Can't login with AzureAD Virtual User role

Chris Parker 21 Reputation points
2021-06-30T14:53:50.287+00:00

Hi all.

I have enabled login with AzureAD credentials when setting up my VMs but continue to have trouble logging in with anything other than the local admin account "Admin".

A little insight on my environment. I am connecting to devices over the Azure VPN Client.
VMs only have private IPs. I have added other Azure AD account access to the VMs by using net localgroup "Remote Desktop Users" /add "AzureAD\test@keyman .com". In addition to that, I have also edited the RDP client file to include "enablecredsspsupport:1:0" and "authentication level :i:2". There isn't any NSG attached to the VM to interfere.

I can login with one Azure AD account, but it is a global admin. It only works when using the Windows Hello PIN. When trying to use just the credential, it fails to connect to the VM over RDP or Bastion. All Azure AD users have the "Virtual Machine User Login" role added through IAM of the VM. These are Windows 10 2004 Gen2 VMs. Login with AzureAD credentials was selected when creating the devices.

[Screenshots: RDP file in Notepad, RDP Windows Security prompt, failed login PIN prompt, Remote Desktop Users group.]

Microsoft Entra ID

3 answers

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-07-02T18:38:31.643+00:00

    Hello @Chris Parker ,

    Thanks for reaching out.

    Could you please confirm whether the "Allow PKU2U (Public Key Cryptography Based User-to-User) authentication requests to this computer to use online identities" option is enabled on both the client system and the remote system?

    Also check whether disabling NLA (Network Level Authentication) on the remote system, after including "enablecredsspsupport:1:0" and "authentication level :i:2" in the RDP file, helps with success.


    Here is supported configurations for remotely connecting to an Azure AD-joined PC: https://learn.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc

    For more information, refer to Connect to remote Azure Active Directory-joined PC.

    Hope this helps.

    --------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
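    The checks suggested in this answer, collected into an added PowerShell example (not code from the thread or from Microsoft): run on the Azure AD-joined VM it reports the join state, the PKU2U online-identity setting (stored as AllowOnlineID under the LSA pku2u key), whether the RDP-Tcp listener requires NLA (UserAuthentication), and the AzureAD\ entries in the Remote Desktop Users group; it then writes an RDP file using the documented "i:" integer syntax for the two client-side settings. The address 10.0.0.4 and user AzureAD\user@example.com are constructed placeholders.

```powershell
# Added example: report the settings from the answer above on the AAD-joined VM.
function Get-AadRdpPrereqs {
    # Policy "Allow PKU2U authentication requests ... to use online identities"
    # is persisted as AllowOnlineID (1 = enabled) under the LSA pku2u key.
    $pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
                 -Name AllowOnlineID -ErrorAction SilentlyContinue
    # UserAuthentication = 1 on RDP-Tcp means the listener requires NLA.
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name UserAuthentication -ErrorAction SilentlyContinue
    # dsregcmd /status prints the device join state; AzureAdJoined must be YES.
    $joinLine = dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*(\w+)'
    $joined = if ($joinLine) { $joinLine.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    # Azure AD accounts granted RDP sign-in appear as AzureAD\user@tenant in the group.
    $rdpUsers = net localgroup 'Remote Desktop Users' | Where-Object { $_ -match '^AzureAD\\' }

    [pscustomobject]@{
        AzureAdJoined = $joined
        PKU2UOnlineId = [bool]$pku2u.AllowOnlineID
        NlaRequired   = [bool]$nla.UserAuthentication
        AadRdpUsers   = @($rdpUsers)
    }
}

function New-AadRdpFile {
    param(
        [Parameter(Mandatory)][string]$Address,   # private IP reached over the VPN
        [Parameter(Mandatory)][string]$User,      # AzureAD\user@tenant
        [string]$Path = "$env:USERPROFILE\Desktop\aad-vm.rdp"
    )
    @(
        "full address:s:$Address",
        "username:s:$User",
        'enablecredsspsupport:i:0',   # client does not use CredSSP (NLA) for this connection
        'authentication level:i:2'    # connect even if server authentication fails
    ) | Set-Content -Path $Path -Encoding ASCII
    $Path
}

# Constructed placeholder values; replace with the VM's private IP and the AAD UPN.
Get-AadRdpPrereqs | Format-List
New-AadRdpFile -Address '10.0.0.4' -User 'AzureAD\user@example.com'
```

    Compare the PKU2UOnlineId and NlaRequired values on the VM with the client; the answer asks for PKU2U enabled on both sides and, if sign-in still fails, NLA disabled on the remote side.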

  2. Chris Parker 21 Reputation points
    2021-06-30T14:56:59.78+00:00

    [Screenshots: dsregcmd output, pages 1 and 2.]


  3. Chris Parker 21 Reputation points
    2021-07-23T18:04:50.513+00:00

    Sorry for the delay @JamesTran-MSFT

    Unfortunately, this didn't work completely. I can login with some Azure AD users, but some I can't.
    For example, the christopher account can login only when using Windows Hello authentication. If trying to use the actual Azure AD password, the connection does not work. I can login with the mano account using Azure credentials when located in the USA, but user mano can't login when located in INDIA, for example.

    Additional issues I run into with this setup: when adding Azure AD users to the local admin group, they disappear after a reboot or sign-off.
