When connecting to an Azure VM with AAD enabled, the accounts do not work

Hannes Brunner 16

My assigned user accounts for admin and normal users from AAD are not accepted in a Windows VM. The following error messages occur in the event viewer on the VM:

AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3

and

Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/<Removed> Correlation ID: <Removed>

AzureAdPrt is NO

Reza-Ameri 16,836 Reputation points

2021-02-08T16:32:49.973+00:00

Are you able to login in the account using local account?
Try ping your tenant and see if it is reachable?
Are you able to enroll the device as a tenant to AAD?
Hannes Brunner 16 Reputation points

2021-02-08T16:37:41.36+00:00

@Reza-Ameri
Q1: Yes
Q2: do you mean ping into the guest OS or ping out of the guest os? As I can connect with a local account that is probably anyhow unnecessary.
Q3: don't understand. I can assign AAD users in Azure as Administrator or normal users via IAM, but when I do, it does not help. What do yo mean by enrol device as tenant to AAD? Which device?
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2021-02-09T22:36:59.503+00:00
@Hannes Brunner
Thank you for your post!

Are you able to share any documentation that you followed to enable your Azure VM with AAD? This way I can gain a better understanding of your issue.

From your comment, I understand you can sign into your VM using the local account you created during VM creation? But none of the AzureAD accounts are working with sign-in.

Have you looked into our Sign in to Windows virtual machine in Azure using Azure Active Directory authentication (Preview) tutorial to enabled AzureAD Authentication?

Any additional details or screenshots would be greatly appreciated.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Reza-Ameri 16,836 Reputation points

2021-02-19T14:51:46.553+00:00

Check event viewer and look into log files and see if there are any other error which might be helpful?
Azin Wright (Hotmail) 6 Reputation points

2022-12-15T23:05:15.36+00:00
We are seeing a similar error message with following conditions:

On-prem AD Security group sync'd to AAD

Intune Profile is used to add this group to Windows Workstation AAD Joined device Local Administrators group

The group that is added to the Local Administrators group only shows a SID with a question-mark, error "AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3" is logged in Windows-AAD-Operational events

user who is a member of the Security Group is unable to elevate on the workstation

my question is - Why can't Azure AD provide the relevant display name for that SID?
Even if I VPN into the environment where I have a line of sight to a Domain Controller, this Group name does not resolve.

When a user ID who is sync'd to Azure AD from on-prem AD is added to the Local Administrator of an AADJ Windows device, it actually resolves to the AD domain\userID.
What gives :?

6 answers

Roger Platt 0 Reputation points

2023-08-07T16:30:21.3766667+00:00

We experienced this issue during a POC of Dev Box and tracked it down to WS-Trust protocol being disabled on the ADFS servers in our environment last month due to the documented Microsoft best practice document to eliminate inherent vulnerabilities. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-from-extranet As such, any federated organization that has followed this best practice to disable this protocol will be unable to authenticate to a Dev Box or likely other VM's using a federated login relying on WS-trust.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment