Azure Bastion Not Showing Azure Active Directory Login Option Despite Full Configuration

Manoj 25 Reputation points
2025-05-28T02:13:01.44+00:00

Hello Azure Support,

I’m encountering an issue where Azure Bastion does not show the "Azure Active Directory" authentication option when connecting to a Windows Server 2022 Datacenter (Azure Edition) VM that is correctly configured for AAD login.

✅ Configuration Details:

VM OS: Windows Server 2022 Datacenter – Azure Edition

AAD Join: dsregcmd /status confirms AzureAdJoined : YES

Extension: AADLoginForWindows installed, version 2.2.0.0

RBAC: Virtual Machine Administrator Login role assigned to my AAD user at the VM level

Local Admin Group: AAD user is added via Add-LocalGroupMember and confirmed in Administrators group

SID Cleanup: Corrupt local group member SIDs removed

System-assigned identity: Enabled on the VM

Network: Bastion is deployed in the same VNet and subnet (AzureBastionSubnet)

Bastion Tier: Standard

Browser/Cache: Tried from Incognito mode with cleared cache

Bastion: Deleted and recreated from scratch

Despite all of the above, the Bastion authentication dropdown only shows “VM Password” and not “Azure Active Directory”.


Accepted answer
    G Sree Vidya 2,360 Reputation points Microsoft External Staff Moderator
    2025-05-29T02:26:34.3433333+00:00

    Hello Manoj

    It looks like you are facing the same issue as before. Could you please confirm if you have reviewed the steps suggested by Rohit? https://learn.microsoft.com/en-us/answers/questions/2277656/azure-bastion-not-showing-azure-active-directory-l

    Please check the troubleshooting steps below for AAD authentication for Bastion.

    1. Review Bastion logs to see if there are any errors related to token injection or authentication failures.
    2. Please verify token acquisition by running az account get-access-token to confirm that your local machine can retrieve an Azure AD token.
    3. Some users have reported region-specific issues affecting Bastion authentication. If possible, test in a different Azure region.
    4. Run az extension update --name bastion to ensure you're using the latest Bastion CLI extension.
    5. Please check by disabling NTLM Fallback, since some users have resolved authentication issues by adding a registry key to disable NTLM fallback. Disable NTLM by navigating to your VM > Run command > DisableNLA.

    Refer to this article: https://learn.microsoft.com/en-us/answers/questions/2259295/unable-to-use-aad-login-via-azure-bastion-despite

    Some users have reported issues that seem to be region-specific. If possible, try creating a new Bastion instance in another Azure region and see if the issue persists.

    Note: Double-check that all necessary roles and permissions are correctly assigned to your Azure Active Directory user for accessing the VM through Bastion.

    For your reference, please review the following documentation: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    I kindly request you to ensure that the system-assigned managed identity is enabled on your virtual machine before installing the Microsoft Entra login VM extension. You can follow these steps to enable the system-assigned managed identity on your VM:

    1. Sign in to the Azure portal using an account associated with the Azure subscription containing the VM.
    2. Navigate to the desired Virtual Machine and select Identity.
    3. Under System assigned, set the Status to On and then select Save.

    For more details, please refer to: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities?pivots=qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm

    Additionally, I suggest opening the RDP file you downloaded to connect to the VM in Notepad and editing it as follows:

    • enablecredsspsupport:i:0 - With this option, RDP won't use CredSSP, even if the operating system supports CredSSP.
    • authentication level:i:2 - With this option, if server authentication fails, show a warning and choose to connect or refuse the connection.

    For more information, please refer to: https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties?context=%2Fwindows-server%2Fcontext%2Fwindows-server-remote-desktop-services

    Lastly, please log in to the VM with a local user account, navigate to System in the Control Panel, select Remote Settings, and uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" as shown in the screenshot below. This should be disabled if you are connecting from an unregistered device.



    I hope this information is helpful! If my answer helped you resolve your issue, please consider marking it as the correct answer or Upvote. This helps others in the community find solutions more easily. Thanks!
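As an added example that is not part of the thread, the following Python checker evaluates the prerequisites the answer walks through (system-assigned identity, AADLoginForWindows extension, a VM login role whose scope covers the VM, Standard-tier Bastion) against JSON documents such as those returned by `az vm show`, `az role assignment list --assignee <user> --scope <vm-id>` and `az network bastion show`. The field names are assumptions modelled on Azure CLI output, and the sample documents are constructed to mirror the configuration described in the question.

```python
# Added example (not from the thread): evaluate Bastion Entra ID login prerequisites from JSON.
# Field names are assumptions modelled on Azure CLI output: `az vm show`,
# `az role assignment list --assignee <user> --scope <vm-id>`, `az network bastion show`.
LOGIN_ROLES = {"Virtual Machine Administrator Login", "Virtual Machine User Login"}
AAD_EXT_PUBLISHER = "Microsoft.Azure.ActiveDirectory"
AAD_EXT_TYPE = "AADLoginForWindows"

def scope_covers(scope: str, vm_id: str) -> bool:
    """True if a role assignment scope applies to the VM (exact match or an ancestor scope)."""
    scope, vm_id = scope.lower().rstrip("/"), vm_id.lower()
    return bool(scope) and (vm_id == scope or vm_id.startswith(scope + "/"))

def check_prereqs(vm: dict, roles: list, bastion: dict) -> list:
    """Return one finding per missing prerequisite; an empty list means all checks passed."""
    findings = []
    # 1. System-assigned managed identity must be enabled before the extension is installed
    if "SystemAssigned" not in ((vm.get("identity") or {}).get("type") or ""):
        findings.append("VM has no system-assigned managed identity")
    # 2. AADLoginForWindows extension must be present and successfully provisioned
    ext = [e for e in vm.get("resources") or []
           if e.get("publisher") == AAD_EXT_PUBLISHER and e.get("typePropertiesType") == AAD_EXT_TYPE]
    if not ext:
        findings.append("AADLoginForWindows extension not installed")
    elif ext[0].get("provisioningState") != "Succeeded":
        findings.append(f"AADLoginForWindows extension state is {ext[0].get('provisioningState')}")
    # 3. The signing-in user needs a VM login role whose scope covers this VM
    vm_id = vm.get("id") or ""
    if not any(r.get("roleDefinitionName") in LOGIN_ROLES and scope_covers(r.get("scope") or "", vm_id)
               for r in roles):
        findings.append("no Virtual Machine Administrator/User Login role covering the VM")
    # 4. Entra ID login in the connect dialog needs at least the Standard SKU (Premium also qualifies)
    sku = (bastion.get("sku") or {}).get("name") or "unknown"
    if sku not in ("Standard", "Premium"):
        findings.append(f"Bastion SKU is {sku}; Standard or Premium required")
    return findings

# Constructed samples mirroring the configuration the question describes.
SAMPLE_VM = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo",
    "identity": {"type": "SystemAssigned"},
    "resources": [{"publisher": AAD_EXT_PUBLISHER, "typePropertiesType": AAD_EXT_TYPE,
                   "typeHandlerVersion": "2.2", "provisioningState": "Succeeded"}],
}
SAMPLE_ROLES = [{"roleDefinitionName": "Virtual Machine Administrator Login", "scope": SAMPLE_VM["id"]}]
SAMPLE_BASTION = {"sku": {"name": "Standard"}}

if __name__ == "__main__":
    print(check_prereqs(SAMPLE_VM, SAMPLE_ROLES, SAMPLE_BASTION) or ["all prerequisites present"])
```

An empty result means the control-plane prerequisites are in place, which narrows the remaining suspects to the in-guest items the thread covers (NLA/CredSSP settings and the local Administrators group).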

