Azure VM (Failing to login with AAD password) PIN works...

Question

Azure VM (Failing to login with AAD password) PIN works...

Corey Mechalske 60

Came across a frustrating issue when trying to RDP or use Bastion via my AAD credentials. Keeps telling me my password is incorrect; however, it lets me log in with my PIN. I have all the proper extensions installed on my VM to be able to use my AAD credentials.

Copilot said this: ✅ Your VM is Azure AD Joined

IsDeviceJoined : YES
IsUserAzureAD : YES

However, there are a couple of red flags:

⚠️ Potential Issues

DeviceEligible : NO

This means the device is not eligible for automatic MDM enrollment, which could affect conditional access or token acquisition.

CertEnrollment : none and PreReqResult : WillNotProvision

These suggest that the device is not provisioning a Primary Refresh Token (PRT), which is required for AAD-based SSO and Bastion login.

🛠️ Suggested Fixes

✅ 1. Check Conditional Access Policies

Ensure there are no Conditional Access policies blocking token issuance or requiring compliant devices.

✅ 2. Enable PRT and MDM Enrollment

You may need to:

Assign an Azure AD Premium license to the user.
Ensure Intune MDM auto-enrollment is configured.
Reboot the VM and sign in again with an AAD user to trigger token provisioning.

✅ 3. Try Manual AAD Login via RDP

As a workaround, try connecting to the VM using the Remote Desktop client with AAD credentials:

Use the VM’s public IP (if available) or connect via Bastion in the portal.
Format the username as: AzureAD\yourUPN (e.g., AzureAD\******@yourdomain.com) ✅ Your VM is Azure AD Joined
- IsDeviceJoined : YES
- IsUserAzureAD : YES
However, there are a couple of red flags: ⚠️ Potential Issues 1. DeviceEligible : NO This means the device is not eligible for automatic MDM enrollment, which could affect conditional access or token acquisition. 2. CertEnrollment : none and PreReqResult : WillNotProvision These suggest that the device is not provisioning a Primary Refresh Token (PRT), which is required for AAD-based SSO and Bastion login. 🛠️ Suggested Fixes ✅ 1. Check Conditional Access Policies Ensure there are no Conditional Access policies blocking token issuance or requiring compliant devices. ✅ 2. Enable PRT and MDM Enrollment You may need to:
- Assign an Azure AD Premium license to the user.
- Ensure Intune MDM auto-enrollment is configured.
- Reboot the VM and sign in again with an AAD user to trigger token provisioning.
✅ 3. Try Manual AAD Login via RDP As a workaround, try connecting to the VM using the Remote Desktop client with AAD credentials:
- Use the VM’s public IP (if available) or connect via Bastion in the portal.
- Format the username as: AzureAD\yourUPN (e.g., AzureAD\******@yourdomain.com)

Anusree Nashetty 4,710 Reputation points Microsoft External Staff Moderator

2025-06-12T01:17:50.2166667+00:00

Hi Corey Mechalske,

As you can log in with a PIN but not your password suggests there might be an issue with Primary Refresh Token (PRT) provisioning or conditional access policies.

See that you have met all requirements to connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication. https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#requirements

Check Conditional Access + Licensing: Ensure your user has an Azure AD Premium P1 or P2 license. Make sure no Conditional Access policy is requiring compliant or Hybrid Azure AD Joined devices unless you meet that.
Corey Mechalske 60 Reputation points

2025-06-13T15:24:12.8533333+00:00
Thanks for your reply.

Check List-

No CA policies affecting me

VM running Windows 11 Pro OS

VM is Entra Joined

VM enrolled into Intune

My account has the virtual machine administrator logon IAM permission

My account has an Entra AD P2 license assigned

Updated RDP txt file with full address:s: x.x.x.x:3389 prompt for credentials:i:1 administrative session:i:1 enablecredsspsupport:i:1 authentication level:i:2 username:s:AzureAD\******@365internet-tech.com
Corey Mechalske 60 Reputation points

2025-06-13T16:31:57.3566667+00:00

Please see below

Corey Mechalske 60

        NgcSet : NO

       WorkplaceJoined : NO

         WamDefaultSet : YES

   WamDefaultAuthority : organizations

          WamDefaultId : https://login.microsoft.com


        
```+----------------------------------------------------------------------+

| SSO State                                                            |

+----------------------------------------------------------------------+

