Azure AD Sign-in to Azure VMs fails due to enforced MFA (I think) - how to resolve?

Gary Mansell 111 Reputation points
2022-03-26T15:34:41.96+00:00

I have an Azure AD Tenant (Free) and I have connected an Azure VM to it, but find that I cannot log in with my Azure AD account (with VM Administrator RBAC role) from my home Win10 machine (that is also connected to the Azure AD Tenant) - I think this must be because my Azure AD account has enforced MFA configured?

If I create another Azure AD account (with VM Administrator RBAC role), then log in via the portal to change the initial password set at user creation, but decline to set MFA (can only do this for 14 days) - I can then use this account to RDP to the Azure VM successfully.

Is this expected behaviour? Is there some way that I can log in using Azure AD accounts that have enforced MFA, as it seems all Azure AD accounts in the free AD tenant have enforced MFA (as I have to log in to the Azure portal using the account to change the initial password before I can log in via RDP with it - and portal access requires enforced MFA)?

Or, am I missing something here...

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

5 answers

  1. Devaraj G 2,091 Reputation points
    2022-03-27T13:34:55.917+00:00

    Hi Gary, thanks for posting.
    It looks like an expected behaviour. Can you please confirm the error message when trying to log in through RDP?

    You need to ensure that the Windows 10 machine initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello, else the auth might fail. Otherwise, remove the per-user MFA.

    Check the section "MFA sign-in method required" in the below link:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows


  2. Gary Mansell 111 Reputation points
    2022-03-27T14:03:20.627+00:00

    Hey Dev073, thanks for getting back to me on this issue.

    I am signing in to my Win 10 21H2 laptop using Windows Hello PIN auth - which I understand is considered a strong authentication method.

    I can't remove the MFA requirement for my user account as it is the account that I use as Global Admin for my tenant and also when logging in to Azure portal - On the free Azure AD Tenant, both of these force MFA which can't be turned off.

    If I create another user account in Azure AD to use as the login account for the Azure VM, I have to first try and log in to the portal with this user account to reset the initial password, before I can log in to the Azure VM with it. At this point, as I have tried to log in to the Azure Portal with the account, it sets a timer of 14 days until it will enforce MFA. The account works in the short term for logging in to the Azure VM, but I presume this will stop working in 14 days.

    When I look at the Azure User's sign-in logs, you can see that the Windows Sign-In shows as successful:

    (screenshot)

    But it is the pass-through authentication that is sent to the Azure VM's Windows OS that then fails to log in to the Windows session on the VM:

    (screenshot)

    When I look at the security logs on the VM, all I see is a Windows 4625 error which does not give me much of a clue as to why it did not allow the login:

    (screenshots)

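Event 4625 on its own looks uninformative because the interesting part is in the Status/SubStatus NTSTATUS fields, which the Event Viewer summary does not decode. The following is an added example, not code from the thread: run it in an elevated PowerShell session on the VM itself to pull the recent 4625 events and translate the codes. The code table covers the standard NTSTATUS logon failure values; the time window (last 24 hours) and the event count are arbitrary choices.

```powershell
# Added example (not from the thread). Run as administrator on the VM that logs the 4625 events.
# Decodes the NTSTATUS values Windows records in Event ID 4625 so a failed sign-in can be
# attributed to a password problem, an account restriction, a missing logon right, etc.

# Well-known NTSTATUS codes seen in the Status / SubStatus fields of 4625.
# PowerShell hashtable keys are case-insensitive, so '0xc000006d' and '0xC000006D' both match.
$ntStatus = @{
    '0xC000005E' = 'No logon servers available to service the request'
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'User name is correct but the password is wrong'
    '0xC000006D' = 'Bad user name or authentication information'
    '0xC000006E' = 'Account restriction (blank password, logon hours, workstation restriction, ...)'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Logon from an unauthorised workstation'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000133' = 'Clock skew between client and server too large'
    '0xC000015B' = 'User has not been granted the requested logon type at this machine'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'User must change password at next logon'
    '0xC0000234' = 'Account locked out'
}

# Logon types that matter for an RDP investigation.
$logonType = @{
    '2'  = 'Interactive'
    '3'  = 'Network'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive (RDP)'
}

function Decode-Status {
    param([string]$Code)
    if ([string]::IsNullOrEmpty($Code)) { return '' }
    if ($ntStatus.ContainsKey($Code)) { return $ntStatus[$Code] }
    return "unknown ($Code)"
}

$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -MaxEvents 50 |
    ForEach-Object {
        # The XML view carries every EventData field by name; the Message text does not.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time          = $_.TimeCreated
            Account       = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType     = if ($logonType.ContainsKey($data.LogonType)) { $logonType[$data.LogonType] } else { $data.LogonType }
            Status        = Decode-Status $data.Status
            SubStatus     = Decode-Status $data.SubStatus
            FailureReason = $data.FailureReason
            AuthPackage   = $data.AuthenticationPackageName
            SourceIP      = $data.IpAddress
            Workstation   = $data.WorkstationName
        }
    } | Format-Table -AutoSize -Wrap
```

The SubStatus field is the more specific of the two: a Status of 0xC000006D with SubStatus 0xC000015B, for instance, points at the logon right on the VM rather than at credentials, which is a different fix from an MFA or password problem.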

  3. Devaraj G 2,091 Reputation points
    2022-03-28T05:36:41.23+00:00

    Thanks for the detailed reply. Yes, indeed it's a strong form of authentication.

    Looks like we are hitting a limitation here. How is the MFA enabled, is it through a Conditional Access policy or the MFA portal?

    Per-user Enabled/Enforced Azure AD Multi-Factor Authentication is not supported for VM Sign-In.
    https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#using-conditional-access

    Similar issue discussed here:
    https://learn.microsoft.com/en-us/answers/questions/291301/aad-joined-azure-vm-and-mfa.html


  4. Gary Mansell 111 Reputation points
    2022-03-28T16:06:23.027+00:00

    I have discovered that if I disconnect the Azure VM from Azure AD and then re-join using my Azure AD (Global Admin, Work/School account) - then I can RDP to the Azure VM successfully using the same account (i.e. the one that does not work if the account is joined at deployment time).

    It definitely seems to be something to do with MFA being enforced by the "Security defaults" Conditional Access policy (which I can't disable as it is a system policy) - I found this in the Azure AD Sign-In logs, which I think is related to the failure (even though the failure occurs on the Azure VM login screen):

    (screenshot)

    Why is it insisting on MFA and failing the CA policy when joined at deployment time, but not if I join it manually after deployment?

    Even if it insists on MFA, shouldn't I pass this with the strong authentication of Windows Hello and PIN from my Azure-AD joined home laptop? (I have even tried when logged into the laptop as the Azure AD (Global Admin, Work/School account) instead of a local account, but this does not help.)


  5. Gary Mansell 111 Reputation points
    2022-03-28T16:39:47.67+00:00

    I have discovered that it is definitely the Azure AD "Security Defaults" that are now enabled by default on new Azure AD Tenants:

    (screenshot)

    If I set this to No - then I can log in with the Azure AD (Global Admin, Work/School) account that I could not log in with previously.

    What I don't understand is why the strong Authentication of Windows Hello and PIN from my Azure AD joined home laptop does not allow this MFA requirement to be passed when the "Security Defaults" is enabled?

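Turning Security Defaults off, as described in the post above, removes the tenant-wide MFA requirement entirely. The supported alternative that the "Using Conditional Access" section linked in answer 3 points at is a Conditional Access policy that requires MFA specifically for the "Azure Windows VM Sign-In" application, which is the requirement a Windows Hello sign-in on the client can satisfy. The script below is an added example, not from the thread or from Microsoft's docs: it checks the Security Defaults state and creates such a policy in report-only mode using the Microsoft Graph PowerShell modules. The group name 'Azure VM Users' and the policy display name are assumptions; adjust them to your tenant.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell modules and an
# account holding the Conditional Access Administrator (or Global Administrator) role.
# Assumption: the users who sign in to the VMs are members of a group named 'Azure VM Users'
# (hypothetical name, change it to match your tenant).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# 1. Security Defaults and Conditional Access cannot be used together, so the policy below is
#    only accepted once Security Defaults are off (the switch the post above describes).
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($sd.IsEnabled)"
if ($sd.IsEnabled) {
    throw 'Disable Security Defaults first (Azure AD > Properties > Manage security defaults), then re-run.'
}

# 2. Resolve the first-party 'Azure Windows VM Sign-In' service principal by display name instead
#    of hard-coding its application ID.
$vmApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmApp) { throw "Service principal 'Azure Windows VM Sign-In' was not found in this tenant." }

$group = Get-MgGroup -Filter "displayName eq 'Azure VM Users'"
if (-not $group) { throw "Scoping group 'Azure VM Users' was not found." }

# 3. Create the policy in report-only mode. The Azure AD sign-in logs then show, per sign-in,
#    whether the client's authentication would have satisfied the MFA grant before it is enforced.
$policy = @{
    displayName   = 'Require MFA for Azure Windows VM sign-in'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($vmApp.AppId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created Conditional Access policy $($created.Id) in state '$($created.State)'."
```

Scoping the policy to a group rather than to all users keeps the Global Admin account's portal sign-ins governed separately, and report-only mode means a misconfiguration shows up in the sign-in logs under the policy name instead of as another opaque 4625 on the VM.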