Enable Azure AD login with Bastion on exisitng VM

Ian Bartram 6 Reputation points

I've been tasked with enabling login with Azure AD on all of our existing servers. I've followed the howto-vm-sign-in-azure-ad-windows guide on using Azure Cloud Shell to enable it on an existing VM. I'm able to run the commands with no errors but the VM will still only connect when using the admin credentials established. I've configured IAM as well. Any help would be useful as it's not an option to have to rebuild all 16 VMs and set them to use AAD creds during the initial configuration.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
6,351 questions
{count} vote

4 answers

Sort by: Most helpful
  1. prmanhas-MSFT 17,796 Reputation points Microsoft Employee

    @Ian Bartram Thank you for your query!!!

    To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP so can you please confirm what role you have assigned to the user under IAM blade on the VM?

    Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@Company portal .com). At this time, Azure Bastion can't be used to log in by using Azure Active Directory authentication with the AADLoginForWindows extension; only direct RDP is supported as mentioned in same article so can you please check on it and let me know if it still not working on you.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    3 people found this answer helpful.

  2. Tim Heckmann 11 Reputation points

    @prmanhas-MSFT Are there any plans to implement AAD login via Bastion?

    2 people found this answer helpful.
    0 comments No comments

  3. Farshad Abasi 11 Reputation points

    Same issue here, interested in a resolution. Seems natural to allow AAD based user login via Bastion...

    2 people found this answer helpful.
    0 comments No comments

  4. Ahmed Elharouny 6 Reputation points

    If someone still needs an answer:
    The limitation for Azure AD login exists in sessions started from UI (Azure Portal). If you start RDP or SSH sessions from a "native client" (i.e
    your window client) you can use Azure AD login. Documentation to turn on native client connections in Bastion and how to connect here:


    1 person found this answer helpful.