How to fix Entra user sign-in with a conditional access policy exclusion for an Arc-enabled Windows Server 2025 VM

Milun Moghe 0 Reputation points
2025-11-18T16:45:08.3833333+00:00

We set up a local on-prem hosted Azure Arc-enabled VM so that users can RDP into the PC using their Entra credentials with the "Entra login for Windows" extension enabled. We also have a conditional access policy that requires a compliant device. Now, given that the Azure Arc-enabled VM is not Intune enrolled and thus not compliant, the user is blocked from signing in with this error.

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

2 answers

  1. Dimple Rane 1,241 Reputation points
    2025-11-18T18:10:23.4666667+00:00

    To resolve the issue where users are blocked from signing in due to the conditional access policy requiring a compliant device, you can either:

    1. Exclude the Azure Arc enabled VM from the conditional access policy:
      • Go to the Azure portal.
      • Navigate to Azure Active Directory > Security > Conditional Access.
      • Select the policy in question.
      • Under "Assignments," go to "Users and groups" and add the Azure Arc enabled VM to the exclusion list.
    2. Enroll the Azure Arc enabled VM in Intune:
      • Follow the steps to enroll the VM in Intune to ensure it meets compliance requirements.

    Choose the option that best fits your security and operational requirements.

    1 person found this answer helpful.

  2. Shubham Sharma 3,330 Reputation points Microsoft External Staff Moderator
    2025-11-21T18:08:11.07+00:00

    Milun Moghe

    No — Azure Arc–enabled Windows Servers cannot be Intune (MDM)–enrolled, so they can’t report Device compliance for Conditional Access. Windows Server sign‑in with the Entra login for Windows extension is supported, but CA controls that require a compliant device aren’t supported for Windows Server sign‑ins, which is why your users are blocked.

    For your reference: https://docs.azure.cn/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows?pivots=identity-extension-vm

    What is supported and what is not supported according to Microsoft:

    1. Windows Server + Entra login (Arc or Azure VM): Microsoft explicitly states “Windows Server VMs don’t support MDM enrollment.” Therefore, they cannot be Intune‑compliant devices.
    2. Conditional Access: For Windows Server sign‑ins, device‑based CA (Require compliant device) is not supported. Use other signals such as MFA, sign‑in risk, location instead.
    3. Management path for servers: Use Azure Arc, Azure Policy (Guest Configuration/Machine Configuration), Azure Update Manager, and Microsoft Defender for Cloud / Defender for Endpoint for governance and security — not Intune MDM compliance.

    For your references: https://docs.azure.cn/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows?pivots=identity-extension-vm

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview

    Please reach out to us in case of any further issue.

    Thanks

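    Before deciding between the exclusion suggested in the first answer and the alternative signals suggested in the second, it helps to see exactly which enabled policies enforce "Require compliant device" and whether they already offer another control. The following Microsoft Graph PowerShell script is an added example, not code from either answer or from Microsoft; it assumes the Microsoft.Graph SDK is installed and that your account can read Conditional Access policies (Policy.Read.All).

    ```powershell
    # Added example: find enabled Conditional Access policies that require a
    # compliant device, and show their scope and excluded groups so you can tell
    # which policy blocks the Windows Server sign-in and where an exclusion
    # (or an alternative control such as MFA) would have to be configured.
    # Assumes the Microsoft.Graph PowerShell SDK and the Policy.Read.All scope.
    Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

    $policies = Get-MgIdentityConditionalAccessPolicy -All

    $requireCompliant = $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $null -ne $_.GrantControls -and
        $_.GrantControls.BuiltInControls -contains 'compliantDevice'
    }

    foreach ($p in $requireCompliant) {
        # Operator 'AND' means every listed control is mandatory, so a server
        # that can never be compliant is always blocked. Operator 'OR' means
        # any one listed control (for example 'mfa') satisfies the policy.
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            Operator      = $p.GrantControls.Operator
            Controls      = ($p.GrantControls.BuiltInControls -join ', ')
            IncludeUsers  = ($p.Conditions.Users.IncludeUsers -join ', ')
            ExcludeGroups = ($p.Conditions.Users.ExcludeGroups -join ', ')
            IncludeApps   = ($p.Conditions.Applications.IncludeApplications -join ', ')
        }
    }
    ```

    A policy listing only `compliantDevice`, or `compliantDevice` with operator `AND`, is the one that blocks the Arc-enabled server sign-in; a policy that lists `mfa` with operator `OR` already lets those users satisfy it with MFA instead.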