```yaml
            AzureAdPrt : YES

  AzureAdPrtUpdateTime : 2025-06-13 17:33:33.000 UTC

  AzureAdPrtExpiryTime : 2025-06-27 17:33:32.000 UTC

   AzureAdPrtAuthority : https://login.microsoftonline.com/c37f4203-8a5e-438f-aa15-bfda78f1cedf

         EnterprisePrt : NO

EnterprisePrtAuthority :

             OnPremTgt : NO

              CloudTgt : YES

     KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342
```+----------------------------------------------------------------------+

| Diagnostic Data                                                      |

+----------------------------------------------------------------------+

```yaml
    AadRecoveryEnabled : NO

Executing Account Name : AzureAD\, ******@365internet-tech.com

           KeySignTest : PASSED

    DisplayNameUpdated : Managed by MDM

      OsVersionUpdated : Managed by MDM

       HostNameUpdated : YES

  Last HostName Update : NONE
```+----------------------------------------------------------------------+

| IE Proxy Config for Current User                                     |

+----------------------------------------------------------------------+

```haskell
  Auto Detect Settings : YES

Auto-Configuration URL :

     Proxy Server List :

     Proxy Bypass List :
```+----------------------------------------------------------------------+

| WinHttp Default Proxy Config                                         |

+----------------------------------------------------------------------+

```sql
           Access Type : DIRECT
```+----------------------------------------------------------------------+

| Ngc Prerequisite Check                                               |

+----------------------------------------------------------------------+

```haskell
        IsDeviceJoined : YES

         IsUserAzureAD : YES

         PolicyEnabled : YES

      PostLogonEnabled : YES

        DeviceEligible : NO

    SessionIsNotRemote : NO

        CertEnrollment : none

          PreReqResult : WillNotProvision

Corey Mechalske 60 Reputation points

2025-06-13T17:58:04.87+00:00

I locked my azure vm and then was able to use my password to login to the VM....so, I'm getting closer.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-16T10:04:49.4233333+00:00

Hello Corey Mechalske,

As per your your logs

NgcSet: NO, DeviceEligible: NO, and PreReqResult: WillNotProvision indicate that Windows Hello for Business (WHfB) provisioning has not completed.

These values indicate that Windows Hello for Business (WHfB) has not been provisioned on the device.

As a result, Azure AD password sign-in at the RDP lock screen might fail initially. However, signing in with a PIN should still work, as it relies on a different authentication mechanism that doesn’t depend on WHfB being set up.

To Fix AAD Password Login Issue on VM

After logging into the VM, open gpedit.msc.

After opening the Group Policy Editor, navigate to:

Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business

and then enable Windows Hello for Business.

Next, run the below command in PowerShell to apply the policy:

gpupdate /force

Then manually trigger NGC setup in the virtual machine:

Open Settings > Accounts > Sign-in options.

Set up a PIN if prompted this will force NGC/Hello provisioning and PRT refresh.

Confirm success by using the PowerShell command

dsregcmd /status

Look in the output for:

NgcSet: YES, DeviceEligible: YES, PreReqResult: Provisioned

Then reboot and try password-based RDP login again.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-17T09:43:57.2+00:00

Hello Corey Mechalske,
following up on this. Did you get a chance to go through my suggestion? Hope it cleared your query. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-17T09:52:33.68+00:00

Hello Corey Mechalske,

I can see that Mallikarjuna Vardham has shared a detailed resolution for your issue. As he rightly highlighted from your dsregcmd /status output, a few critical flags are the root cause of the inconsistent AAD password behavior. These indicate that Windows Hello for Business (WHfB) provisioning has not completed on the VM. As a result, even though your device is Entra joined and shows AzureAdPrt: YES, the lack of WHfB provisioning blocks full AAD credential.

The reason you're able to log in with a PIN but not your password is because PIN-based sign-in leverages local TPM/NGC (Next Generation Credentials), whereas AAD password login depends on the Primary Refresh Token (PRT) and successful WHfB provisioning. Kindly follow the steps suggested by Mallikarjuna Vardham and let us know if you were able to resolve the blocker. Thanks
Corey Mechalske 60 Reputation points

2025-06-18T23:26:23.0033333+00:00

Hello, sorry for the late response and I appreciate your efforts! Let me test that out now and I will get back to you soon!

Thanks.
Corey Mechalske 60 Reputation points

2025-06-18T23:37:59.7133333+00:00

So, I enabled the Windows Hello For Business like you suggested. However, when I go to Sign-In options I don' see the same thing you are showing. I did do the gpupdate /force and rebooted my vm.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-19T10:03:09.7+00:00

Hello Corey Mechalske,

TPM is required for Windows Hello for Business to provision PINs and certificates.

