Errors when AADLoginForWindows extension is enabled on the VM

Question

Errors when AADLoginForWindows extension is enabled on the VM

Garcia, Cha 40

I’m attempting to enable Microsoft Entra ID authentication for a Windows VM that I access through Azure Bastion.

User's image

However, when I try to enable the AADLoginForWindows extension, the deployment fails and I receive the following error:

The handler for VM extension type 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' has reported terminal failure for VM extension 'AADLogin' with error message: 'Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version 1.3.0.0) with exception Command C:\\Packages\\Plugins\\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\\1.3.0.0\\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: 50. Error: '.\r\n    \r\n'Install handler failed for the extension. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot'"

So far, I have:

Checked that the Microsoft Entra ID tenant is properly configured.

Confirmed the required RBAC roles are assigned.
- Virtual Machine Administrator Login for admin privileges
- Virtual Machine User Login for end users

Despite this, the extension installation continues to fail.

Has anyone encountered this issue before or can provide guidance on:

Common causes for AADLoginForWindows extension failures?

Required networking endpoints or firewall configurations?

Additional prerequisites that may be missing?

Any assistance would be greatly appreciated.

0 comments

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Jilakara Hemalatha 11,785 Microsoft External Staff Moderator

Hello Garcia, Cha,

Thank you for sharing the details regarding the AADLoginForWindows extension deployment failure on your VM. Based on the error message and information provided, the issue appears to be related to prerequisites or connectivity required for enabling Microsoft Entra ID authentication on Windows VMs.

Below are the most common causes and recommended steps to resolve the issue:

Check OS Compatibility

The AADLoginForWindows extension supports the following Windows versions:

Windows Server 2022 or later

Windows 10 / 11 (22H2 or later)

If your VM is running an unsupported OS version, the extension will fail with Exit code 50.

Reference: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#prerequisites
2. Enable System Assigned Managed Identity

The extension requires a system-assigned managed identity on the VM. Without it, the extension cannot retrieve tenant information from Azure Instance Metadata Service.

Reference: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities?pivots=qs-configure-portal-windows-vm

3.Validate Network and Firewall Configuration

The VM must have outbound HTTPS access to the following Microsoft identity endpoints:

https://login.microsoftonline.com
https://enterpriseregistration.windows.net
https://device.login.microsoftonline.com
https://pas.windows.net
Ensure NSGs, firewalls, or corporate proxies allow outbound HTTPS (443) traffic to these endpoints.
Confirm DNS resolution works correctly.

Reference: Troubleshooting Azure Windows VM extension failures

Troubleshoot AADLoginForWindows deployment

Once the above prerequisites are verified, reinstall the extension and let us know the outcome. This will help us further investigate if the issue persists.

Jilakara Hemalatha 11,785 Reputation points Microsoft External Staff Moderator

2026-03-11T00:23:56.8133333+00:00

Hello Garcia, Cha,

Just checking if above provided information was helpful! Please let me know if you have any queries.
Garcia, Cha 40 Reputation points

2026-03-11T13:02:25.8333333+00:00

@Jilakara Hemalatha I plan to spin up a new Windows 2022 VM today to verify the OS issue. If still fails, I will post the error logs. Thank you for suggestion. Helpfully, you can assist on next stoipper.
Jilakara Hemalatha 11,785 Reputation points Microsoft External Staff Moderator

2026-03-11T18:09:00.9866667+00:00

Please let me know if you were able to test it on the new Windows Server 2022 VM. If the issue still persists, kindly share the error logs so we can further investigate and assist you.
Garcia, Cha 40 Reputation points

2026-03-11T19:05:18.8466667+00:00
I create Windows 2022 server and installed the AAD Login extension successfully.

Select Identity under the Security section. Turned on.

I added myself to the Virtual Machine Administrator Login.

However, when I go to Bastion, Entra ID is not available? See dropdown - not seeing the option
Jilakara Hemalatha 11,785 Reputation points Microsoft External Staff Moderator

2026-03-11T19:29:46.3566667+00:00

Garcia, Cha

Thank you for your update.

