Log in to a Windows virtual machine in Azure by using Azure AD including passwordless

Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform to RDP into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.

This article shows you how to create and configure a Windows VM and log in by using Azure AD-based authentication.

There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure. They include:

  • Use Azure AD authentication including passwordless to log in to Windows VMs in Azure.

  • Reduce reliance on local administrator accounts.

  • Password complexity and password lifetime policies that you configure for Azure AD also help secure Windows VMs.

  • With Azure RBAC:

    • Specify who can log in to a VM as a regular user or with administrator privileges.
    • When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate.
    • When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.
  • Configure Conditional Access policies that require phishing-resistant MFA (through the Require authentication strength grant control, currently in preview), require multifactor authentication (MFA), or evaluate other signals such as user sign-in risk before a user can RDP into Windows VMs.

  • Use Azure Policy to deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.

  • Use Intune to automate and scale Azure AD join with mobile device management (MDM) auto-enrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.

    MDM auto-enrollment requires Azure AD Premium P1 licenses. Windows Server VMs don't support MDM enrollment.

Note

After you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join them to another domain, like on-premises Active Directory or Azure Active Directory Domain Services. If you need to do so, disconnect the VM from Azure AD by uninstalling the extension.

Requirements

Supported Azure regions and Windows distributions

This feature currently supports the following Windows distributions:

  • Windows Server 2019 Datacenter and later
  • Windows 10 1809 and later
  • Windows 11 21H2 and later

This feature is now available in the following Azure clouds:

  • Azure Global
  • Azure Government
  • Azure China 21Vianet

Network requirements

To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443. The Azure Instance Metadata Service endpoint is the exception: it's a link-local HTTP endpoint on TCP port 80 that the VM must reach directly, not through a proxy.

Azure Global:

  • https://enterpriseregistration.windows.net: For device registration.
  • http://169.254.169.254: Azure Instance Metadata Service endpoint.
  • https://login.microsoftonline.com: For authentication flows.
  • https://pas.windows.net: For Azure RBAC flows.

Azure Government:

  • https://enterpriseregistration.microsoftonline.us: For device registration.
  • http://169.254.169.254: Azure Instance Metadata Service endpoint.
  • https://login.microsoftonline.us: For authentication flows.
  • https://pasff.usgovcloudapi.net: For Azure RBAC flows.

Azure China 21Vianet:

  • https://enterpriseregistration.partner.microsoftonline.cn: For device registration.
  • http://169.254.169.254: Azure Instance Metadata Service endpoint.
  • https://login.chinacloudapi.cn: For authentication flows.
  • https://pas.chinacloudapi.cn: For Azure RBAC flows.

Enable Azure AD login for a Windows VM in Azure

To use Azure AD login for a Windows VM in Azure, you must:

  1. Enable the Azure AD login option for the VM.
  2. Configure Azure role assignments for users who are authorized to log in to the VM.

There are two ways to enable Azure AD login for your Windows VM:

  • The Azure portal, when you're creating a Windows VM.
  • Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM.

Azure portal

You can enable Azure AD login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.

To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:

  1. Sign in to the Azure portal by using an account that has access to create VMs, and select + Create a resource.

  2. In the Search the Marketplace search bar, type Windows Server.

  3. Select Windows Server, and then choose Windows Server 2019 Datacenter from the Select a software plan dropdown list.

  4. Select Create.

  5. On the Management tab, select the Login with Azure AD checkbox in the Azure AD section.

    Screenshot that shows the Management tab on the Azure portal page for creating a virtual machine.

  6. Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Azure AD.

  7. Go through the rest of the experience of creating a virtual machine. You'll have to create an administrator username and password for the VM.

Note

To log in to the VM by using your Azure AD credentials, you first need to configure role assignments for the VM.

Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the Copy button to copy the code, paste it in Cloud Shell, and then select the Enter key to run it. There are a few ways to open Cloud Shell:

  • Select Try It in the upper-right corner of a code block.
  • Open Cloud Shell in your browser.
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

This article requires you to run Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article Install the Azure CLI.

  1. Create a resource group by running az group create.
  2. Create a VM by running az vm create. Use a supported distribution in a supported region.
  3. Install the Azure AD login VM extension.

The following example deploys a VM named myVM (that uses Win2019Datacenter) into a resource group named myResourceGroup, in the southcentralus region. In this example and the next one, you can provide your own resource group and VM names as needed.

az group create --name myResourceGroup --location southcentralus

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image Win2019Datacenter \
    --assign-identity \
    --admin-username azureuser \
    --admin-password yourpassword

Note

You must enable system-assigned managed identity on your virtual machine before you install the Azure AD login VM extension.

It takes a few minutes to create the VM and supporting resources.

Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VMs. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use az vm extension set to install the AADLoginForWindows extension on the VM named myVM in the myResourceGroup resource group. The same command enables Azure AD authentication on an existing Windows Server 2019 or Windows 10 1809 and later VM, provided that the VM already has a system-assigned managed identity. The following example uses the Azure CLI to install the extension:

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group myResourceGroup \
    --vm-name myVM

After the extension is installed on the VM, provisioningState shows Succeeded.

Configure role assignments for the VM

Now that you've created the VM, you need to configure an Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:

  • Virtual Machine Administrator Login: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.

To allow a user to log in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resources.

Note

Manually elevating a user to local administrator on the VM, by adding the user to the local Administrators group or by running net localgroup administrators /add "AzureAD\UserUpn", is not supported. Use the Azure roles above to authorize VM login.

An Azure user who has the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

There are two ways to configure role assignments for a VM:

  • Azure AD portal experience
  • Azure Cloud Shell experience

Note

The Virtual Machine Administrator Login and Virtual Machine User Login roles use dataActions, so they can't be assigned at the management group scope. Currently, you can assign these roles only at the subscription, resource group, or resource scope.

Azure AD portal

To configure role assignments for your Azure AD-enabled Windows Server 2019 Datacenter VMs:

  1. For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment to open the Add role assignment page.

  4. Assign the following role. For detailed steps, see Assign Azure roles by using the Azure portal.

    Role: Virtual Machine Administrator Login or Virtual Machine User Login
    Assign access to: User, group, service principal, or managed identity

    Screenshot that shows the page for adding a role assignment in the Azure portal.

Azure Cloud Shell

The following example uses az role assignment create to assign the Virtual Machine Administrator Login role to your current Azure user. You obtain the username of your current Azure account by using az account show, and you set the scope to the resource group created in a previous step by using az group show, so the assignment covers the VM together with its associated network resources.

You can also assign the role at the scope of the VM itself (az vm show --query id) or at subscription level. Normal Azure RBAC inheritance applies.

# Bash: no leading "$" when assigning a variable
username=$(az account show --query user.name --output tsv)
rg=$(az group show --resource-group myResourceGroup --query id -o tsv)

az role assignment create \
    --role "Virtual Machine Administrator Login" \
    --assignee "$username" \
    --scope "$rg"

Note

If your Azure AD domain and login username domain don't match, you must specify the object ID of your user account by using --assignee-object-id, not just the username for --assignee. You can obtain the object ID for your user account by using az ad user list.
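As an added example (not code from the page), the following bash script for Cloud Shell runs the whole procedure against an existing VM: it enables the system-assigned managed identity, installs the extension, waits for provisioningState to reach Succeeded, and assigns the Virtual Machine Administrator Login role using the signed-in user's object ID, which sidesteps the domain-mismatch problem described in the note above. It scopes the assignment to the VM itself (the narrowest scope the login action needs; the resource group recommended earlier also works) and refuses management group scopes, which these dataActions roles can't use. The resource group and VM names are arguments you supply; the live flow only runs when both are given.

```bash
#!/usr/bin/env bash
# Added example (not from the page): enable Azure AD login on an EXISTING
# Windows VM and grant the signed-in user the login role at VM scope.
# Assumes a logged-in Azure CLI; <resource-group> and <vm-name> are arguments.
set -eu

EXT_PUBLISHER="Microsoft.Azure.ActiveDirectory"
EXT_NAME="AADLoginForWindows"
LOGIN_ROLE="Virtual Machine Administrator Login"

# The two login roles carry dataActions, so they cannot be assigned at
# management group scope. 0 = subscription/resource group/resource scope.
scope_is_assignable() {
  case "$1" in
    /providers/Microsoft.Management/managementGroups/*) return 1 ;;
    /subscriptions/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Poll the extension instead of trusting the first read. 0 once Succeeded,
# 1 on Failed or when the retry budget (default 20 x 15 s) runs out.
wait_for_extension() {
  rg=$1; vm=$2; tries=${3:-20}
  while [ "$tries" -gt 0 ]; do
    state=$(az vm extension show -g "$rg" --vm-name "$vm" -n "$EXT_NAME" \
              --query provisioningState -o tsv 2>/dev/null || true)
    [ "$state" = "Succeeded" ] && return 0
    [ "$state" = "Failed" ] && return 1
    tries=$((tries - 1)); sleep 15
  done
  return 1
}

enable_aad_login() {
  rg=$1; vm=$2
  # 1. The extension requires a system-assigned managed identity on the VM.
  az vm identity assign -g "$rg" -n "$vm" >/dev/null
  # 2. Install the extension (a no-op if it is already present).
  az vm extension set -g "$rg" --vm-name "$vm" \
     --publisher "$EXT_PUBLISHER" --name "$EXT_NAME" >/dev/null
  wait_for_extension "$rg" "$vm" || { echo "extension did not reach Succeeded" >&2; return 1; }

  # 3. Assign the login role at the VM's own scope.
  scope=$(az vm show -g "$rg" -n "$vm" --query id -o tsv)
  scope_is_assignable "$scope" || { echo "scope $scope is not assignable" >&2; return 1; }
  # Object ID rather than UPN: works even when the login domain differs from
  # the tenant domain. ("id" is "objectId" on Azure CLI older than 2.37.)
  me=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create --role "$LOGIN_ROLE" \
     --assignee-object-id "$me" --assignee-principal-type User \
     --scope "$scope" >/dev/null

  # 4. Verify before trying to RDP: an empty list means the login will fail
  #    with "Your account is configured to prevent you from using this device".
  az role assignment list --assignee "$me" --scope "$scope" \
     --query "[].roleDefinitionName" -o tsv
}

# Run the live flow only when called as: ./enable-aad-login.sh <rg> <vm>
if [ "$#" -eq 2 ]; then
  enable_aad_login "$1" "$2"
fi
```

The poll loop matters in automation: az vm extension set returns when the ARM request completes, but the join inside the VM can still fail afterwards, which is what the troubleshooting section below covers.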

For more information about how to use Azure RBAC to manage access to your Azure subscription resources, see the following articles:

Log in by using Azure AD credentials to a Windows VM

You can do this over RDP using one of two methods:

  1. Passwordless, using any of the supported Azure AD credentials (recommended)
  2. Password, or limited passwordless using Windows Hello for Business deployed with the certificate trust model

Log in using passwordless authentication with Azure AD

To use passwordless authentication for your Windows VMs in Azure, you need the Windows client machine and the session host (VM) on the following operating systems:

Important

There is no requirement for Windows client machine to be either Azure AD registered, or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

To connect to the remote computer:

  • Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
  • On the Advanced tab, select the Use a web account to sign in to the remote computer option. This option is equivalent to the enablerdsaadauth RDP property. For more information, see Supported RDP properties with Remote Desktop Services.
  • Specify the name of the remote computer and select Connect.

Note

IP address cannot be used when Use a web account to sign in to the remote computer option is used. The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.

  • When prompted for credentials, specify your user name in user@domain.com format.
  • You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialog, select Yes to connect.

Important

If your organization has configured and is using Azure AD Conditional Access, your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies may be applied to the application Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) for controlled access.

Note

The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.

Log in using password/limited passwordless authentication with Azure AD

Important

Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com). At this time, you can use Azure Bastion to log in with Azure AD authentication via the Azure CLI and the native RDP client mstsc.

To log in to your Windows Server 2019 virtual machine by using Azure AD:

  1. Go to the overview page of the virtual machine that has been enabled with Azure AD login.
  2. Select Connect to open the Connect to virtual machine pane.
  3. Select Download RDP File.
  4. Select Open to open the Remote Desktop Connection client.
  5. Select Connect to open the Windows login dialog.
  6. Log in by using your Azure AD credentials.

You're now logged in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.

Note

You can save the .rdp file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.

Enforce Conditional Access policies

You can enforce Conditional Access policies, such as requiring phishing-resistant MFA through the Require authentication strength grant control (preview), requiring multifactor authentication, or checking user sign-in risk, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, select the Azure Windows VM Sign-In app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require an authentication strength (preview) or MFA as a grant control.

Note

If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, the client that initiates the RDP session to the target Windows VM in Azure must supply an MFA claim. The passwordless RDP method satisfies such Conditional Access policies directly. With the limited passwordless method, the only way to supply the claim from a Windows 10 or later client is Windows Hello for Business PIN or biometric authentication in the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809. Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model; it's currently not available for a key trust model.
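The policy described above can be created from Cloud Shell with the Azure CLI and Microsoft Graph instead of the portal. The following bash script is an added example, not code from the page: it targets the Azure Windows VM Sign-In app by its appId (372140e0-b3b7-4226-8ef9-d57986796201, the same ID the troubleshooting section uses to recreate the service principal), requires MFA as the grant control, and creates the policy in report-only mode first so that sign-in logs show who would have been blocked before anyone is. The pilot group and emergency-access account object IDs are placeholders, and the caller needs the Policy.ReadWrite.ConditionalAccess permission.

```bash
#!/usr/bin/env bash
# Added example (not from the page): create a Conditional Access policy for
# the Azure Windows VM Sign-In app via Microsoft Graph using "az rest".
# Assumes a logged-in Azure CLI with Policy.ReadWrite.ConditionalAccess.
set -eu

# appId of the Azure Windows VM Sign-In enterprise application.
VM_SIGNIN_APP_ID="372140e0-b3b7-4226-8ef9-d57986796201"
GRAPH_CA_URL="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Emit the Graph request body.
#   $1 display name
#   $2 object ID of the pilot group whose members the policy applies to
#   $3 object ID of an emergency-access account that is always excluded
#   $4 state: enabledForReportingButNotEnforced (report-only), enabled, disabled
build_ca_policy() {
  cat <<EOF
{
  "displayName": "$1",
  "state": "$4",
  "conditions": {
    "users": { "includeGroups": ["$2"], "excludeUsers": ["$3"] },
    "applications": { "includeApplications": ["$VM_SIGNIN_APP_ID"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

# Report-only (or disabled) is the safe first state: an enforced MFA policy
# on this app blocks every RDP client that cannot present an MFA claim.
policy_state_is_safe() {
  case "$1" in
    enabledForReportingButNotEnforced|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

create_ca_policy() {
  body=$(build_ca_policy "$@")
  az rest --method post --url "$GRAPH_CA_URL" \
     --headers "Content-Type=application/json" --body "$body" \
     --query id -o tsv
}

# Usage: ./vm-signin-ca.sh "<name>" <pilot-group-oid> <break-glass-oid> <state>
if [ "$#" -eq 4 ]; then
  policy_state_is_safe "$4" || echo "warning: creating the policy directly in state $4" >&2
  create_ca_policy "$@"
fi
```

Switch the state to enabled only after the report-only results show that the clients in use (passwordless RDP, or Windows Hello for Business with the limited passwordless method) actually present the MFA claim; otherwise users see the "sign-in method isn't allowed" error described under Troubleshoot sign-in problems.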

Use Azure Policy to meet standards and assess compliance

Use Azure Policy to:

  • Ensure that Azure AD login is enabled for your new and existing Windows virtual machines.
  • Assess compliance of your environment at scale on a compliance dashboard.

With this capability, you can use many levels of enforcement. You can flag new and existing Windows VMs within your environment that don't have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Windows VMs that don't have Azure AD login enabled, and remediate existing Windows VMs to the same standard.

In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review Azure Policy.

Troubleshoot deployment problems

The AADLoginForWindows extension must install successfully for the VM to complete the Azure AD join process. If the extension fails to install correctly, perform the following steps:

  1. RDP to the VM by using the local administrator account and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.

    Note

    If the extension restarts after the initial failure, the log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log.

  2. Open a PowerShell window on the VM. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the Azure host return the expected output:

    Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
    Expected output: Correct information about the Azure VM

    Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"
    Expected output: Valid tenant ID associated with the Azure subscription

    Command to run: curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"
    Expected output: Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM

    In Windows PowerShell 5.1, curl is an alias for Invoke-WebRequest, which doesn't accept the -H flag; use curl.exe so the real curl binary runs.

    Note

    You can decode the access token by using a tool like calebb.net, but treat the token as a bearer credential: it's base64url-encoded JSON, so prefer decoding it locally rather than pasting a token from a production VM into a third-party site. Verify that the oid value in the access token matches the managed identity that's assigned to the VM.

  3. Ensure that the required endpoints are accessible from the VM via PowerShell:

    • curl.exe https://login.microsoftonline.com/ -D -
    • curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.windows.net/ -D -
    • curl.exe https://device.login.microsoftonline.com/ -D -
    • curl.exe https://pas.windows.net/ -D -

    Note

    Replace <TenantID> with the Azure AD tenant ID that's associated with the Azure subscription. login.microsoftonline.com/<TenantID>, enterpriseregistration.windows.net, and pas.windows.net should return 404 Not Found, which is expected behavior.

  4. View the device state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES.

    Note

    Azure AD join activity is captured in Event Viewer under the User Device Registration\Admin log at Event Viewer (local)\Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin.
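The checks in steps 2 and 3 can be run without RDP by pushing them into the VM with az vm run-command from Cloud Shell. The following bash script is an added example, not part of the page: it fetches the IMDS token inside the VM, verifies the token's oid and aud claims locally against the VM's managed identity (the decode step above, done without handing the token to anyone), and classifies each endpoint check by curl's HTTP status, where the expected 404 counts as reachable and 000 means DNS, TCP or TLS failed. The resource group and VM names are arguments; the sample token embedded for the offline self-check is constructed and unsigned.

```bash
#!/usr/bin/env bash
# Added example (not from the page). Runs the IMDS and endpoint checks inside
# a Windows VM via "az vm run-command" and verifies the results locally.
# Assumes an Azure CLI session with access to the VM; rg/vm are arguments.
set -eu

DRS_AUDIENCE='urn:ms-drs:enterpriseregistration.windows.net'
IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token?resource=${DRS_AUDIENCE}&api-version=2018-02-01"

# ---- pure helpers: work on pasted output, no Azure access needed ----

# Print one string claim from a JWT payload. The payload is base64url:
# swap the alphabet back to standard base64 and restore the '=' padding.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | tr -- '-_' '+/' | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# The join only works with a token minted for this VM's own managed identity
# (oid) and for the device registration service (aud).
token_matches_identity() {
  if [ "$(jwt_claim "$1" oid)" = "$2" ] && [ "$(jwt_claim "$1" aud)" = "$DRS_AUDIENCE" ]; then
    return 0
  fi
  return 1
}

# curl -w '%{http_code}' prints 000 when DNS, TCP or TLS failed. Any real
# status, including the 404 that enterpriseregistration.windows.net and
# pas.windows.net return, proves the endpoint is reachable from the VM.
endpoint_reachable() {
  case "$1" in
    000|'') return 1 ;;
    [0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# ---- live checks: the PowerShell text is executed inside the VM ----

run_on_vm() {  # $1 resource group, $2 VM name, $3 PowerShell to run
  az vm run-command invoke -g "$1" -n "$2" --command-id RunPowerShellScript \
     --scripts "$3" --query 'value[0].message' -o tsv | tr -d '\r\n'
}

check_vm() {
  rg=$1; vm=$2
  expected_oid=$(az vm identity show -g "$rg" -n "$vm" --query principalId -o tsv)
  # curl.exe, not the PowerShell "curl" alias, so -H reaches the real binary.
  tok=$(run_on_vm "$rg" "$vm" "curl.exe -s -H Metadata:true '$IMDS_TOKEN_URL'" \
        | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  if token_matches_identity "$tok" "$expected_oid"; then
    echo "IMDS token OK: oid matches managed identity $expected_oid"
  else
    echo "IMDS token does not match the VM's managed identity (is it enabled?)" >&2
  fi
  for url in https://login.microsoftonline.com/ https://enterpriseregistration.windows.net/ \
             https://device.login.microsoftonline.com/ https://pas.windows.net/; do
    code=$(run_on_vm "$rg" "$vm" "curl.exe -s -o NUL -w '%{http_code}' $url")
    if endpoint_reachable "$code"; then echo "reachable   $code $url"
    else echo "UNREACHABLE $code $url (check DNS/NSG/firewall)" >&2; fi
  done
}

# Constructed, unsigned sample token used only for the offline self-check.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_OID='0c1f2e3d-4a5b-6c7d-8e9f-0a1b2c3d4e5f'
SAMPLE_TID='00000000-0000-0000-0000-000000000000'
SAMPLE_HEADER=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
SAMPLE_PAYLOAD=$(printf '{"aud":"%s","oid":"%s","tid":"%s"}' "$DRS_AUDIENCE" "$SAMPLE_OID" "$SAMPLE_TID" | b64url)
SAMPLE_JWT="$SAMPLE_HEADER.$SAMPLE_PAYLOAD.sig"

# Usage: ./check-aad-join.sh <resource-group> <vm-name>
if [ "$#" -eq 2 ]; then
  check_vm "$1" "$2"
fi
```

If the oid in the token doesn't match az vm identity show, the extension was installed before the identity existed (exit code -2145648574 below); if an endpoint reports 000, continue with the DNS steps under exit code -2145648607.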

If the AADLoginForWindows extension fails with an error code, you can perform the following steps.

Terminal error code 1007 and exit code -2145648574.

Terminal error code 1007 and exit code -2145648574 translate to DSREG_E_MSI_TENANTID_UNAVAILABLE. The extension can't query the Azure AD tenant information.

Connect to the VM as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service. Run the following command from an elevated PowerShell window on the VM:

curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"

This problem can also happen when the VM admin attempts to install the AADLoginForWindows extension, but a system-assigned managed identity hasn't been enabled on the VM first. In that case, go to the Identity pane of the VM. On the System assigned tab, verify that the Status toggle is set to On.

Exit code -2145648607

Exit code -2145648607 translates to DSREG_AUTOJOIN_DISC_FAILED. The extension can't reach the https://enterpriseregistration.windows.net endpoint.

  1. Verify that the required endpoints are accessible from the VM via PowerShell:

    • curl.exe https://login.microsoftonline.com/ -D -
    • curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.windows.net/ -D -
    • curl.exe https://device.login.microsoftonline.com/ -D -
    • curl.exe https://pas.windows.net/ -D -

    Note

    Replace <TenantID> with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select Azure Active Directory > Properties > Directory ID in the Azure portal.

    Attempts to connect to enterpriseregistration.windows.net might return 404 Not Found, which is expected behavior. Attempts to connect to pas.windows.net might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.

  2. If any of the commands fails with "Could not resolve host <URL>," try running this command to determine which DNS server the VM is using:

    nslookup <URL>

    Note

    Replace <URL> with the fully qualified domain names that the endpoints use, such as login.microsoftonline.com.

  3. See whether specifying a public DNS server allows the command to succeed:

    nslookup <URL> 208.67.222.222

  4. If necessary, change the DNS servers configured on the virtual network or network interface that the VM uses. (DNS settings aren't part of a network security group.)

Exit code 51

Exit code 51 translates to "This extension is not supported on the VM's operating system."

The AADLoginForWindows extension is intended to be installed only on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure that your version or build of Windows is supported. If it isn't supported, uninstall the extension.

Troubleshoot sign-in problems

Use the following information to correct sign-in problems.

You can view the device and single sign-on (SSO) state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.

RDP sign-in via Azure AD accounts is captured in Event Viewer under Applications and Services Logs\Microsoft\Windows\AAD\Operational.

Azure role not assigned

You might get the following error message when you initiate a remote desktop connection to your VM: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."

Screenshot of the message that says your account is configured to prevent you from using this device.

Verify that you've configured Azure RBAC policies for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.

Note

If you're having problems with Azure role assignments, see Troubleshoot Azure RBAC.

Unauthorized client or password change required

You might get the following error message when you initiate a remote desktop connection to your VM: "Your credentials did not work."

Screenshot of the message that says your credentials did not work.

Try these solutions:

  • The Windows 10 or later PC that you're using to initiate the remote desktop connection must be Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory. For more information about device identity, see the article What is a device identity?.

    Note

    Windows 10 Build 20H1 added support for an Azure AD-registered PC to initiate an RDP connection to your VM. When you're using a PC that's Azure AD registered (not Azure AD joined or hybrid Azure AD joined) as the RDP client to initiate connections to your VM, you must enter credentials in the format AzureAD\UPN (for example, AzureAD\john@contoso.com).

    Verify that the AADLoginForWindows extension wasn't uninstalled after the Azure AD join finished.

    Also, make sure that the security policy Network security: Allow PKU2U authentication requests to this computer to use online identities is enabled on both the server and the client.

  • Verify that the user doesn't have a temporary password. Temporary passwords can't be used to log in to a remote desktop connection.

    Sign in with the user account in a web browser. For instance, open the Azure portal in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.

MFA sign-in method required

You might see the following error message when you initiate a remote desktop connection to your VM: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."

Screenshot of the message that says the sign-in method you're trying to use isn't allowed.

If you've configured a Conditional Access policy that requires MFA or legacy per-user Enabled/Enforced Azure AD MFA before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you'll see the error.

Another MFA-related error message is the one described previously: "Your credentials did not work."

Screenshot of the message that says your credentials didn't work.

If you've configured a legacy per-user Enabled/Enforced Azure AD Multifactor Authentication setting and you see the error above, you can resolve the problem by removing the per-user MFA setting through these commands:

# The MSOnline module is deprecated, but it's still what manages this legacy per-user setting
Connect-MsolService

# Get the StrongAuthenticationRequirements configured on a user
(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

# Clear StrongAuthenticationRequirements from the user (an empty array removes the per-user MFA state)
$mfa = @()
Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfa

# Verify that StrongAuthenticationRequirements are cleared from the user (expect no output)
(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Azure Windows VM Sign-In app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see Windows Hello for Business overview.

Note

Windows Hello for Business PIN authentication with RDP has been supported for several versions of Windows 10. Support for biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business authentication during RDP is available for deployments that use a certificate trust model or key trust model.

Share your feedback about this feature or report problems with using it on the Azure AD feedback forum.

Missing application

If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant:

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Enterprise applications.
  3. Remove the filters to see all applications, and search for VM. If you don't see Azure Windows VM Sign-In as a result, the service principal is missing from the tenant.

Another way to verify it is via Graph PowerShell:

  1. Install the Graph PowerShell SDK if you haven't already done so.
  2. Run Connect-MgGraph -Scopes "ServicePrincipalEndpoint.ReadWrite.All","Application.ReadWrite.All".
  3. Sign in with a Global Administrator account.
  4. Consent to the permission prompt.
  5. Run Get-MgServicePrincipal -ConsistencyLevel eventual -Search '"DisplayName:Azure Windows VM Sign-In"'.
    • If this command results in no output and returns you to the PowerShell prompt, you can create the service principal with the following Graph PowerShell command:

      New-MgServicePrincipal -AppId 372140e0-b3b7-4226-8ef9-d57986796201

    • Successful output will show that the Azure Windows VM Sign-In app and its ID were created.

  6. Sign out of Graph PowerShell by using the Disconnect-MgGraph command.

Next steps

For more information about Azure AD, see What is Azure Active Directory?.