Share via

Unable to log in to Azure VM using Azure Entra ID (Azure AD) user using Bastion

Jay 40 Reputation points
2025-10-27T14:36:15.8766667+00:00

Hi GUys, 

I am sharing so far what i have done. But i have no idea why am not getting success here,

have anything on this to help me. that will be great , thanks in advance

 

🧩 Azure VM – Entra ID (Azure AD) Login Issue Summary

Background

As part of securing VM access under the "AM" environment, I followed the full Microsoft-recommended process to allow Azure Entra ID (Azure AD) users to log in to a Windows 11 Azure VM through Azure Bastion without using local credentials. The setup included all security best practices such as disk encryption, Just-In-Time access, and the use of Bastion (no public RDP exposure).

✅ Approach Followed

I implemented the entire configuration end-to-end, step by step:

1️⃣ VM and Network Setup

  • Created Windows 11 Datacenter VM: vm-Prod-debuging under resource group rg-am-debug-vm.
  • Configured VNet: vm-prod-debug-2-vnet with subnets default and AzureBastionSubnet.
  • Deployed Azure Bastion host: am-App-Vnet-bastion (confirmed SKU = Standard).
  • Verified that both VM and Bastion are in the same VNet and connected properly.
  • Confirmed no public IP exposure and NSG rules restricted to internal Bastion communication.

2️⃣ Azure AD (Entra ID) Configuration

  • Installed the AADLoginForWindows extension successfully:

 

  • ✔ Verified with az vm extension listProvisioningState: Succeeded.
  • Confirmed VM is Azure AD joined:

 

  • (Tenant verified to be the correct AM tenant.)
  • Assigned RBAC roles:
    • Virtual Machine Administrator Login
      • Virtual Machine User Login ✔ Verified with az role assignment list.

3️⃣ Security and Access Controls

  • Network Level Authentication (NLA) disabled to support token-based Entra login.
  • Just-In-Time (JIT) RDP access enabled through Microsoft Defender for Cloud.
  • Azure Disk Encryption applied using Key Vault.
  • Monitoring and tagging configured for traceability.

⚙️ Current Behavior

Even after completing all configuration steps successfully:

  • In Bastion → Connect → Authentication type, only shows:
    • “VM Password”
      • “Password from Azure Key Vault” ❌ “Azure AD” option is missing, even though SKU is Standard and all prerequisites are met.
  • Attempting direct RDP using AzureAD\******@domain.co results in:

“The sign-in method you’re trying to use isn’t allowed.”

  • Occasionally, Azure Portal displays:

UnauthorizedDataError: data set DataCache:2:2

🔍 Validation Summary

CheckpointStatusVerifiedVM OS supports AAD login (Windows 11)✅ConfirmedVM OS supports AAD login (Windows 11)✅ConfirmedAADLoginForWindows extension✅Installed successfullyVM joined to Entra ID✅AzureAdJoined: YESRBAC roles assigned (VM User/Admin Login)✅ConfirmedNetwork Level Authentication✅DisabledBastion and VM same VNet✅ConfirmedBastion SKU✅StandardAuthentication type “Azure AD” visible❌Not availableRDP login with Entra ID❌Fails--- 🧠 Conclusion

I have implemented every configuration as per the official Microsoft documentation and verified each prerequisite:

  • Azure AD join ✅
  • RBAC assignment ✅
  • AADLoginForWindows extension ✅
  • Bastion Standard SKU ✅
  • Correct network + NSG ✅
  • NLA disabled ✅

Despite this, Azure AD login is still not available in Bastion, and attempts to use Entra credentials through RDP result in the “sign-in method not allowed” message.

This indicates a potential backend or Bastion control-plane issue in the tenant’s Azure environment, which may require Microsoft’s internal validation of:

  • Bastion → Entra ID authentication registration
  • Metadata propagation for AAD interactive login
  • Role token handshake on control-plane
dsregcmd /status → AzureAdJoined : YES

az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows \ --resource-group rg-am-debug-vm --vm-name vm-Prod-debuging
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. Raja Pothuraju 42,040 Reputation points Microsoft External Staff Moderator
    2025-11-11T08:58:00.51+00:00

    Hello @Jay,

    Thank you for your time on the call earlier.

    As discussed, you’re experiencing an issue connecting to Azure Bastion using Microsoft Entra ID authentication through a browser session. However, the connection works as expected when using your local credentials.

    Please note that Azure Bastion login with Microsoft Entra ID is not a supported scenario, which is why the sign-in cannot be completed successfully.

    If you’re using a Mac to connect to Azure Bastion, the recommended approach is to use Azure Bastion’s tunnel mode (az network bastion tunnel). However, Microsoft Entra authentication is not supported in this mode. You’ll need to use traditional authentication methods such as SSH keys or username/password credentials.

    For your reference, the screenshot below shows that Microsoft Entra authentication is supported only for Windows and Linux native clients using RDP and SSH methods, and not available for other native clients.

    User's image

    You can find more details here: Azure Bastion — Connect using the native client

    Regarding your second issue with RDP login on Mac using Entra ID credentials, please note that RDP login with Entra ID is supported only on Windows 10 and later devices. It is not supported on Mac systems, which explains why the login attempt fails.

    Sign in using password/limited passwordless authentication with Microsoft Entra ID

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.