As the original issue related to the extension installation appears to be resolved, the new concern you have raised seems to be a different scenario.

To ensure your query receives better visibility and focused assistance from the community and support engineers, I recommend creating a new thread in the same Microsoft Q&A forum with detailed information about the new issue you are experiencing.

Answer 2

Q&A Assist

AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

Exit code 50 for the AADLoginForWindows extension indicates that the extension cannot complete the Microsoft Entra join on the VM. Use the built‑in troubleshooting flow for the AADLoginForWindows extension and the VM’s device join state.

On the VM, check the extension logs
- Connect with local admin credentials (for example via Bastion local account).
- Open C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.
- Review CommandExecution.log or CommandExecution_YYYYMMDDHHMMSSSSS.log for the detailed error that caused exit code 50.
Verify Azure Instance Metadata Service (AIMS) responses
- In an elevated PowerShell window on the VM run:
  - curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
    - Must return correct information about the VM.
  - curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"
    - Must return a valid tenant ID for the subscription.
  - curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"
    - Must return a valid access token from Microsoft Entra ID.
- If these calls fail or the tenant ID is missing, ensure the VM has a system‑assigned managed identity enabled on the Identity blade and that networking allows access to the metadata IP 169.254.169.254.
Confirm required outbound endpoints and DNS resolution
- From the VM, run in PowerShell:
  - curl.exe https://login.microsoftonline.com/ -D -
  - curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
  - curl.exe https://enterpriseregistration.windows.net/ -D -
  - curl.exe https://device.login.microsoftonline.com/ -D -
  - curl.exe https://pas.windows.net/ -D -
- login.microsoftonline.com/<TenantID>, enterpriseregistration.windows.net, and pas.windows.net may legitimately return 404 Not Found; this still proves reachability.
- If any command fails with “Couldn't resolve host”, check DNS with:
  - nslookup <URL>
  - If that fails, try a public resolver: nslookup <URL> 208.67.222.222 and adjust the DNS server on the VM’s VNet/subnet/NSG as needed.
- If outbound Internet is restricted, ensure these endpoints (or the appropriate service tags, such as AzureActiveDirectory plus any required public discovery IPs) are allowed through firewalls/NSGs.
Validate device join state
- Run dsregcmd /status on the VM.
- For a successful configuration, Device State should show AzureAdJoined : YES.
- If not joined, use the errors in User Device Registration\Admin log in Event Viewer (Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin) together with the extension logs to identify what is blocking the join (for example, tenant discovery, connectivity to enterpriseregistration.windows.net, or duplicate device name).
Check for common terminal error patterns
- If the extension logs show:
  - DSREG_E_MSI_TENANTID_UNAVAILABLE (terminal error code 1007, exit code -2145648574): the extension cannot obtain the tenant ID from AIMS. Confirm the managed identity is enabled and that curl .../metadata/identity/info returns a tenant ID.
  - DSREG_AUTOJOIN_DISC_FAILED (exit code -2145648607): the extension cannot reach https://enterpriseregistration.windows.net. Re‑check outbound access and DNS to that endpoint as in step 3.
- If the logs show exit code 51 (“This extension isn't supported on this operating system”), the OS is unsupported; AADLoginForWindows is only for Windows Server 2022 or later. In that case, uninstall the extension or upgrade the OS.
After fixing connectivity/identity issues
- Once AIMS responses, DNS, outbound endpoints, and OS support are confirmed, re‑run the extension deployment.
- Then re‑check dsregcmd /status to confirm AzureAdJoined : YES before using Bastion with Microsoft Entra sign‑in.

These steps address the common causes of AADLoginForWindows extension failures: missing managed identity/tenant information, blocked outbound endpoints or DNS, unsupported OS, and device join errors.

References:

Garcia, Cha 40

When enabled I Entra ID under Management for new VM (instead of enabling the extension to an existing VM), the extension failed during the deployment.