If TPM is not present or enabled the PIN option won’t show up, and WHfB provisioning will fail silently.

Check TPM (Trusted Platform Module) availability on Azure VM

Open powershell and run as administrator then Run the TPM check command

Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftTpm -Class Win32_Tpm

check the output

If TPM is present you’ll see a list of properties like IsActivated_InitialValue, IsEnabled_InitialValue etc.
Corey Mechalske 60 Reputation points

2025-06-20T14:13:36.4366667+00:00

On my Azure VM....I went to security type in the "Overview" section and changed it from Standard to Trusted Launch virtual machines and made sure the enablevtpm was activated. Will Start my VM up and will then see if I get the option for Adding a Pin.
Corey Mechalske 60 Reputation points

2025-06-20T15:05:59.8+00:00

Hey, so after configuring everything...and rebooting my VM, I'm still not seeing the option to set up a PIN and the Ngc check is still showing "WillNotProvision". I also went into Intune and made sure Windows Hello for Business was enabled. Note: After I enabled Windows Hello via Intune, it did make me update my PIN when trying to log into my VM.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-24T19:29:37.32+00:00

Hello Corey Mechalske,

Following up to see if the above provided information is helpful.Please feel free to reach out if you have any further questions.
Raja Pothuraju 23,805 Reputation points Microsoft External Staff Moderator

2025-06-25T14:35:22.1566667+00:00

Hello Corey Mechalske,

I’d like to continue troubleshooting this issue offline. Could you please let me know when you’re available for a discussion and share your email address with me via private message.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-26T22:28:00.14+00:00

Hello Corey Mechalske,

Kindly check the private messages and respond accordingly.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-27T17:24:20.1133333+00:00

Hello Corey Mechalske,

Kindly check the private messages and respond accordingly.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-07-01T11:14:28.5833333+00:00

Hello Corey Mechalske,

We are waiting for your response to assist you offline and provide you the solution on the issue. Kindly check private messages and respond accordingly.
Corey Mechalske 60 Reputation points

2025-07-02T00:29:34.74+00:00

Hello, I replied back to the private message email.

Accepted answer

0 additional answers

Your answer

Anusree Nashetty 4,710 Reputation points Microsoft External Staff Moderator

2025-06-12T01:17:50.2166667+00:00

Hi Corey Mechalske,

As you can log in with a PIN but not your password suggests there might be an issue with Primary Refresh Token (PRT) provisioning or conditional access policies.

See that you have met all requirements to connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication. https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#requirements

Check Conditional Access + Licensing: Ensure your user has an Azure AD Premium P1 or P2 license. Make sure no Conditional Access policy is requiring compliant or Hybrid Azure AD Joined devices unless you meet that.
Corey Mechalske 60 Reputation points

2025-06-13T15:24:12.8533333+00:00

Thanks for your reply.

Check List-

No CA policies affecting me

VM running Windows 11 Pro OS

VM is Entra Joined

VM enrolled into Intune

My account has the virtual machine administrator logon IAM permission

My account has an Entra AD P2 license assigned

Updated RDP txt file with full address:s: x.x.x.x:3389 prompt for credentials:i:1 administrative session:i:1 enablecredsspsupport:i:1 authentication level:i:2 username:s:AzureAD\******@365internet-tech.com
Corey Mechalske 60 Reputation points

2025-06-13T16:31:57.3566667+00:00

Please see below
Corey Mechalske 60 Reputation points

2025-06-13T17:58:04.87+00:00

I locked my azure vm and then was able to use my password to login to the VM....so, I'm getting closer.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-16T10:04:49.4233333+00:00

Hello Corey Mechalske,

As per your your logs

NgcSet: NO, DeviceEligible: NO, and PreReqResult: WillNotProvision indicate that Windows Hello for Business (WHfB) provisioning has not completed.

These values indicate that Windows Hello for Business (WHfB) has not been provisioned on the device.

As a result, Azure AD password sign-in at the RDP lock screen might fail initially. However, signing in with a PIN should still work, as it relies on a different authentication mechanism that doesn’t depend on WHfB being set up.

To Fix AAD Password Login Issue on VM

After logging into the VM, open gpedit.msc.

After opening the Group Policy Editor, navigate to:

Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business

and then enable Windows Hello for Business.

Next, run the below command in PowerShell to apply the policy:

gpupdate /force

Then manually trigger NGC setup in the virtual machine:

Open Settings > Accounts > Sign-in options.

Set up a PIN if prompted this will force NGC/Hello provisioning and PRT refresh.

Confirm success by using the PowerShell command

dsregcmd /status

Look in the output for:

NgcSet: YES, DeviceEligible: YES, PreReqResult: Provisioned

Then reboot and try password-based RDP login again.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-17T09:43:57.2+00:00

Hello Corey Mechalske,
following up on this. Did you get a chance to go through my suggestion? Hope it cleared your query. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-17T09:52:33.68+00:00

Hello Corey Mechalske,

I can see that Mallikarjuna Vardham has shared a detailed resolution for your issue. As he rightly highlighted from your dsregcmd /status output, a few critical flags are the root cause of the inconsistent AAD password behavior. These indicate that Windows Hello for Business (WHfB) provisioning has not completed on the VM. As a result, even though your device is Entra joined and shows AzureAdPrt: YES, the lack of WHfB provisioning blocks full AAD credential.

The reason you're able to log in with a PIN but not your password is because PIN-based sign-in leverages local TPM/NGC (Next Generation Credentials), whereas AAD password login depends on the Primary Refresh Token (PRT) and successful WHfB provisioning. Kindly follow the steps suggested by Mallikarjuna Vardham and let us know if you were able to resolve the blocker. Thanks
Corey Mechalske 60 Reputation points

2025-06-18T23:26:23.0033333+00:00

Hello, sorry for the late response and I appreciate your efforts! Let me test that out now and I will get back to you soon!

Thanks.
Corey Mechalske 60 Reputation points

2025-06-18T23:37:59.7133333+00:00

So, I enabled the Windows Hello For Business like you suggested. However, when I go to Sign-In options I don' see the same thing you are showing. I did do the gpupdate /force and rebooted my vm.
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-19T10:03:09.7+00:00

Hello Corey Mechalske,

TPM is required for Windows Hello for Business to provision PINs and certificates.

If TPM is not present or enabled the PIN option won’t show up, and WHfB provisioning will fail silently.

Check TPM (Trusted Platform Module) availability on Azure VM

Open powershell and run as administrator then Run the TPM check command

Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftTpm -Class Win32_Tpm

check the output

If TPM is present you’ll see a list of properties like IsActivated_InitialValue, IsEnabled_InitialValue etc.
Corey Mechalske 60 Reputation points

2025-06-20T14:13:36.4366667+00:00

On my Azure VM....I went to security type in the "Overview" section and changed it from Standard to Trusted Launch virtual machines and made sure the enablevtpm was activated. Will Start my VM up and will then see if I get the option for Adding a Pin.
Corey Mechalske 60 Reputation points

2025-06-20T15:05:59.8+00:00

Hey, so after configuring everything...and rebooting my VM, I'm still not seeing the option to set up a PIN and the Ngc check is still showing "WillNotProvision". I also went into Intune and made sure Windows Hello for Business was enabled. Note: After I enabled Windows Hello via Intune, it did make me update my PIN when trying to log into my VM.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-24T19:29:37.32+00:00

Hello Corey Mechalske,

Following up to see if the above provided information is helpful.Please feel free to reach out if you have any further questions.
Raja Pothuraju 23,805 Reputation points Microsoft External Staff Moderator

2025-06-25T14:35:22.1566667+00:00

Hello Corey Mechalske,

I’d like to continue troubleshooting this issue offline. Could you please let me know when you’re available for a discussion and share your email address with me via private message.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-26T22:28:00.14+00:00

Hello Corey Mechalske,

Kindly check the private messages and respond accordingly.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-27T17:24:20.1133333+00:00

Hello Corey Mechalske,

Kindly check the private messages and respond accordingly.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-07-01T11:14:28.5833333+00:00

Hello Corey Mechalske,

We are waiting for your response to assist you offline and provide you the solution on the issue. Kindly check private messages and respond accordingly.
Corey Mechalske 60 Reputation points

2025-07-02T00:29:34.74+00:00

Hello, I replied back to the private message email.

Answer 1

Kancharla Saiteja 5,890 Microsoft External Staff Moderator

Hi Corey Mechalske,

Based on your query, we understand that you are unable to sign in for Azure VM.

We have disabled per user MFA and enabled conditional access policy for user by excluding Azure Windows VM sign in application which eventually worked, and user is able to sign in.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Share via

Azure VM (Failing to login with AAD password) PIN works...

0 additional answers

Your answer