>), I got the error message "The logon attempt failed".

I verified that my entra ID was added to user group "VM Admin Login".

Any suggestion or idea on what I might have missed in setting up and attempting to log in using my company's Entra ID credential?

Thank you and look forward to your response.


2 answers

  1. Michele Ariis 6,260 Reputation points MVP
    2025-05-19T14:59:53.3533333+00:00

    Hi, if you hit the “logon attempt failed” loop when using Entra ID with Bastion or native RDP, here's the fastest fix:

    - Update the AAD extension on the VM to version ≥ 2.2.0 — older versions (like 1.3.0) don’t support Entra over Bastion.

    - Use --auth-type AAD when launching Bastion via CLI — without it, the RDP file won’t trigger web-based auth and Entra login will fail.

    - Log in using AzureAD******@domain.com (or just the UPN if a web prompt appears).

    - Make sure your client PC is Entra registered or joined — otherwise AAD login isn’t allowed.

    - Check RBAC: you need at least Reader + Virtual Machine User/Admin Login on the VM, NIC, and Bastion.

    - If it still fails, check that the RDP file has enablerdsaadauth:i:1, make sure the VM name matches its Entra device object, avoid using guest accounts, and ensure the VM is properly Entra-joined (dsregcmd /status inside the VM).

    One-liner to do it all:

    az network bastion rdp -n BastionName -g BastionRG --target-resource-id <VMID> --auth-type AAD --enable-mfa true --configure
    

    Bottom line: upgrade the extension, pass the right flag, and log in from an Entra-aware device; that fixes almost every case.
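Added example, not part of the answer above: a pre-flight script that turns the checklist into commands (extension version, VM login role holders, and the enablerdsaadauth flag in a generated .rdp file). Resource names are placeholders and the az calls assume an already logged-in Azure CLI.

```shell
#!/usr/bin/env bash
# Pre-flight checks for Entra ID sign-in to a Windows VM over Bastion.
# RG/VM names are placeholders (assumed); az calls need a logged-in az CLI.
RG="${RG:-myResourceGroup}"
VM="${VM:-myVM}"

# version_ge A B: succeeds when dotted version A >= B (2.2.1 >= 2.2.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0; if (xi < yi) exit 1
    }
    exit 0 }'
}

# rdp_has_aad_auth FILE: succeeds when the .rdp file contains the setting
# that makes the RDP client use web-based Entra auth (CRLF tolerated).
rdp_has_aad_auth() {
  grep -qi '^enablerdsaadauth:i:1[[:space:]]*$' "$1"
}

# Version of AADLoginForWindows actually running, from the VM instance view.
installed_aad_extension_version() {
  az vm get-instance-view -g "$RG" -n "$VM" -o tsv \
    --query "extensions[?name=='AADLoginForWindows'].typeHandlerVersion | [0]"
}

# Users/groups holding a VM login role on the VM, including assignments
# inherited from the resource group or subscription. A group listed here
# means the signing-in account must be a member of that group.
vm_login_principals() {
  local id
  id=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
  az role assignment list --scope "$id" --include-inherited -o tsv --query \
    "[?roleDefinitionName=='Virtual Machine Administrator Login' || roleDefinitionName=='Virtual Machine User Login'].principalName"
}

# run_checks [FILE.rdp]: report extension version, role holders, RDP flag.
run_checks() {
  local v; v=$(installed_aad_extension_version)
  if version_ge "${v:-0}" 2.2.0; then echo "extension $v: OK"
  else echo "extension ${v:-missing}: below 2.2.0, update it"; fi
  echo "VM login role holders:"; vm_login_principals
  if [ -n "${1:-}" ]; then
    rdp_has_aad_auth "$1" && echo "RDP file uses Entra auth" \
      || echo "RDP file lacks enablerdsaadauth:i:1 (use --auth-type AAD)"
  fi
}

if [ "${1:-}" = "--run" ]; then run_checks "${2:-}"; fi
```

Run as `./preflight.sh --run path/to/file.rdp` after generating the RDP file with `az network bastion rdp ... --auth-type AAD --configure`; without arguments the script only defines the functions.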


  2. Nikhil Duserla 9,280 Reputation points Microsoft External Staff Moderator
    2025-05-21T18:28:57.77+00:00

    Hello @Ming Yu,

    Thank you for your time over the call. As discussed, create an image of a VM by referring to this link: https://learn.microsoft.com/en-us/azure/virtual-machines/capture-image-portal and use the same image while deploying the VM: https://learn.microsoft.com/en-us/azure/virtual-machines/vm-generalized-image-version?tabs=portal%2Ccli2%2Ccli3%2Ccli4

    Once you mark a VM as generalized in Azure, you cannot restart the VM. Legacy managed images are automatically marked as generalized.

    When capturing an image of a virtual machine in Azure, the virtual machine will be temporarily stopped to ensure data consistency and prevent any potential issues during the image creation. This is because capturing an image requires a point-in-time snapshot of the virtual machine's disk. To avoid disruptions in a production environment, it's recommended you schedule the image capture process during a maintenance window or a time when the temporary downtime won't impact critical services.

    If you have any further queries, do let us know.

    If you found this informative, please consider accepting an answer as a token of appreciation. And don't forget to give it a thumbs up 👍 if it was helpful.
