AAD joined Azure VM and MFA

JKRRI 21 Reputation points
2021-02-26T19:09:58.02+00:00

I have followed this document https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows and set up a 2019 Datacenter VM our Azure subscription and had no issues getting the extension installed successfully. I verified the VM is joined to our Azure AD, and all seems right except....
I have MFA enabled on my account and when connecting (with RDP) to the target VM but I keep getting "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator." I have set up my Azure account with "Azure Virtual Machine Administrator Login" role assignment at the subscription level.
I have modified my MFA Conditional Access policy to exclude the "Azure Windows VM Sign-In" cloud app.
It seems I am able to workaround the MFA issue and successfully log in to the 2019 Datacenter VM with my AAD Creds by adding the public IP address of the target VM into the trusted MFA Authentication > Service Settings for our AAD Tenant. I didn't see that as a requirement in the documentation and I'd very much like to not have to manage the list of trusted IPs in MFA settings when my Azure VMs all get new IPs as frequently as they do. I would like to see if this can get this process locked in before A. Our organization moves to full Azure AD (from the on-prem AD-sync'd hybrid model we're currently in) and B. before I start rebuilding +/- 100 Azure VMs to 2019 Datacenter.

I am hoping someone in this community can provide some insight to my dilemma. Thank you all in advance

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,341 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,722 questions
0 comments No comments
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,566 Reputation points
    2021-03-02T15:12:16.373+00:00

    Hello @JKRRI ,

    Thanks for reaching out.

    Could you please confirm, how you enabled MFA for users ? through "Azure AD conditional access policy" or "Per-user Enabled/Enforced" from legacy MFA portal ?

    Reason because, Per-user Enabled/Enforced Azure AD Multi-Factor Authentication is not supported for VM sign-in.

    I see that you already have excluded "Azure Windows VM Sign-In" cloud app from conditional access, but when you have more than one policy created in AAD, then its worth to check out if same condition has been updated in all policy. The best way to find out list of policy applied for the user is to use What If tool in Conditional Access or user Sign-in Logs.

    Hope this helps.

    ----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Sky Yeo 6 Reputation points
    2022-03-03T03:00:50.753+00:00

    Hi Fellow IT users, I agreed that the above is working but this is a conflict to organization security. we still like to have MFA to work with VM. can you advise how to handle this instead of above workaround which may compromise company security policies.

    Thanks

    Yeo

    1 person found this answer helpful.