When connecting to an Azure VM with AAD enabled, the accounts do not work

Hannes Brunner 16 Reputation points
2021-02-08T12:02:44.047+00:00

My assigned user accounts for admin and normal users from AAD are not accepted in a Windows VM. The following error messages occur in the event viewer on the VM:

AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3

and

Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<Removed> Correlation ID: <Removed>

AzureAdPrt is NO


6 answers

  1. Jos 106 Reputation points
    2022-10-20T08:00:46.657+00:00

    We are experiencing the same issue. We created a VM with an AzureAD connection, but when trying to sign in with an AzureAD user we get these errors in the event log of the server.

    We already assigned the roles "Virtual Machine User Login" and "Virtual Machine Administrator Login". We also tested with "azuread\admin@tenant.onmicrosoft.com" and without "azuread\", but neither worked.

    What could cause this?

    1 person found this answer helpful.

  2. Reza-Ameri 16,831 Reputation points
    2021-03-25T15:04:26.543+00:00

    If you are not the Azure administrator, ask the administrator to check the log files in Azure and see whether there is any relevant issue there.
    Make sure you are able to connect to the VM remotely.
    You may report this issue through the Feedback Hub app in Windows 10.


  3. Evan Greene 1 Reputation point
    2022-11-04T14:30:48.297+00:00

    I'm having this issue on a fresh install of Windows 10 Pro (elevated to Enterprise on login due to an E3 license). I've just installed the October 2022 22H2 image. I logged in using my Azure work account. I am seeing "the sync could not be initiated" when I look at the Intune info under Accounts -> Work accounts.

    In event log, I'm seeing:

    AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3
    Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<censored>/sidtoname Correlation ID: <censored>

    Error: 0xCAA90056 Renew token by the primary refresh token failed.
    Logged at RefreshTokenRequest.cpp, line: 147, method: RefreshTokenRequest::AcquireToken.

    Request: authority: https://login.microsoftonline.com/common, client: {<censored>}, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157, resource: https://onestore.microsoft.com, correlation ID (request): <censored>

    On-prem tgt error: On-prem configuration is missing

    Error: 0xCAA2000C The request requires user interaction.
    Code: interaction_required
    Description: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '45a330b1-b1ec-4cc1-9161-<censored>'.
    Trace ID: 2e6ba972-3f07-480e-8b21-cec67ba12900
    Correlation ID: <censored>
    Timestamp: 2022-11-04 14:23:55Z
    TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
    Logged at OAuthTokenRequestBase.cpp, line: 449, method: OAuthTokenRequestBase::ProcessOAuthResponse.


  4. ArgoSteven-5871 0 Reputation points
    2023-07-07T16:52:25.33+00:00

    Not sure if this relates to your issue or not... but we have also seen the "Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<censored>/sidtoname Correlation ID: <censored>" errors on AAD joined machines.

    If I open the "local users and groups" MMC snap-in on an AAD Joined machine, and look in the administrators group, I can see that there are 2 SIDs that are unresolved.

    The SIDs are the Global Administrator and Azure AD Joined Device Local Administrator roles that are added by default. What we found in some testing was that if we remove the 2 SIDs from the built-in Administrators group, these errors seem to stop.

    So maybe these errors don't really mean much besides the fact that the SIDs can't be resolved?

    Not sure if this helps, but it's what we have found.

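A small triage script, added here as an example and not posted by anyone in this thread, that pulls together two checks mentioned above: the AzureAdJoined / AzureAdPrt fields from `dsregcmd /status` (the question's "AzureAdPrt is NO") and the unresolved role SIDs sitting in the local Administrators group. The function names and the sample status text are constructed for illustration.

```powershell
# Added triage helper (not from the thread). Parses `dsregcmd /status` output and
# lists local Administrators members whose SIDs do not resolve to a name.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Key : Value" pairs; section banners carry no colon
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AadVmLoginReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not Azure AD joined' }
    if ($State['AzureAdPrt'] -ne 'YES')    { $problems += 'No Primary Refresh Token (AzureAdPrt is NO): token renewal will fail' }
    return $problems
}

function Get-UnresolvedLocalAdminSids {
    # ADSI is used instead of Get-LocalGroupMember: unresolved cloud role SIDs
    # come back here as raw S-1-12-1-... names, which is what we want to spot
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        if ($name -match '^S-1-\d+(-\d+)+$') { $name }
    }
}

# Constructed sample of dsregcmd /status output, for running the parser offline
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-AadVmLoginReadiness -State (ConvertFrom-DsregcmdStatus -Lines $sample)
# On a live VM use: Test-AadVmLoginReadiness -State (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
# and Get-UnresolvedLocalAdminSids to see the orphaned role SIDs described above.
```

With the constructed sample the readiness check reports the missing PRT, which matches the "Renew token by the primary refresh token failed" event quoted earlier in the thread.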

  5. Christian Rousseau 0 Reputation points
    2023-07-24T12:39:50.1666667+00:00

    We have started experiencing the same issue since June as well. Existing users already connected to a computer Azure AD joined can still log in. But it fails for any new computers joined OR when a user tries to log in for the first time on a computer.

    It fails specifically for users where federation is enabled. Login with a "native" AAD user (with an onmicrosoft.com address) works. I feel something changed on Microsoft's side with the authentication on these endpoints when federation is enabled. Maybe related to WS-Trust?