Unable to get Entra login to function on Azure Arc enabled Windows Server 2025 hybrid system

Question

Unable to get Entra login to function on Azure Arc enabled Windows Server 2025 hybrid system

Anthony Ries 0

I have followed all the available documentation, but I am still getting the message when attempting to login to an Arc configured on prem Windows Server 2025 Standard system:

'The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator.'

AAD Login extension is setup

VM Login Administrator permissions setup
Arc Registration complete

Extensions up to date

Conditional Access exception created

Azure VM login Enterprise app access granted

Azure Policy compliance requirement exception created

Server 20205 OS is up to date and activated

Managed Identity is enabled

I've spent days on this and MS will only send me here rather than allow me to submit a support ticket, even though we are paying for it...

Also concerning that I have to use Chrome because edge wouldn't allow me to register for this portal.

Siva shunmugam Nadessin 9,880 Reputation points Microsoft External Staff Moderator

2026-04-15T17:37:53.1566667+00:00

Hello Anthony Ries,

Thank you for reaching out to the Microsoft Q&A forum.

When investigated wee see that you’ve completed all of the documented setup steps correctly. The error you’re encountering —

“The sign‑in method you’re trying to use isn’t allowed”

This is a known limitation and behavior when using Microsoft Entra (Azure AD) login on Azure Arc‑enabled Windows Server 2025 systems, rather than a misconfiguration on your side.

This happens When Microsoft Entra ID authentication is enabled through Azure Arc on Windows Server 2025, the sign‑in process uses a specific Entra enterprise application called Azure Windows VM Sign‑In. This sign‑in flow has strict authentication requirements and does not fully support Conditional Access or MFA policies in the same way that browser or cloud app sign‑ins do.

If any of the following apply, the login attempt is blocked and results in the error you’re seeing:

A Conditional Access policy (even indirectly) applies to the Azure Windows VM Sign‑In application, Legacy per‑user MFA is enabled on the account.

Entra Security Defaults are enabled

The Remote Desktop client is not using “Web account” sign‑in

In these cases, Entra rejects the authentication at the Windows logon stage, and Windows surfaces it as “sign‑in method not allowed”, even though permissions and extensions are correctly configured.

Important behavior to note This is not an Azure Arc registration issue, is not an RBAC or role‑assignment problem, is not caused by outdated extensions or OS patches

It is a sign‑in flow restriction by design for Entra‑based authentication on Arc‑enabled Windows Server 2025.

Required conditions for a successful login

For Microsoft Entra login to work on an Arc‑enabled Windows Server 2025 system, all of the following must be true at the same time:

The Azure Windows VM Sign‑In enterprise application is excluded from Conditional Access and MFA enforcement Legacy per‑user MFA is disabled for the user

Security Defaults (if enabled) are disabled Remote Desktop is launched with “Use a web account to sign in” enabled

If any one of these conditions isn’t met, Entra authentication is rejected at the Windows sign‑in layer.

About browser behavior

The issue you noticed where Chrome worked but Edge did not during registration is related to cached Entra sessions and consent artifacts. This is a known browser‑side behavior and does not indicate a problem with your environment or tenant.

Hope this helps and let us know if any questions?
Siva shunmugam Nadessin 9,880 Reputation points Microsoft External Staff Moderator

2026-04-16T21:37:31.0766667+00:00

Hello Anthony Ries,

Just checking in to see if the solution shared above help you to resolve your issue. please reach out to us If you have any further questions.

Thanks
Rukmini 39,475 Reputation points Microsoft External Staff Moderator

2026-04-22T00:55:41.37+00:00

Hello Anthony Ries,

When attempting to connect into a Windows server with Azure Arc enabled, the error "The sign-in method you're trying to use isn't allowed" usually results from a mismatch in RBAC scope, a Conditional Access policy, or an inappropriate login method rather than a platform problem.

