Enable Azure AD login with Bastion on exisitng VM

Question

Enable Azure AD login with Bastion on exisitng VM

Ian Bartram 6

I've been tasked with enabling login with Azure AD on all of our existing servers. I've followed the howto-vm-sign-in-azure-ad-windows guide on using Azure Cloud Shell to enable it on an existing VM. I'm able to run the commands with no errors but the VM will still only connect when using the admin credentials established. I've configured IAM as well. Any help would be useful as it's not an option to have to rebuild all 16 VMs and set them to use AAD creds during the initial configuration.

prmanhas-MSFT 17,796 Reputation points Microsoft Employee

2021-06-07T05:10:01.197+00:00

@Ian Bartram Any updates on the issue?

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

prmanhas-MSFT 17,796 Reputation points Microsoft Employee

2021-06-07T05:10:01.197+00:00

@Ian Bartram Any updates on the issue?

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

Answer 1

prmanhas-MSFT 17,796 Microsoft Employee

@Ian Bartram Thank you for your query!!!

To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP so can you please confirm what role you have assigned to the user under IAM blade on the VM?

Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@Company portal .com). At this time, Azure Bastion can't be used to log in by using Azure Active Directory authentication with the AADLoginForWindows extension; only direct RDP is supported as mentioned in same article so can you please check on it and let me know if it still not working on you.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

fmuntean 1 Reputation point

2022-06-15T19:22:44.993+00:00

please read the title. this is about Bastion connectivity to AD joined VMs so we do not need to open RDP over internet.
Matt Ronchetto 11 Reputation points

2022-06-30T20:52:34.543+00:00
Microsoft could SIGNIFICATLY improve the login Via Azure AD functionality if they did two things:

Allowed Azure Bastion to leverage AAD credentials

Made the limitation that "only machines allowed to create a remote connection MUST be on the same domain as the Azure machines" a OPTION for the setup configuration .

The second request is so intuitive I don't understand what Microsoft was thinking in forcing the client to be on the same domain. This is an data center type solution and most times the servers and the workstations will be on different domains. That and we are moving to having domain joining a thing of past (I thought?). By forcing domain join Managed Service Providers and consultants get kicked out as they aren't going to want to use a company device or connect their device to that company. I get that enforcing that same domain is more secure but I'd rather have the choice.
Aleksandr Kolyada 1 Reputation point

2022-09-23T08:05:13.337+00:00

Absolutely agree. As a DevOps, I need to be able to connect to some environments at least at the rollout and testing stages. And customer's AD enrollment or a corporate laptop request is definitely not an option.

Answer 2

Tim Heckmann 11

@prmanhas-MSFT Are there any plans to implement AAD login via Bastion?

Answer 3

Farshad Abasi 11

Same issue here, interested in a resolution. Seems natural to allow AAD based user login via Bastion...

Answer 4

Ahmed Elharouny 6

If someone still needs an answer:
The limitation for Azure AD login exists in sessions started from UI (Azure Portal). If you start RDP or SSH sessions from a "native client" (i.e
your window client) you can use Azure AD login. Documentation to turn on native client connections in Bastion and how to connect here:

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

Masi Malmi 11 Reputation points

2023-03-14T17:45:31.88+00:00

Hmm.. didn't work for me at least. I tested also with Windows local account (through the native client) and the login there worked.
Rasmus Lindberg 25 Reputation points

2023-04-12T09:58:39.4833333+00:00

I have the same issue as Masi, using the local account that was created with the VM I can sign into the VM via Natice Client. But when I try to use the account that have Contributor over Bastion, VM, NIC and Virtual Machine Administrator Login role on the VM I get "logon attempt failed".
Im doing AzureAD<example.upn@upn.com> ofcourse.

Enable Azure AD login with Bastion on exisitng VM

4 answers

Activity