
External Entra ID Guest Users Cannot Log In to Entra‑Joined VM via AADLoginForWindows

Wojciech Błażejewski 40 Reputation points
2026-02-18T21:48:58.0166667+00:00

Hi,

I need to configure access for an external client to a virtual machine in my tenant on Microsoft Azure. The server is running Windows Server 2025. It is Entra ID joined and has the AADLoginForWindows extension installed. Users log in to the server using their Microsoft Entra accounts. They are authorized through a group added in the server permissions with the “Virtual Machine User Login” role.

We have started working with a company that has its own Microsoft 365 environment. We want users from the client’s tenant to be able to log in to our server using their Microsoft accounts, which are invited to our tenant as guest accounts and assigned the Virtual Machine User Login permissions on the server. However, during login, an error appears:

AADSTS293004: The target-device identifier in the request [FQDN_VM] was not found in the tenant [External_Tenant_ID]. Trace ID: [...] Correlation ID: [...] Timestamp: 2026-02-18 10:26:30Z

I know this happens because during the login process, Entra searches for the target-device identifier within the user’s home tenant. But is there any way to allow an external user to log in to the server in my tenant using their own Microsoft account?

I’ve tried everything and I’ve completely run out of ideas.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Answer accepted by question author
  1. VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator
    2026-02-18T23:32:53.2033333+00:00

    Hello Wojciech Błażejewski,

    This is expected behavior and not a configuration issue.

    AADLoginForWindows does not support B2B guest users for interactive sign‑in to Entra‑joined Azure VMs. When a guest user signs in, authentication happens in the user’s home tenant, but the VM’s device object exists only in your tenant. As a result, the home tenant cannot resolve the target device, leading to AADSTS293004, which is by design.

    https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows?pivots=identity-extension-vm

    Currently, only member users from the same tenant that owns the VM can sign in to Entra‑joined VMs using AADLoginForWindows. Cross‑tenant (B2B) OS‑level sign‑in is not supported.

    https://learn.microsoft.com/en-us/answers/questions/5780343/external-entra-id-guest-users-cannot-log-in-to-ent

    Supported alternatives:

    • Create member user accounts in your tenant and assign Virtual Machine User Login
    • Use local or domain accounts for VM access
    • Use Azure Virtual Desktop (AVD), which does support B2B guest access scenarios

    So there is no workaround to enable this with guest accounts today—you’ve reached a product limitation, not a misconfiguration.

    1 person found this answer helpful.
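A small audit check that follows from the answer above, added here as an example and not code from the thread or from Microsoft: it expands a group-based "Virtual Machine User Login" assignment (the setup described in the question) and reports which assignees are guest users, i.e. the ones whose sign-in will fail with AADSTS293004. The role-assignment, group and user records are constructed sample data shaped like Azure RBAC and Microsoft Graph output.

```python
# Added example (not from the Q&A thread): flag holders of the VM login role who are
# B2B guests. Record shapes mirror Azure RBAC assignments and Graph users; values are constructed.
VM_USER_LOGIN = "Virtual Machine User Login"

# Constructed sample data: the VM scope grants the role to a group, as in the question.
ROLE_ASSIGNMENTS = [
    {"roleDefinitionName": VM_USER_LOGIN, "principalType": "Group", "principalId": "grp-vm-users"},
    {"roleDefinitionName": VM_USER_LOGIN, "principalType": "User", "principalId": "u-carol"},
]
GROUPS = {  # group object id -> member object ids (users or nested groups)
    "grp-vm-users": ["u-alice", "grp-partner"],
    "grp-partner": ["u-bob-guest"],
}
USERS = {  # user object id -> Graph-style user record
    "u-alice": {"userPrincipalName": "alice@contoso.example", "userType": "Member"},
    "u-carol": {"userPrincipalName": "carol@contoso.example", "userType": "Member"},
    "u-bob-guest": {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example", "userType": "Guest"},
}

def expand_principals(principal_id, groups, seen=None):
    """Return user object ids reachable from a principal, visiting each nested group once."""
    seen = set() if seen is None else seen
    if principal_id in seen:
        return set()
    seen.add(principal_id)
    if principal_id not in groups:
        return {principal_id}
    members = set()
    for member in groups[principal_id]:
        members |= expand_principals(member, groups, seen)
    return members

def is_guest(user):
    # Two signals: Graph userType, and the #EXT# UPN shape that B2B invitations produce.
    return user.get("userType") == "Guest" or "#EXT#" in user.get("userPrincipalName", "")

def unsupported_vm_login_assignees(assignments, users, groups):
    """UPNs holding the VM login role that are guests, so AADLoginForWindows sign-in fails (AADSTS293004)."""
    flagged = set()
    for assignment in assignments:
        if assignment["roleDefinitionName"] != VM_USER_LOGIN:
            continue
        for uid in expand_principals(assignment["principalId"], groups):
            user = users.get(uid)
            if user and is_guest(user):
                flagged.add(user["userPrincipalName"])
    return sorted(flagged)
```

Running `unsupported_vm_login_assignees(ROLE_ASSIGNMENTS, USERS, GROUPS)` on the sample data names only the guest reached through the nested partner group; the two member users are left alone.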

1 additional answer

  1. Q&A Assist
    2026-02-18T21:49:11.6633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To allow external guest users from another Microsoft 365 tenant to log in to your Entra ID joined virtual machine, you need to ensure that the correct permissions and configurations are in place. Here are some steps and considerations:

    1. Cross-Tenant Access Settings: Ensure that your Azure Active Directory (AAD) settings allow external users to access resources. You may need to modify the cross-tenant access settings to permit the external users from the client's tenant.
    2. Role Assignment: Verify that the external guest users have been assigned the Virtual Machine User Login role for the specific virtual machine or the resource group that contains the VM. This role is necessary for them to log in.
    3. Conditional Access Policies: Check if there are any Conditional Access policies that might be blocking the external users from logging in. Ensure that these policies do not restrict access for guest users.
    4. Device Identifier: The error message you are encountering indicates that the target-device identifier is not found in the external tenant. This means that the external user’s login request is being validated against their home tenant, which does not recognize your VM. Unfortunately, this is a limitation of how Azure AD handles guest access and device identification.
    5. Inviting External Users: Make sure that the external users are properly invited and accepted as guests in your tenant. They should use their own Microsoft accounts to log in, and their accounts should be active and correctly configured.

    If after checking these configurations the issue persists, you may need to consult Azure support for more specific guidance on enabling cross-tenant access for your scenario.