The first step in fixing issue is to make sure that the necessary role Virtual Machine Administrator Login (or Virtual Machine User Login) is assigned at the appropriate scope, which needs to be directly on the server resource that is Arc-enabled or its resource group/subscription. This exact failure will occur if the position is assigned at the wrong scope.

Next, examine the sign-in logs in Microsoft Entra ID to verify Conditional Access restrictions. Policies may still prevent access even after an exclusion was made if the test user or the Azure Windows VM Sign-In application are not correctly excluded. It is possible to determine whether CA is the cause by temporarily deactivating or excluding both the user and the program.

Additionally, make sure the right format is used while logging in: AzureAD******@domain.com Making use of Authentication will only fail if the username or email does not have the AzureAD prefix.

Make sure the Arc server has the AADLoginForWindows extension installed and in good working order. If necessary, restart the service. Additionally, run dsregcmd /status and make sure AzureAdJoined: YES appears to validate the device is correctly Azure AD linked.

For isolation, test with a cloud-only user account (not guest or synced) and temporarily remove Conditional Access policies. If the login succeeds in this scenario, the issue is confirmed to be related to identity type or CA configuration.

In conclusion, using the common validation procedures usually fixes this problem, which is most frequently caused by inaccurate RBAC assignment scope, Conditional Access enforcement, or poor login format.

Let me know if any further queries - feel free to reach out!
Raja Pothuraju 47,325 Reputation points Microsoft External Staff Moderator

2026-04-22T14:57:00.9466667+00:00

@Anthony Ries, Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Siva shunmugam Nadessin 9,880 Reputation points Microsoft External Staff Moderator

2026-04-16T21:37:31.0766667+00:00

Hello Anthony Ries,

Just checking in to see if the solution shared above help you to resolve your issue. please reach out to us If you have any further questions.

Thanks
Raja Pothuraju 47,325 Reputation points Microsoft External Staff Moderator

2026-04-22T14:57:00.9466667+00:00

@Anthony Ries, Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Posting it here too, cause there seem to be multiple threads about this.

We have spent several days troubleshooting the exact same issue and wanted to share our findings, because this does not appear to be a simple configuration problem.

Our setup:

Windows Server 2025 (on‑premises, not Azure VM)

Server successfully onboarded to Azure Arc
AADLoginForWindows extension installed and healthy
Server state:
- AzureAdJoined = YES
- DomainJoined = NO
Users:
- Cloud‑only Entra ID users (not synced from AD)
- Correct Azure RBAC assigned at the Arc machine scope:
  - Virtual Machine User Login
Client:
1. Windows 11, fresh install
2. Workplace‑joined to the same Entra tenant
3. RDP using “Use a web account to sign in”

RDP login opens Microsoft Entra sign‑in

Credentials are accepted
Login immediately loops back to the sign‑in prompt
No interactive error is shown to the user

Repeated entries in the server log like:

DoGetToken Diagnostic Event
Result: 0xC0000022
Endpoint Uri: https://pas.windows.net/CheckMyAccess
On-prem tgt error: On-prem configuration is missing

Important: this happens even for cloud‑only users, with no local AD involvement.

Things we have tested:

✅ Network connectivity to Entra endpoints is fine
✅ CheckMyAccess is called, so the server does reach Entra
✅ No Conditional Access policies
✅ Security Defaults disabled
✅ No per-user MFA enforcement
✅ No security-info registration prompt when logging into Office.com
✅ Azure AD Connect put into staging mode (sync fully paused)
✅ Tested with fresh users and fresh clients
✅ No firewall / proxy interference

Despite all of the above, the login loop continues.

The RDP login fails after Entra authentication but before a Windows logon token is issued. At that point Windows falls back into an internal “hybrid / on‑prem” code path, which results in the misleading:

On-prem tgt error: On-prem configuration is missing

Even though the documentation states this is supported, we were not able to make it work in a fully clean configuration.

Share via

Unable to get Entra login to function on Azure Arc enabled Windows Server 2025 hybrid system

1 answer

Your answer