Log in to a Windows virtual machine in Azure by using Azure AD
Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform to RDP into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.
This article shows you how to create and configure a Windows VM and log in by using Azure AD-based authentication.
There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure. They include:
Use Azure AD credentials to log in to Windows VMs in Azure. This works for both federated and managed domain users.
Reduce reliance on local administrator accounts.
Password complexity and password lifetime policies that you configure for Azure AD also help secure Windows VMs.
With Azure RBAC:
- Specify who can log in to a VM as a regular user or with administrator privileges.
- When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate.
- When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.
Configure Conditional Access policies to require multifactor authentication (MFA) and other signals, such as user sign-in risk, before you can RDP into Windows VMs.
Use Azure Policy to deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.
Use Intune to automate and scale Azure AD join with mobile device management (MDM) auto-enrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.
MDM auto-enrollment requires Azure AD Premium P1 licenses. Windows Server VMs don't support MDM enrollment.
After you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join them to another domain, like on-premises Active Directory or Azure Active Directory Domain Services. If you need to do so, disconnect the VM from Azure AD by uninstalling the extension.
Supported Azure regions and Windows distributions
This feature currently supports the following Windows distributions:
- Windows Server 2019 Datacenter and later
- Windows 10 1809 and later
Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the VM.
This feature is now available in the following Azure clouds:
- Azure Global
- Azure Government
- Azure China 21Vianet
To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443. The Azure Instance Metadata Service endpoint (http://169.254.169.254) is the exception: it is a link-local address served by the Azure host over plain HTTP (TCP port 80), and the VM must reach it directly rather than through a proxy.

Azure Global:
https://enterpriseregistration.windows.net: For device registration.
http://169.254.169.254: Azure Instance Metadata Service endpoint.
https://login.microsoftonline.com: For authentication flows.
https://pas.windows.net: For Azure RBAC flows.

Azure Government:
https://enterpriseregistration.microsoftonline.us: For device registration.
http://169.254.169.254: Azure Instance Metadata Service endpoint.
https://login.microsoftonline.us: For authentication flows.
https://pasff.usgovcloudapi.net: For Azure RBAC flows.

Azure China 21Vianet:
https://enterpriseregistration.partner.microsoftonline.cn: For device registration.
http://169.254.169.254: Azure Instance Metadata Service endpoint.
https://login.chinacloudapi.cn: For authentication flows.
https://pas.chinacloudapi.cn: For Azure RBAC flows.
Enable Azure AD login for a Windows VM in Azure
To use Azure AD login for a Windows VM in Azure, you must:
- Enable the Azure AD login option for the VM.
- Configure Azure role assignments for users who are authorized to log in to the VM.
There are two ways to enable Azure AD login for your Windows VM:
- The Azure portal, when you're creating a Windows VM.
- Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM.
You can enable Azure AD login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.
To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:
Sign in to the Azure portal by using an account that has access to create VMs, and select + Create a resource.
In the Search the Marketplace search bar, type Windows Server.
Select Windows Server, and then choose Windows Server 2019 Datacenter from the Select a software plan dropdown list.
On the Management tab, select the Login with Azure AD checkbox in the Azure AD section.
Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Azure AD.
Go through the rest of the experience of creating a virtual machine. You'll have to create an administrator username and password for the VM.
To log in to the VM by using your Azure AD credentials, you first need to configure role assignments for the VM.
Azure Cloud Shell
Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the Copy button to copy the code, paste it in Cloud Shell, and then select the Enter key to run it. There are a few ways to open Cloud Shell:
- Open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.
This article requires you to run Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article Install the Azure CLI.
- Create a resource group by running az group create.
- Create a VM by running az vm create. Use a supported distribution in a supported region.
- Install the Azure AD login VM extension.
The following example deploys a VM named myVM (that uses the Win2019Datacenter image) into a resource group named myResourceGroup, in the southcentralus region. In this example and the next one, you can provide your own resource group and VM names as needed. The --assign-identity flag enables the system-assigned managed identity that the extension requires. Avoid putting a real password on the command line, where it lands in shell history; if you omit --admin-password, az vm create prompts for it.

az group create --name myResourceGroup --location southcentralus

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image Win2019Datacenter \
    --assign-identity \
    --admin-username azureuser \
    --admin-password yourpassword
You must enable system-assigned managed identity on your virtual machine before you install the Azure AD login VM extension.
It takes a few minutes to create the VM and supporting resources.
Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VMs. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use az vm extension set to install the AADLoginForWindows extension on the VM named myVM in the myResourceGroup resource group.
You can install the AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Azure AD authentication. The following example uses the Azure CLI to install the extension:

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group myResourceGroup \
    --vm-name myVM

After the extension is installed on the VM, the Azure AD join completes. The join happens only if the extension installs successfully; if it doesn't, see Troubleshoot deployment problems later in this article.
Configure role assignments for the VM
Now that you've created the VM, you need to configure an Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:
- Virtual Machine Administrator Login: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.
To allow a user to log in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resources.
Manually elevating a user to become a local administrator on the VM, by adding the user to the local Administrators group or by running net localgroup administrators /add "AzureAD\UserUpn", is not supported. You need to use the Azure roles above to authorize VM login.
An Azure user who has the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.
There are two ways to configure role assignments for a VM:
- Azure AD portal experience
- Azure Cloud Shell experience
The Virtual Machine Administrator Login and Virtual Machine User Login roles use dataActions, so they can't be assigned at the management group scope. Currently, you can assign these roles only at the subscription, resource group, or resource scope.
Azure AD portal
To configure role assignments for your Azure AD-enabled Windows Server 2019 Datacenter VMs:
For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.
Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
Assign the following role. For detailed steps, see Assign Azure roles by using the Azure portal.
Setting            Value
Role               Virtual Machine Administrator Login or Virtual Machine User Login
Assign access to   User, group, service principal, or managed identity
Azure Cloud Shell
The following example uses az role assignment create to assign the Virtual Machine Administrator Login role to your current Azure user, scoped to the resource group that contains the VM created in a previous step. You obtain the username of your current Azure account by using az account show, and the resource group ID by using az group show.
You can also assign the role at the subscription level. Normal Azure RBAC inheritance applies.

username=$(az account show --query user.name --output tsv)
rg=$(az group show --name myResourceGroup --query id --output tsv)

az role assignment create \
    --role "Virtual Machine Administrator Login" \
    --assignee "$username" \
    --scope "$rg"

If your Azure AD domain and login username domain don't match, you must specify the object ID of your user account by using --assignee-object-id, not just the username for --assignee. You can obtain the object ID for your user account by using az ad user list.
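The same end-to-end procedure with the Az PowerShell module, as an added example that is not part of the original article: it enables the system-assigned managed identity if the VM lacks one, installs the AADLoginForWindows extension, refuses to continue unless the extension reports the Succeeded provisioning state, and assigns Virtual Machine Administrator Login at resource-group scope by object ID (which also covers the case where the user's UPN domain differs from the tenant domain). It assumes the Az.Accounts, Az.Compute and Az.Resources modules are installed and Connect-AzAccount has already been run; myResourceGroup, myVM and the UPN are placeholders.

```powershell
# Added example (not from the original article): enable Azure AD login on an
# existing Windows VM with Az PowerShell, verify the extension provisioned, then
# grant login at resource-group scope. Assumes Connect-AzAccount has been run.
$ResourceGroup = 'myResourceGroup'
$VmName        = 'myVM'
$Upn           = 'email@example.com'   # placeholder: user who should be able to RDP as admin

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. The extension needs a system-assigned managed identity; turn it on if it's missing.
#    (If the VM already has user-assigned identities, use SystemAssignedUserAssigned instead.)
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Write-Host "Enabling system-assigned managed identity on $VmName"
    $null = Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
}

# 2. Install the AADLoginForWindows extension (publisher Microsoft.Azure.ActiveDirectory).
$null = Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name 'AADLoginForWindows' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion '1.0' `
    -Location $vm.Location

# 3. The Azure AD join only completes if the extension provisioned successfully.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name 'AADLoginForWindows'
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "AADLoginForWindows provisioning state is '$($ext.ProvisioningState)'; see the troubleshooting section."
}

# 4. Grant login at resource-group scope. Owner/Contributor do NOT imply login rights.
#    Resolve the user to an object ID so the assignment works even when the UPN
#    domain differs from the tenant domain.
$user  = Get-AzADUser -UserPrincipalName $Upn
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$role  = 'Virtual Machine Administrator Login'

$existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role -Scope $scope
if (-not $existing) {
    $null = New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role -Scope $scope
}

# Review who can currently log in as administrator at this scope.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $role |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment is the review step a practitioner wants after any change to who can log in: it lists every principal (users, groups, service principals) holding the administrator login role at that scope, which is what you audit when someone leaves the team.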
For more information about how to use Azure RBAC to manage access to your Azure subscription resources, see the following articles:
- Assign Azure roles by using the Azure CLI
- Assign Azure roles by using the Azure portal
- Assign Azure roles by using Azure PowerShell
Enforce Conditional Access policies
You can enforce Conditional Access policies, such as multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the Azure Windows VM Sign-In app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require MFA as a control for granting access.
If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809.
Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.
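One way to create the Conditional Access policy described above with Microsoft Graph PowerShell, as an added example that is not part of the original article. It targets the Azure Windows VM Sign-In cloud app by app ID (the same ID the article uses later when recreating the missing service principal), scopes it to a pilot group, excludes emergency-access accounts, and requires MFA. It is created in report-only mode so you can confirm from the sign-in logs that Windows Hello for Business RDP sign-ins satisfy it before you enforce it; enforced without that check, every password-based RDP sign-in to the VMs fails. It assumes the Microsoft.Graph module is installed; the two group object IDs are placeholders.

```powershell
# Added example (not from the original article): Conditional Access policy that
# requires MFA for the Azure Windows VM Sign-In app, created in report-only mode.
# Assumes the Microsoft.Graph module is installed. Group IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$azureWindowsVmSignInAppId = '372140e0-b3b7-4226-8ef9-d57986796201'   # app ID of Azure Windows VM Sign-In
$pilotGroupId      = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot users group
$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access accounts group

$policy = @{
    displayName = 'Require MFA for Azure Windows VM Sign-In'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once validated
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($azureWindowsVmSignInAppId) }
        users          = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock out break-glass accounts
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State

# After report-only results confirm the pilot users' RDP sign-ins satisfy MFA
# (Windows Hello for Business on the client), enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```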
Log in by using Azure AD credentials to a Windows VM
Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\email@example.com). At this time, you can use Azure Bastion to log in with Azure AD authentication via the Azure CLI and the native RDP client mstsc.
To log in to your Windows Server 2019 virtual machine by using Azure AD:
- Go to the overview page of the virtual machine that has been enabled with Azure AD login.
- Select Connect to open the Connect to virtual machine pane.
- Select Download RDP File.
- Select Open to open the Remote Desktop Connection client.
- Select Connect to open the Windows login dialog.
- Log in by using your Azure AD credentials.
You're now logged in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.
You can save the .rdp file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.
Use Azure Policy to meet standards and assess compliance
Use Azure Policy to:
- Ensure that Azure AD login is enabled for your new and existing Windows virtual machines.
- Assess compliance of your environment at scale on a compliance dashboard.
With this capability, you can use many levels of enforcement. You can flag new and existing Windows VMs within your environment that don't have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Windows VMs that don't have Azure AD login enabled, and remediate existing Windows VMs to the same standard.
In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review Azure Policy.
Troubleshoot deployment problems
The AADLoginForWindows extension must be installed successfully for the VM to complete the Azure AD join process. If the VM extension fails to be installed correctly, perform the following steps:
RDP to the VM by using the local administrator account and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\<version>, where <version> is the version of the extension that was installed.
If the extension restarts after the initial failure, the log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log.
Open a PowerShell window on the VM. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the Azure host return the expected output. Use curl.exe explicitly: in Windows PowerShell, curl by itself is an alias for Invoke-WebRequest, which doesn't accept these arguments.

Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
Expected output: Correct information about the Azure VM

Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"
Expected output: Valid tenant ID associated with the Azure subscription

Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"
Expected output: Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM

You can decode the access token by using a tool like calebb.net. Keep in mind that the token is a live bearer credential for the VM's managed identity, so prefer decoding it locally (the payload is the base64url-encoded middle segment of the token) rather than pasting it into a third-party site. Verify that the oid value in the access token matches the managed identity that's assigned to the VM.
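A local alternative to a web decoder, as an added example that is not part of the original article: it decodes the payload of the IMDS-issued token on the VM itself, and compares the tid claim with the tenant ID IMDS reports and exposes the oid claim for comparison with the VM's identity. The decoder is exercised against a constructed token with placeholder GUIDs so the helper can be read offline; ConvertFrom-JwtPayload and Test-VmIdentityToken are names chosen for this example.

```powershell
# Added example (not from the original article): decode the IMDS access token
# locally instead of pasting a live credential into a third-party site, and
# compare its claims with what IMDS reports for this VM. Run on the VM.
# IMDS is plain HTTP on a link-local address and must be reached without a proxy.

function ConvertFrom-JwtPayload {
    # Returns the claims from the middle (payload) segment of a JWT.
    # The signature is NOT verified; this is for inspection only.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: undo the two substituted characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-VmIdentityToken {
    $imds    = 'http://169.254.169.254/metadata'
    $headers = @{ Metadata = 'true' }
    $info  = Invoke-RestMethod -Uri "$imds/identity/info?api-version=2018-02-01" -Headers $headers
    $token = Invoke-RestMethod -Headers $headers -Uri `
        "$imds/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"
    $claims = ConvertFrom-JwtPayload -Jwt $token.access_token
    [pscustomobject]@{
        ImdsTenantId  = $info.tenantId
        TokenTenantId = $claims.tid
        TenantMatch   = ($info.tenantId -eq $claims.tid)
        # oid must equal the VM's system-assigned identity object ID, shown on the VM's
        # Identity pane or by: az vm show -g myResourceGroup -n myVM --query identity.principalId
        TokenOid      = $claims.oid
        Audience      = $claims.aud
        ExpiresUtc    = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Constructed sample (not a real token): a header, a payload with placeholder GUIDs,
# and a dummy signature segment, built here only to exercise the decoder offline.
$samplePayload = '{"aud":"urn:ms-drs:enterpriseregistration.windows.net","tid":"00000000-0000-0000-0000-000000000000","oid":"11111111-1111-1111-1111-111111111111","exp":1700000000}'
$toB64Url = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$sampleJwt = '{0}.{1}.sig' -f (& $toB64Url '{"alg":"none","typ":"JWT"}'), (& $toB64Url $samplePayload)
ConvertFrom-JwtPayload -Jwt $sampleJwt | Format-List   # round-trips the constructed claims

# On the VM, against the live IMDS endpoint:
# Test-VmIdentityToken | Format-List
```

TenantMatch being false, or TokenOid not matching the identity shown on the VM's Identity pane, points at the identity/tenant problems covered by the exit codes below rather than at network reachability.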
Ensure that the required endpoints are accessible from the VM via PowerShell:

curl.exe https://login.microsoftonline.com/ -D -
curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
curl.exe https://enterpriseregistration.windows.net/ -D -
curl.exe https://device.login.microsoftonline.com/ -D -
curl.exe https://pas.windows.net/ -D -

Replace <TenantID> with the Azure AD tenant ID that's associated with the Azure subscription.
pas.windows.net should return 404 Not Found, which is expected behavior.
View the device state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES.
Azure AD join activity is captured in Event Viewer under the User Device Registration\Admin log at Event Viewer (local)\Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin.
If the AADLoginForWindows extension fails with an error code, you can perform the following steps.
Terminal error code 1007 and exit code -2145648574.
Terminal error code 1007 and exit code -2145648574 translate to DSREG_E_MSI_TENANTID_UNAVAILABLE. The extension can't query the Azure AD tenant information.
Connect to the VM as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service. Run the following command from an elevated PowerShell window on the VM:

curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"

This problem can also happen when the VM admin attempts to install the AADLoginForWindows extension but a system-assigned managed identity hasn't been enabled on the VM first. In that case, go to the Identity pane of the VM. On the System assigned tab, verify that the Status toggle is set to On.
Exit code -2145648607
Exit code -2145648607 translates to DSREG_AUTOJOIN_DISC_FAILED. The extension can't reach the required endpoints.
Verify that the required endpoints are accessible from the VM via PowerShell (use curl.exe, not the curl alias for Invoke-WebRequest):

curl.exe https://login.microsoftonline.com/ -D -
curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
curl.exe https://enterpriseregistration.windows.net/ -D -
curl.exe https://device.login.microsoftonline.com/ -D -
curl.exe https://pas.windows.net/ -D -

Replace <TenantID> with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select Azure Active Directory > Properties > Directory ID in the Azure portal.
Attempts to connect to enterpriseregistration.windows.net might return 404 Not Found, which is expected behavior. Attempts to connect to pas.windows.net might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.
If any of the commands fails with "Could not resolve host <URL>," first check which DNS server the VM is using and whether it resolves the name:

nslookup <URL>

Replace <URL> with the fully qualified domain names that the endpoints use, such as login.microsoftonline.com. Then see whether specifying a public DNS server allows the lookup to succeed:

nslookup <URL> <public DNS server IP>

If necessary, change the DNS servers configured on the virtual network (or on the VM's network interface) that the Azure VM belongs to. DNS servers aren't a property of network security groups.
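The endpoint and DNS checks above, automated as an added example that is not part of the original article: for each of the Azure Global endpoints listed earlier in this article it reports separately whether the name resolves, whether an HTTPS response came back (any status code, including the expected 404 from pas.windows.net, counts as reachable), and, for names that fail to resolve, what the VM's configured resolver and a public resolver each return. It runs on the VM in PowerShell; <TenantID> and the public DNS server address are placeholders to fill in, and the function names are chosen for this example.

```powershell
# Added example (not from the original article): from the VM, check that the
# endpoints the AADLoginForWindows extension needs are reachable, separating DNS
# failures from TCP/TLS failures from HTTP responses. Hosts are the Azure Global
# list; substitute the Azure Government or Azure China 21Vianet hosts as needed.
$TenantId        = '<TenantID>'                # placeholder: your Azure AD tenant ID
$PublicDnsServer = '<public DNS server IP>'    # placeholder: resolver used only for comparison

$Endpoints = @(
    'https://login.microsoftonline.com/'
    "https://login.microsoftonline.com/$TenantId/"
    'https://enterpriseregistration.windows.net/'
    'https://device.login.microsoftonline.com/'
    'https://pas.windows.net/'
)

function Test-AadLoginEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    $hostName = ([Uri]$Url).Host
    $result = [ordered]@{ Url = $Url; Dns = $null; Http = $null; Reachable = $false }

    # 1. Name resolution through the resolvers the VM is actually configured with.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
        $result.Dns = $addrs -join ','
    } catch {
        $result.Dns = "FAILED: $($_.Exception.Message)"    # curl's 'Could not resolve host'
        return [pscustomobject]$result
    }

    # 2. HTTPS request. A 4xx/5xx answer throws in PowerShell but still proves we reached the host.
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $result.Http = [int]$resp.StatusCode
        $result.Reachable = $true
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and $resp.StatusCode) {
            $result.Http = [int]$resp.StatusCode          # e.g. 404 from pas.windows.net
            $result.Reachable = $true
        } else {
            $result.Http = "FAILED: $($_.Exception.Message)"   # TCP, TLS or proxy failure
        }
    }
    [pscustomobject]$result
}

function Compare-DnsResolution {
    # For a host that failed step 1: query the configured resolver and a public one.
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][string]$AlternateServer)
    $lookup = {
        param($Server)
        $splat = @{ Name = $HostName; Type = 'A'; ErrorAction = 'Stop' }
        if ($Server) { $splat.Server = $Server }
        try {
            (Resolve-DnsName @splat | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
        } catch { "FAILED: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        HostName        = $HostName
        ConfiguredDns   = & $lookup $null
        AlternateServer = & $lookup $AlternateServer
    }
}

# Which resolvers is the VM using? Azure-provided DNS is 168.63.129.16.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

$Endpoints | ForEach-Object { Test-AadLoginEndpoint -Url $_ } | Format-Table -AutoSize

# For any row whose Dns column shows FAILED:
# Compare-DnsResolution -HostName 'enterpriseregistration.windows.net' -AlternateServer $PublicDnsServer
```

A row with Dns populated but Http showing FAILED means the name resolves and the problem is a blocked port 443 path (network security group, firewall or forced tunnelling), not DNS; a row with a numeric Http status is reachable regardless of the code.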
Exit code 51
Exit code 51 translates to "This extension is not supported on the VM's operating system."
The AADLoginForWindows extension is intended to be installed only on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure that your version or build of Windows is supported. If it isn't supported, uninstall the extension.
Troubleshoot sign-in problems
Use the following information to correct sign-in problems.
You can view the device and single sign-on (SSO) state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.
RDP sign-in via Azure AD accounts is captured in Event Viewer under the AAD\Operational event logs.
Azure role not assigned
You might get the following error message when you initiate a remote desktop connection to your VM: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."
Verify that you've configured Azure RBAC policies for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.
If you're having problems with Azure role assignments, see Troubleshoot Azure RBAC.
Unauthorized client or password change required
You might get the following error message when you initiate a remote desktop connection to your VM: "Your credentials did not work."
Try these solutions:
The Windows 10 or later PC that you're using to initiate the remote desktop connection must be Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory. For more information about device identity, see the article What is a device identity?.
Windows 10 Build 20H1 added support for an Azure AD-registered PC to initiate an RDP connection to your VM. When you're using a PC that's Azure AD registered (not Azure AD joined or hybrid Azure AD joined) as the RDP client to initiate connections to your VM, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\email@example.com).
Verify that the AADLoginForWindows extension wasn't uninstalled after the Azure AD join finished.
Also, make sure that the security policy Network security: Allow PKU2U authentication requests to this computer to use online identities is enabled on both the server and the client.
Verify that the user doesn't have a temporary password. Temporary passwords can't be used to log in to a remote desktop connection.
Sign in with the user account in a web browser. For instance, open the Azure portal in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.
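The checks in this troubleshooting section gathered in one pass, as an added example that is not part of the original article: it parses dsregcmd /status into a lookup table and evaluates AzureAdJoined and AzureAdPrt, reads the registry value behind the PKU2U security policy mentioned above, and lists recent warnings and errors from the User Device Registration and AAD operational logs. Run it from an elevated PowerShell prompt on the VM; the function names are chosen for this example.

```powershell
# Added example (not from the original article): sign-in troubleshooting state in
# one pass on the VM. Run from an elevated PowerShell prompt.

function Get-DsregStatus {
    # dsregcmd prints 'Key : Value' lines under section banners; keep only the pairs.
    # The key is matched up to the first colon so values that are URLs survive intact.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Get-Pku2uSetting {
    # Registry value behind 'Network security: Allow PKU2U authentication requests
    # to this computer to use online identities'. 1 = enabled, 0 = disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $v = Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'not configured' } else { $v.AllowOnlineID }
}

function Test-AadSignInReadiness {
    $s = Get-DsregStatus
    [pscustomobject]@{
        AzureAdJoined      = $s['AzureAdJoined']
        AzureAdPrt         = $s['AzureAdPrt']
        TenantName         = $s['TenantName']
        DeviceId           = $s['DeviceId']
        Pku2uAllowOnlineID = Get-Pku2uSetting
        Ready              = ($s['AzureAdJoined'] -eq 'YES' -and $s['AzureAdPrt'] -eq 'YES')
    }
}

function Get-AadLoginEvents {
    # Recent critical/error/warning events from the two logs this article points at.
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    $filter = @{
        StartTime = (Get-Date).AddHours(-$Hours)
        Level     = 1, 2, 3
    }
    foreach ($log in 'Microsoft-Windows-User Device Registration/Admin', 'Microsoft-Windows-AAD/Operational') {
        $filter.LogName = $log
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Test-AadSignInReadiness | Format-List
Get-AadLoginEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

Ready is false when either flag isn't YES; AzureAdJoined : NO points back to the extension deployment problems above, while a missing PRT or a PKU2U value of 0 explains "Your credentials did not work" on an otherwise joined VM.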
MFA sign-in method required
You might see the following error message when you initiate a remote desktop connection to your VM: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."
If you've configured a Conditional Access policy that requires MFA or legacy per-user Enabled/Enforced Azure AD MFA before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you'll see the error.
Another MFA-related error message is the one described previously: "Your credentials did not work."
If you've configured a legacy per-user Enabled/Enforced Azure AD Multifactor Authentication setting and you see the error above, you can resolve the problem by removing the per-user MFA setting through these commands:
# Connect with the MSOnline module first, using an account that can manage users
Connect-MsolService

$upn = "email@example.com"

# Get StrongAuthenticationRequirements configured on a user
(Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements

# Clear StrongAuthenticationRequirements from a user
$mfa = @()
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $mfa

# Verify StrongAuthenticationRequirements are cleared from the user
(Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationRequirements
If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Azure Windows VM Sign-In app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see Windows Hello for Business overview.
Windows Hello for Business PIN authentication with RDP has been supported for several versions of Windows 10. Support for biometric authentication with RDP was added in Windows 10 version 1809. As noted earlier, using Windows Hello for Business authentication during RDP is available for deployments that use a certificate trust model; it isn't currently available for a key trust model.
If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant:
- Sign in to the Azure portal.
- Browse to Azure Active Directory > Enterprise applications.
- Remove the filters to see all applications, and search for VM. If you don't see Azure Windows VM Sign-In as a result, the service principal is missing from the tenant.
Another way to verify it is via Graph PowerShell:
- Install the Graph PowerShell SDK if you haven't already done so.
- Run Connect-MgGraph -Scopes "ServicePrincipalEndpoint.ReadWrite.All", sign in with a Global Administrator account, and consent to the permission prompt.
- Run Get-MgServicePrincipal -ConsistencyLevel eventual -Search '"DisplayName:Azure Windows VM Sign-In"'.
If this command results in no output and returns you to the PowerShell prompt, you can create the service principal with the following Graph PowerShell command:
New-MgServicePrincipal -AppId 372140e0-b3b7-4226-8ef9-d57986796201
Successful output will show that the Azure Windows VM Sign-In app and its ID were created.
When you're done, sign out of Graph PowerShell by running Disconnect-MgGraph.
For more information about Azure AD, see What is Azure Active Directory?.