Question

HannesBrunner-7495 asked, EvanGreene-2371 edited

When connecting to an Azure VM with AAD enabled, the accounts do not work

My assigned user accounts for admin and normal users from AAD are not accepted in a Windows VM. The following error messages occur in the event viewer on the VM:

AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3

and

Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<Removed>; Correlation ID: <Removed>


AzureAdPrt is NO


Tags: windows-10-general, azure-active-directory, azure-virtual-machines

Are you able to login in the account using local account?
Try ping your tenant and see if it is reachable?
Are you able to enroll the device as a tenant to AAD?


@Reza-Ameri
Q1: Yes
Q2: do you mean ping into the guest OS or ping out of the guest OS? As I can connect with a local account, that is probably unnecessary anyhow.
Q3: I don't understand. I can assign AAD users in Azure as Administrator or normal users via IAM, but when I do, it does not help. What do you mean by enrolling the device as a tenant to AAD? Which device?


Check event viewer and look into log files and see if there are any other error which might be helpful?


@HannesBrunner-7495
Thank you for your post!

  • Are you able to share any documentation that you followed to enable your Azure VM with AAD? This way I can gain a better understanding of your issue.

  • From your comment, I understand you can sign into your VM using the local account you created during VM creation? But none of the AzureAD accounts are working with sign-in.

  • Have you looked into our Sign in to Windows virtual machine in Azure using Azure Active Directory authentication (Preview) tutorial to enable AzureAD Authentication?


Any additional details or screenshots would be greatly appreciated.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Reza-Ameri answered

In case you are not the Azure administrator, then ask the administrator to check the log files in Azure and see if there is any relevant issue there.
Make sure you are able to connect to the VM remotely.
You may report this issue through the Feedback Hub app in Windows 10.


jos-5181 answered

We are experiencing the same issue. We created a VM with an AzureAD connection, but when trying to sign in with an AzureAD user we get these errors in the event log of the server.

We already assigned the roles "Virtual Machine User Login" and "Virtual Machine Administrator Login". We also tested already with "azuread\admin@tenant.onmicrosoft.com" and without "azuread\" but both didn't work.

What could cause this?


EvanGreene-2371 answered and edited

I'm having this issue on a fresh install of Windows 10 Pro (elevated to enterprise on login due to E3 license). I've just installed the October 2022 22h2 image. I logged in using my Azure Work account. I am seeing "the sync could not be initiated" when I go look at the Intune info under Accounts -> Work accounts.

In event log, I'm seeing:

AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3
Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<censored>/sidtoname Correlation ID: <censored>

Error: 0xCAA90056 Renew token by the primary refresh token failed.
Logged at RefreshTokenRequest.cpp, line: 147, method: RefreshTokenRequest::AcquireToken.

Request: authority: https://login.microsoftonline.com/common, client: {<censored>}, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157, resource: https://onestore.microsoft.com, correlation ID (request): <censored>

On-prem tgt error: On-prem configuration is missing


Error: 0xCAA2000C The request requires user interaction.
Code: interaction_required
Description: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '45a330b1-b1ec-4cc1-9161-<censored>'.
Trace ID: 2e6ba972-3f07-480e-8b21-cec67ba12900
Correlation ID: <censored>
Timestamp: 2022-11-04 14:23:55Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at OAuthTokenRequestBase.cpp, line: 449, method: OAuthTokenRequestBase::ProcessOAuthResponse.


I have mfa enabled. When I logged in, I entered my mfa code before setting up a Hello pin.

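An added triage script (not posted by anyone in this thread) that collects, inside the affected VM, the two pieces of evidence the question and the answers above turn on: the join and PRT state from `dsregcmd /status` (the question reports `AzureAdPrt is NO`) and recent events that carry the error codes quoted in the thread. Assumed: the script runs in an elevated PowerShell session on the VM, `dsregcmd.exe` is available (it ships with Windows 10), and the AAD client log is named `Microsoft-Windows-AAD/Operational`.

```powershell
# Added example, not from the thread. Run elevated on the affected VM.
# Assumptions: dsregcmd.exe on PATH; log name 'Microsoft-Windows-AAD/Operational'.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-AadLoginPrereqs {
    param([hashtable]$Status)
    # Azure AD sign-in to the VM needs the device joined and a PRT for the
    # user; "AzureAdPrt : NO" is the state reported in the question.
    $expected = [ordered]@{ 'AzureAdJoined' = 'YES'; 'AzureAdPrt' = 'YES' }
    foreach ($key in $expected.Keys) {
        [pscustomobject]@{
            Check    = $key
            Expected = $expected[$key]
            Actual   = $Status[$key]
            Pass     = ($Status[$key] -eq $expected[$key])
        }
    }
}

function Get-AadLogonErrors {
    param([int]$Hours = 24)
    # Codes quoted in this thread; a starting filter, not an exhaustive list.
    $codes   = '0xC00485D3', '0xCAA90056', '0xCAA2000C', 'AADSTS50076'
    $pattern = ($codes | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id,
            @{ n = 'Code'; e = { [regex]::Match($_.Message, $pattern).Value } },
            Message
}

$status = Get-DsregStatus
Test-AadLoginPrereqs -Status $status | Format-Table -AutoSize
Get-AadLogonErrors | Format-List
```

A failing `AzureAdPrt` check with `AADSTS50076` events points at the MFA requirement EvanGreene-2371 describes, while a failing `AzureAdJoined` check means the VM-side enablement the tutorial covers has not completed.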