User's image

Error:

"error": {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'AADLoginForWindows' (publisher 'Microsoft.Azure.ActiveDirectory' and type 'AADLoginForWindows'). Error message: 'AAD Join failed with status code: -2145648509. AzureSecureVMJoinOperation: DeviceEnroller::AzureSecureVMEnroll failed 0x801c0083. The hostname is already used by another device in this tenant, please change the VM name to redeploy the extension.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot"
    }
}

Garcia, Cha 40 Reputation points

2026-03-11T19:37:54.7533333+00:00

This is a Windows 2022 Server VM.
Jilakara Hemalatha 11,785 Reputation points Microsoft External Staff Moderator

2026-03-11T20:09:23.4+00:00
From the error message, the extension AADLoginForWindows failed because the VM could not complete the join operation with Microsoft Entra ID.

The error code -2145648509 (0x801c0083) typically occurs when a device with the same hostname already exists in the tenant. During the Entra ID join process, the VM attempts to register itself as a device. If another device object with the same name already exists (either active or left behind from a previous VM), the join operation fails.

This can happen in scenarios such as:

A VM with the same name was previously joined to Entra ID in the tenant.

The earlier VM was deleted but the device object still exists in Entra ID.

Another VM in the tenant is already registered with the same hostname.

As a suggestion, you may want to check the Devices section in Microsoft Entra ID and verify whether a device with the same VM hostname is already present. If an older or unused device entry exists, removing it and then retrying the extension deployment may help resolve the issue. Alternatively, deploying the VM with a different hostname can also avoid the duplicate device name conflict.
Garcia, Cha 40 Reputation points

2026-03-11T20:22:43.9133333+00:00

When I went to Entra ID / Devices - I didn't see any VMs listed. Is there another area to check?

Looking at Entra ID => Devices=>Manage =>Device Settings

Also, I checked Devices=>All Devices
Garcia, Cha 40 Reputation points

2026-03-11T20:25:59.6233333+00:00

Does a MS Entra domain service need to be in place? Currently none.
Jilakara Hemalatha 11,785 Reputation points Microsoft External Staff Moderator

2026-03-11T22:13:35.0066667+00:00

Thank you for checking. Even if the VM does not appear under All Devices, the AAD join extension can fail with error -2145648509 / DSREG_HOSTNAME_DUPLICATE if a device with the same hostname already exists or is in a stale/deleted state in the tenant.

To resolve the issue, we recommend to deploy the VM with a unique hostname that has not been used previously in the tenant. This is the fastest way to avoid the conflict.
Garcia, Cha 40 Reputation points

2026-03-12T17:47:18.6533333+00:00

I enabled WindowsAADLogin extension when creating the new VM "TESTA01". This is an unique name (never named a resource called TEST), we have a standardized naming convention. This VM is Windows 2022 DataCenter.

The deployment failed due to the WindowsAAD failed.

Error details:

When I ran dsregcmd /status on the new VM:
Garcia, Cha 40 Reputation points

2026-03-12T17:50:15.96+00:00

In addition to creating a new VM (with unique name) below. I tried to create a new VM (Windows 11) using Azure Virtual Desktop, I would get similar WindowsAAD login failure.
Garcia, Cha 40 Reputation points

2026-03-12T17:53:22.42+00:00

When I created a new VM called "ACF-ITAMS-STAGE-TESTA01" as a Windows 2022 Datacenter. I received this error:
Garcia, Cha 40 Reputation points

2026-03-12T17:55:43.81+00:00

When I Bastion into this new VM with a local account. I ran the cmd below:
Garcia, Cha 40 Reputation points

2026-03-12T18:01:27.4966667+00:00

BTW, the screenshot above says device name "ACF-ITAMS-STAGE", but I called the VM "ACF-ITAMS-STAGE-TESTA01"

Share via

Errors when AADLoginForWindows extension is enabled on the VM

1 additional answer

Your answer