Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID including passwordless
Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform to Remote Desktop Protocol (RDP) into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.
This article shows you how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication.
There are many security benefits of using Microsoft Entra ID-based authentication to sign in to Windows VMs in Azure. They include:
Use Microsoft Entra authentication including passwordless to sign in to Windows VMs in Azure.
Reduce reliance on local administrator accounts.
Password complexity and password lifetime policies that you configure for Microsoft Entra ID also help secure Windows VMs.
With Azure RBAC:
- Specify who can sign in to a VM as a regular user or with administrator privileges.
- When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate.
- When employees leave your organization and their user accounts are disabled or removed from Microsoft Entra ID, they no longer have access to your resources.
Configure Conditional Access policies that require phishing-resistant MFA (through the require authentication strength grant control) or require multifactor authentication, and that evaluate other signals such as user sign-in risk, before a user can RDP into Windows VMs.
Use Azure Policy to deploy and audit policies to require Microsoft Entra login for Windows VMs and to flag the use of unapproved local accounts on the VMs.
Use Intune to automate and scale Microsoft Entra join with mobile device management (MDM) autoenrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.
MDM autoenrollment requires Microsoft Entra ID P1 licenses. Windows Server VMs don't support MDM enrollment.
Note
After you enable this capability, your Windows VMs in Azure will be Microsoft Entra joined. You cannot join them to another domain, like on-premises Active Directory or Microsoft Entra Domain Services. If you need to do so, disconnect the VM from Microsoft Entra ID by uninstalling the extension.
Requirements
Supported Azure regions and Windows distributions
This feature currently supports the following Windows distributions:
- Windows Server 2019 Datacenter and later
- Windows 10 1809 and later
- Windows 11 21H2 and later
This feature is now available in the following Azure clouds:
- Azure Global
- Azure Government
- Microsoft Azure operated by 21Vianet
Network requirements
To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443.
Azure Global:
- https://enterpriseregistration.windows.net: for device registration.
- http://169.254.169.254: Azure Instance Metadata Service endpoint.
- https://login.microsoftonline.com: for authentication flows.
- https://pas.windows.net: for Azure RBAC flows.
Azure Government:
- https://enterpriseregistration.microsoftonline.us: for device registration.
- http://169.254.169.254: Azure Instance Metadata Service endpoint.
- https://login.microsoftonline.us: for authentication flows.
- https://pasff.usgovcloudapi.net: for Azure RBAC flows.
Microsoft Azure operated by 21Vianet:
- https://enterpriseregistration.partner.microsoftonline.cn: for device registration.
- http://169.254.169.254: Azure Instance Metadata Service endpoint.
- https://login.chinacloudapi.cn: for authentication flows.
- https://pas.chinacloudapi.cn: for Azure RBAC flows.
Authentication requirements
Microsoft Entra Guest accounts can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.
Enable Microsoft Entra login for a Windows VM in Azure
To use Microsoft Entra login for a Windows VM in Azure, you must:
- Enable the Microsoft Entra login option for the VM.
- Configure Azure role assignments for users who are authorized to sign in to the VM.
There are two ways to enable Microsoft Entra login for your Windows VM:
- The Azure portal, when you're creating a Windows VM.
- Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM.
Note
If a device object with the same displayName as the hostname of a VM where an extension is installed exists, the VM fails to join Microsoft Entra ID with a hostname duplication error. Avoid duplication by modifying the hostname.
Azure portal
You can enable Microsoft Entra login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.
To create a Windows Server 2019 Datacenter VM in Azure with Microsoft Entra login:
Sign in to the Azure portal by using an account that has access to create VMs, and select + Create a resource.
In the Search the Marketplace search bar, type Windows Server.
Select Windows Server, and then choose Windows Server 2019 Datacenter from the Select a software plan dropdown list.
Select Create.
On the Management tab, select the Login with Microsoft Entra ID checkbox in the Microsoft Entra ID section.
Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Microsoft Entra ID.
Go through the rest of the experience of creating a virtual machine. You have to create an administrator username and password for the VM.
Note
To sign in to the VM by using your Microsoft Entra credentials, you first need to configure role assignments for the VM.
Azure Cloud Shell
Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the Copy button to copy the code, paste it in Cloud Shell, and then select the Enter key to run it. There are a few ways to open Cloud Shell:
- Select Try It in the upper-right corner of a code block.
- Open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.
This article requires you to run Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article Install the Azure CLI.
- Create a resource group by running az group create.
- Create a VM by running az vm create. Use a supported distribution in a supported region.
- Install the Microsoft Entra login VM extension.
The following example deploys a VM named myVM (that uses the Win2019Datacenter image) into a resource group named myResourceGroup, in the southcentralus region. In this example and the next one, you can provide your own resource group and VM names as needed.
az group create --name myResourceGroup --location southcentralus
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Win2019Datacenter \
--assign-identity \
--admin-username azureuser \
--admin-password yourpassword
Note
You must enable system-assigned managed identity on your virtual machine before you install the Microsoft Entra login VM extension. Managed Identities are stored in a single Microsoft Entra tenant and currently do not support cross directory scenarios.
It takes a few minutes to create the VM and supporting resources.
Finally, install the Microsoft Entra login VM extension to enable Microsoft Entra login for Windows VMs. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure Virtual Machines. Use az vm extension set to install the AADLoginForWindows extension on the VM named myVM in the myResourceGroup resource group.
You can install the AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Microsoft Entra authentication. The following example uses the Azure CLI to install the extension:
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group myResourceGroup \
--vm-name myVM
After the extension is installed on the VM, provisioningState shows Succeeded.
Configure role assignments for the VM
Now that you've created the VM, you need to assign one of the following Azure roles to determine who can sign in to the VM. To assign these roles, you must have the Virtual Machine Data Access Administrator role, or any role that includes the Microsoft.Authorization/roleAssignments/write action, such as the Role Based Access Control Administrator role. However, if you use a different role than Virtual Machine Data Access Administrator, we recommend that you add a condition to reduce the permission to create role assignments.
- Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.
To allow a user to sign in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the Virtual Machine resource.
Note
Manually elevating a user to become a local administrator on the VM, either by adding the user to the local administrators group or by running the net localgroup administrators /add "AzureAD\UserUpn" command, is not supported. You need to use the Azure roles above to authorize VM login.
An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to sign in to the VM over RDP. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.
There are two ways to configure role assignments for a VM:
- Microsoft Entra admin center experience
- Azure Cloud Shell experience
Note
The Virtual Machine Administrator Login and Virtual Machine User Login roles use dataActions, so they can't be assigned at the management group scope. Currently, you can assign these roles only at the subscription, resource group, or resource scope.
Microsoft Entra admin center
To configure role assignments for your Microsoft Entra ID-enabled Windows Server 2019 Datacenter VMs:
For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.
Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
Assign the following role. For detailed steps, see Assign Azure roles by using the Azure portal.
| Setting | Value |
| --- | --- |
| Role | Virtual Machine Administrator Login or Virtual Machine User Login |
| Assign access to | User, group, service principal, or managed identity |
Azure Cloud Shell
The following example uses az role assignment create to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using az account show, and you set the scope to the VM created in a previous step by using az vm show.
You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply.
# UPN of the account currently signed in to the Azure CLI (bash: no leading $ on assignment)
username=$(az account show --query user.name --output tsv)
# Resource ID of the resource group; this example scopes the assignment to the resource group
rg=$(az group show --resource-group myResourceGroup --query id -o tsv)
az role assignment create \
--role "Virtual Machine Administrator Login" \
--assignee $username \
--scope $rg
Note
If your Microsoft Entra domain and login username domain don't match, you must specify the object ID of your user account by using --assignee-object-id, not just the username for --assignee. You can obtain the object ID for your user account by using az ad user list.
For more information about how to use Azure RBAC to manage access to your Azure subscription resources, see the following articles:
- Assign Azure roles by using the Azure CLI
- Assign Azure roles by using the Azure portal
- Assign Azure roles by using Azure PowerShell
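The extension install and the role assignment described above, combined into one scripted flow with verification at each step. This is an added example, not the article's own code: it runs the Azure CLI from a PowerShell session (Cloud Shell or a local install), the Invoke-AzCli helper is ours, and the resource group, VM name and user UPN are placeholders. It assigns the role by object ID at VM scope, which sidesteps the domain-mismatch case in the note above and keeps the grant as narrow as possible.

```powershell
# Added example (not from the article): enable Microsoft Entra login on an
# existing Windows VM and grant one user least-privilege sign-in rights with
# the Azure CLI from a PowerShell session (Cloud Shell or a local az install).
# Placeholder values: replace the resource group, VM name and user UPN.
$ResourceGroup = 'myResourceGroup'
$VmName        = 'myVM'
$UserUpn       = 'user@contoso.com'            # the user who should be able to sign in
$Role          = 'Virtual Machine User Login'  # use Administrator Login only where admin rights are needed

function Invoke-AzCli {
    # Runs az with the given arguments and stops on a non-zero exit code
    # instead of silently continuing with an empty result (helper, ours).
    $output = & az @args
    if ($LASTEXITCODE -ne 0) { throw "az $($args -join ' ') failed" }
    return $output
}

# 1. The extension requires a system-assigned managed identity, so enable it first.
$principalId = Invoke-AzCli vm show -g $ResourceGroup -n $VmName --query identity.principalId -o tsv
if (-not $principalId) {
    Invoke-AzCli vm identity assign -g $ResourceGroup -n $VmName -o none
}

# 2. Install AADLoginForWindows (az waits for completion) and confirm provisioningState.
Invoke-AzCli vm extension set -g $ResourceGroup --vm-name $VmName `
    --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows -o none
$state = Invoke-AzCli vm extension show -g $ResourceGroup --vm-name $VmName `
    --name AADLoginForWindows --query provisioningState -o tsv
if ($state -ne 'Succeeded') { throw "Extension provisioningState is '$state', expected 'Succeeded'" }

# 3. Assign the role at VM scope by object ID, so it also works when the user's
#    login domain differs from the Microsoft Entra domain.
$objectId = Invoke-AzCli ad user show --id $UserUpn --query id -o tsv
if (-not $objectId) { throw "User $UserUpn not found in this tenant" }
$vmId = Invoke-AzCli vm show -g $ResourceGroup -n $VmName --query id -o tsv
Invoke-AzCli role assignment create --role $Role --assignee-object-id $objectId `
    --assignee-principal-type User --scope $vmId -o none

# 4. Verify the assignment exists at exactly that scope before handing the VM over.
$count = Invoke-AzCli role assignment list --scope $vmId --assignee $objectId `
    --query "[?roleDefinitionName=='$Role'] | length(@)" -o tsv
"$Role assignments for $UserUpn on $VmName at VM scope: $count"
```

The final query lists only assignments made directly on the VM resource; inherited assignments from the resource group or subscription are intentionally not counted here, so a result of 0 with working sign-in means the grant lives at a broader scope than intended.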
Log in by using Microsoft Entra credentials to a Windows VM
You can sign in over RDP using one of two methods:
- Passwordless using any of the supported Microsoft Entra credentials (recommended)
- Password/limited passwordless using Windows Hello for Business deployed using certificate trust model
Log in using passwordless authentication with Microsoft Entra ID
To use passwordless authentication for your Windows VMs in Azure, you need the Windows client machine and the session host (VM) on the following operating systems:
- Windows 11 with 2022-10 Cumulative Updates for Windows 11 (KB5018418) or later installed.
- Windows 10, version 20H2 or later with 2022-10 Cumulative Updates for Windows 10 (KB5018410) or later installed.
- Windows Server 2022 with 2022-10 Cumulative Update for Microsoft server operating system (KB5018421) or later installed.
Note
When using the web account to sign in to the remote computer option, there is no requirement for the local device to be joined to a domain or Microsoft Entra ID.
To connect to the remote computer:
- Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
- Select the Use a web account to sign in to the remote computer option in the Advanced tab. This option is equivalent to the enablerdsaadauth RDP property. For more information, see Supported RDP properties with Remote Desktop Services.
- Specify the name of the remote computer and select Connect.
Important
IP address cannot be used with Use a web account to sign in to the remote computer option. The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.
- When prompted for credentials, specify your user name in user@domain.com format.
- You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select Yes to connect.
Important
If your organization has configured and is using Microsoft Entra Conditional Access, your device must satisfy the Conditional Access requirements to allow connection to the remote computer. Conditional Access policies might be applied to the application Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) for controlled access.
Note
The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable Conditional Access policies.
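The same connection, scripted: the function below writes an .rdp file that sets the enablerdsaadauth property (the equivalent of the Use a web account to sign in to the remote computer checkbox) and opens it with mstsc.exe. This is an added example, not from the article; the function name, the hostname and the UPN are placeholders. It refuses an IP address up front, because that is the case the Important note above calls out as unsupported.

```powershell
# Added example (not from the article): build an .rdp file for passwordless
# Microsoft Entra sign-in and launch it. Hostname and UPN are placeholders.
function New-EntraRdpFile {
    param(
        [Parameter(Mandatory)][string]$HostName,           # must match the VM's hostname in Microsoft Entra ID
        [Parameter(Mandatory)][string]$UserPrincipalName,  # user@domain.com
        [string]$Path = "$env:TEMP\$HostName.rdp"
    )
    # An IP address is not accepted by this sign-in mode, so fail early and clearly.
    if ([System.Net.IPAddress]::TryParse($HostName, [ref]$null)) {
        throw "Use the Microsoft Entra hostname of the VM, not an IP address: $HostName"
    }
    @(
        "full address:s:$HostName",
        "enablerdsaadauth:i:1",            # same setting as 'Use a web account to sign in to the remote computer'
        "username:s:$UserPrincipalName"
    ) | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

# Placeholder values; the hostname must resolve to the VM's IP address.
$rdp = New-EntraRdpFile -HostName 'myVM' -UserPrincipalName 'user@contoso.com'
mstsc.exe $rdp
```

Keeping the file to these three properties means no password is stored alongside the connection; authentication happens through the web account prompt, where Conditional Access is evaluated.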
Log in using password/limited passwordless authentication with Microsoft Entra ID
Important
Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are either Microsoft Entra registered (minimum required build is 20H1) or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
If you're using a Microsoft Entra registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com). At this time, you can use Azure Bastion to log in with Microsoft Entra authentication via the Azure CLI and the native RDP client mstsc.
To sign in to your Windows Server 2019 virtual machine by using Microsoft Entra ID:
- Go to the overview page of the virtual machine that has been enabled with Microsoft Entra login.
- Select Connect to open the Connect to virtual machine pane.
- Select Download RDP File.
- Select Open to open the Remote Desktop Connection client.
- Select Connect to open the Windows login dialog.
- Log in by using your Microsoft Entra credentials.
You're now signed in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.
Note
You can save the .RDP file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.
Enforce Conditional Access policies
You can enforce Conditional Access policies, such as phishing-resistant MFA (through the require authentication strength grant control), multifactor authentication, or a user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Microsoft Entra login. To apply a Conditional Access policy, you must select the Microsoft Azure Windows Virtual Machine Sign-in app from the cloud apps or actions assignment option. Then use sign-in risk as a condition, or use the require authentication strength grant control (phishing-resistant MFA) or require MFA as a control for granting access.
Note
If you require MFA as a control for granting access to the Microsoft Azure Windows Virtual Machine Sign-in app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. This can be achieved by using the passwordless authentication method for RDP, which satisfies the Conditional Access policies. If you are using the limited passwordless method for RDP, the only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809. Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.
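A policy of the kind this section describes, created with the Microsoft Graph PowerShell SDK: it targets the Microsoft Azure Windows Virtual Machine Sign-in app (application ID 372140e0-b3b7-4226-8ef9-d57986796201, as given later in this article) and requires the built-in Phishing-resistant MFA authentication strength. This is an added example, not from the article; it assumes the Microsoft.Graph modules are installed and uses a placeholder group ID. It starts the policy in report-only mode, which is the practical way to find clients that would fail the note above (limited passwordless without Windows Hello for Business) before anyone is locked out.

```powershell
# Added example (not from the article): report-only Conditional Access policy
# requiring phishing-resistant MFA for Azure Windows VM RDP sign-ins.
# Assumes the Microsoft Graph PowerShell SDK; the group ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$VmSignInAppId = '372140e0-b3b7-4226-8ef9-d57986796201'  # Microsoft Azure Windows Virtual Machine Sign-in
$TargetGroupId = '<group-object-id>'                       # placeholder: group of users allowed to RDP

# Resolve the built-in strength by name rather than hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw 'Built-in authentication strength "Phishing-resistant MFA" not found' }

$policy = @{
    displayName = 'Require phishing-resistant MFA for Azure Windows VM sign-in'
    state       = 'enabledForReportingButNotEnforced'  # report-only first; switch to 'enabled' after review
    conditions  = @{
        applications   = @{ includeApplications = @($VmSignInAppId) }
        users          = @{ includeGroups = @($TargetGroupId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the sign-in logs for this policy while it is in report-only mode; RDP attempts from clients that can only present a password show up as would-fail, which is exactly the population that needs Windows Hello for Business or the passwordless web account flow before the state is changed to enabled.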
Use Azure Policy to meet standards and assess compliance
Use Azure Policy to:
- Ensure that Microsoft Entra login is enabled for your new and existing Windows virtual machines.
- Assess compliance of your environment at scale on a compliance dashboard.
With this capability, you can use many levels of enforcement. You can flag new and existing Windows VMs within your environment that don't have Microsoft Entra login enabled. You can also use Azure Policy to deploy the Microsoft Entra extension on new Windows VMs that don't have Microsoft Entra login enabled, and remediate existing Windows VMs to the same standard.
In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review Azure Policy.
Troubleshoot deployment problems
The AADLoginForWindows extension must be installed successfully for the VM to complete the Microsoft Entra join process. If the VM extension fails to be installed correctly, perform the following steps:
RDP to the VM by using the local administrator account and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.
Note
If the extension restarts after the initial failure, the log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log.
Open a PowerShell window on the VM. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the Azure host return the expected output:
- curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
  Expected output: correct information about the Azure VM.
- curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"
  Expected output: a valid tenant ID associated with the Azure subscription.
- curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"
  Expected output: a valid access token issued by Microsoft Entra ID for the managed identity that is assigned to this VM.
Note
You can decode the access token by using a tool like https://jwt.ms/. Verify that the oid value in the access token matches the managed identity that's assigned to the VM.
Ensure that the required endpoints are accessible from the VM via PowerShell:
curl.exe https://login.microsoftonline.com/ -D -
curl.exe https://login.microsoftonline.com/<TenantID>/ -D -
curl.exe https://enterpriseregistration.windows.net/ -D -
curl.exe https://device.login.microsoftonline.com/ -D -
curl.exe https://pas.windows.net/ -D -
Note
Replace <TenantID> with the Microsoft Entra tenant ID that's associated with the Azure subscription. login.microsoftonline.com/<TenantID>, enterpriseregistration.windows.net, and pas.windows.net should return 404 Not Found, which is expected behavior.
View the device state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES.
Note
Microsoft Entra join activity is captured in Event Viewer under the User Device Registration\Admin log at Event Viewer (local)\Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin.
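The checks in this section, run in one pass from an elevated PowerShell window on the VM. This is an added example, not from the article: it uses curl.exe as the article does (so the Instance Metadata Service call is not routed through a proxy), decodes the token locally instead of pasting it into jwt.ms, and the ConvertFrom-JwtPayload helper is ours. The decode reads the claims only; it does not validate the signature, which is fine for diagnostics but is not an authentication check.

```powershell
# Added example (not from the article): extension-deployment diagnostics for a
# Microsoft Entra joined Windows VM, run from an elevated PowerShell window on the VM.
$Imds     = 'http://169.254.169.254/metadata'
$Resource = 'urn:ms-drs:enterpriseregistration.windows.net'

function ConvertFrom-JwtPayload {
    # Decodes the middle (claims) segment of a JWT. Diagnostics only: no signature check.
    param([Parameter(Mandatory)][string]$Token)
    $b64 = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# 1. IMDS must answer, and identity/info must report the tenant the managed identity belongs to.
$instance = curl.exe -s -H 'Metadata:true' "$Imds/instance?api-version=2017-08-01" | ConvertFrom-Json
$info     = curl.exe -s -H 'Metadata:true' "$Imds/identity/info?api-version=2018-02-01" | ConvertFrom-Json
"VM: $($instance.compute.name)   tenantId from IMDS: $($info.tenantId)"

# 2. A token for the device-registration resource must be issued. Its tid must match
#    the IMDS tenant; its oid is the identity to compare with the VM's principalId
#    (az vm show --query identity.principalId) as the note above describes.
$tokenJson = curl.exe -s -H 'Metadata:true' "$Imds/identity/oauth2/token?resource=$Resource&api-version=2018-02-01"
$token = $tokenJson | ConvertFrom-Json
if (-not $token.access_token) {
    Write-Warning "No access token from IMDS (is system-assigned managed identity enabled?): $tokenJson"
} else {
    $claims = ConvertFrom-JwtPayload $token.access_token
    "token aud=$($claims.aud)  tid=$($claims.tid)  oid=$($claims.oid)"
    if ($claims.tid -ne $info.tenantId) { Write-Warning 'Token tid does not match the IMDS tenantId' }
}

# 3. Outbound HTTPS to the join endpoints. 404 (and a 401 from pas.windows.net) are
#    acceptable; 000 means no connection at all (DNS or firewall), so show DNS resolution.
$endpoints = @('https://login.microsoftonline.com/',
               "https://login.microsoftonline.com/$($info.tenantId)/",
               'https://enterpriseregistration.windows.net/',
               'https://device.login.microsoftonline.com/',
               'https://pas.windows.net/')
foreach ($url in $endpoints) {
    $code = curl.exe -s -o NUL -w '%{http_code}' --max-time 15 $url
    '{0,-4} {1}' -f $code, $url
    if ($code -notmatch '^(200|30[0-9]|40[0-9])$') {
        Resolve-DnsName ([Uri]$url).Host -ErrorAction SilentlyContinue | Format-Table -AutoSize
    }
}

# 4. Device state: AzureAdJoined : YES is the goal for the join; AzureAdPrt matters for sign-in.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|AzureAdPrt|TenantId|DeviceId'
```

A tid mismatch or an empty token points at the managed identity (the exit code -2145648574 case below); a 000 status on enterpriseregistration.windows.net points at network egress (the exit code -2145648607 case), and the Resolve-DnsName output shows whether the name is resolving at all.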
If the AADLoginForWindows extension fails with an error code, you can perform the following steps.
Terminal error code 1007 and exit code -2145648574.
Terminal error code 1007 and exit code -2145648574 translate to DSREG_E_MSI_TENANTID_UNAVAILABLE. The extension can't query the Microsoft Entra tenant information.
Connect to the VM as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service. Run the following command from an elevated PowerShell window on the VM:
curl -H Metadata:true http://169.254.169.254/metadata/identity/info?api-version=2018-02-01
This problem can also happen when the VM admin attempts to install the AADLoginForWindows extension, but a system-assigned managed identity hasn't enabled the VM first. In that case, go to the Identity pane of the VM. On the System assigned tab, verify that the Status toggle is set to On.
Exit code -2145648607
Exit code -2145648607 translates to DSREG_AUTOJOIN_DISC_FAILED. The extension can't reach the https://enterpriseregistration.windows.net endpoint.
Verify that the required endpoints are accessible from the VM via PowerShell:
curl https://login.microsoftonline.com/ -D -
curl https://login.microsoftonline.com/<TenantID>/ -D -
curl https://enterpriseregistration.windows.net/ -D -
curl https://device.login.microsoftonline.com/ -D -
curl https://pas.windows.net/ -D -
Note
Replace <TenantID> with the Microsoft Entra tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select Identity > Overview > Properties > Tenant ID. Attempts to connect to enterpriseregistration.windows.net might return 404 Not Found, which is expected behavior. Attempts to connect to pas.windows.net might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.
If any of the commands fails with "Could not resolve host <URL>," try running this command to determine which DNS server the VM is using:
nslookup <URL>
Note
Replace <URL> with the fully qualified domain names that the endpoints use, such as login.microsoftonline.com.
See whether specifying a public DNS server allows the command to succeed:
nslookup <URL> 208.67.222.222
If necessary, change the DNS server that's assigned to the network security group that the Azure VM belongs to.
Exit code 51
Exit code 51 translates to "This extension is not supported on the VM's operating system."
The AADLoginForWindows extension is intended to be installed only on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure that your version or build of Windows is supported. If it isn't supported, uninstall the extension.
Troubleshoot sign-in problems
Use the following information to correct sign-in problems.
You can view the device and single sign-on (SSO) state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.
RDP sign-in via Microsoft Entra accounts is captured in Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational event logs.
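A triage query over the two logs this article names (the AAD Operational log here and the User Device Registration Admin log in the deployment section), so a failed RDP sign-in or join can be matched to its event before working through the cases below. This is an added example, not from the article; the function name is ours, and the Get-WinEvent log names are the channel names assumed to correspond to the Event Viewer paths given in the text.

```powershell
# Added example (not from the article): list recent warnings and errors from the
# Microsoft Entra sign-in and device-registration logs on the VM.
function Get-EntraVmLoginIssues {
    param([int]$Hours = 24)
    # Channel names assumed from the Event Viewer paths in the article.
    $logs = @('Microsoft-Windows-AAD/Operational',                 # RDP sign-in via Microsoft Entra accounts
              'Microsoft-Windows-User Device Registration/Admin')  # Microsoft Entra join activity
    foreach ($log in $logs) {
        # Level 2 = Error, 3 = Warning; SilentlyContinue covers the "no events found" case.
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 2, 3
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
    }
}

Get-EntraVmLoginIssues -Hours 24 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Only the first line of each message is shown to keep the table readable; pipe a specific event through Format-List to see the full text, which for sign-in failures carries the error the RDP client reports.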
Azure role not assigned
You might get the following error message when you initiate a remote desktop connection to your VM: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."
Verify that you've configured Azure RBAC policies for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.
Note
If you're having problems with Azure role assignments, see Troubleshoot Azure RBAC.
Unauthorized client or password change required
You might get the following error message when you initiate a remote desktop connection to your VM: "Your credentials did not work."
Try these solutions:
The Windows 10 or later PC that you're using to initiate the remote desktop connection must be Microsoft Entra joined, or Microsoft Entra hybrid joined to the same Microsoft Entra directory. For more information about device identity, see the article What is a device identity?.
Note
Windows 10 Build 20H1 added support for a Microsoft Entra registered PC to initiate an RDP connection to your VM. When you're using a PC that's Microsoft Entra registered (not Microsoft Entra joined or Microsoft Entra hybrid joined) as the RDP client to initiate connections to your VM, you must enter credentials in the format AzureAD\UPN (for example, AzureAD\john@contoso.com).
Verify that the AADLoginForWindows extension wasn't uninstalled after the Microsoft Entra join finished.
Also, make sure that the security policy Network security: Allow PKU2U authentication requests to this computer to use online identities is enabled on both the server and the client.
Verify that the user doesn't have a temporary password. Temporary passwords can't be used to sign in to a remote desktop connection.
Sign in with the user account in a web browser. For instance, sign in to the Azure portal in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.
MFA sign-in method required
You might see the following error message when you initiate a remote desktop connection to your VM: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."
If you've configured a Conditional Access policy that requires MFA or legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you see the error.
Another MFA-related error message is the one described previously: "Your credentials did not work."
If you've configured a legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication setting and you see the error above, you can resolve the problem by removing the per-user MFA setting. For more information, see the article Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.
If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Microsoft Azure Windows Virtual Machine Sign-in app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see Windows Hello for Business overview.
Note
Windows Hello for Business PIN authentication with RDP has been supported for several versions of Windows 10. Support for biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business authentication during RDP is available for deployments that use a certificate trust model or key trust model.
Share your feedback about this feature or report problems with using it on the Microsoft Entra feedback forum.
Missing application
If the Microsoft Azure Windows Virtual Machine Sign-in application is missing from Conditional Access, make sure that the application is in the tenant:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications.
- Remove the filters to see all applications, and search for VM. If you don't see Microsoft Azure Windows Virtual Machine Sign-in as a result, the service principal is missing from the tenant.
Tip
Some tenants might see the application named Azure Windows VM Sign-in instead of Microsoft Azure Windows Virtual Machine Sign-in. The application will have the same Application ID of 372140e0-b3b7-4226-8ef9-d57986796201.
Next steps
For more information about Microsoft Entra ID, see What is Microsoft Entra ID?.