Sign in to an Azure Arc-enabled server using Microsoft Entra ID and Azure Roles Based Access Control

Organizations can improve the security of on-premises Azure Arc-enabled servers by integrating with Microsoft Entra authentication. You can now use Microsoft Entra ID as the core authentication platform to connect over Remote Desktop Protocol (RDP) to Windows Server 2025 or later and Windows 11 24H2 or later. You can then centrally control and enforce Azure role-based access control policies that allow or deny access to the servers.

This article shows you how to create and configure an Azure Arc-enabled Windows Server and sign in by using Microsoft Entra ID-based authentication.

There are many security benefits of using Microsoft Entra ID-based authentication to sign in to Windows Server machines connected using Azure Arc. They include:

  • Use Microsoft Entra authentication, including passwordless methods, to sign in to Windows Server machines and reduce reliance on local administrator accounts.
  • Password complexity and password lifetime policies that you configure for Microsoft Entra ID also help secure Windows Server machines.
  • Use Azure role-based access control:
    • Specify who can sign in as a regular user or with administrator privileges through the Virtual Machine Administrator Login and Virtual Machine User Login roles.
    • When users join or leave your team, you can update Azure role-based access control policy to grant access as appropriate.
    • When employees leave your organization and their user accounts are disabled or removed from Microsoft Entra ID, they no longer have access to your resources.
  • Use Azure Policy to deploy and audit policies to require Microsoft Entra sign in for Windows Server machines and to flag the use of unapproved local accounts on the machines.
  • Support for passwordless authentication methods and password-based authentication depending on your security requirements and Windows Server version.

Important

After you enable this capability, your Arc-enabled machine is Microsoft Entra joined. You can't join it to another domain, like on-premises Active Directory or Microsoft Entra Domain Services. If you need to do so, disconnect the device from Microsoft Entra by uninstalling the extension. In addition, if you deploy a supported golden image, you can enable Microsoft Entra ID authentication by installing the extension. Conditional Access isn't supported with Windows Server with the Microsoft Entra join extension in Azure Arc-enabled servers.

Requirements

Supported Azure regions and Windows distributions

This feature currently supports the following Windows Server distributions:

  • Windows 11 24H2 or later installed.
  • Windows Server 2025 or later installed with Desktop Experience.

This feature is now available in Microsoft Azure operated by 21Vianet.

Note

CIS hardened images support Microsoft Entra ID authentication for Microsoft Windows Enterprise and Microsoft Windows Server offerings. For more information, see: CIS Hardened Images on Microsoft Windows Enterprise.

Network requirements

To enable Microsoft Entra authentication for Arc-enabled Windows Servers, you need to ensure that your network configuration permits outbound access to the following endpoints over TCP port 443.

Microsoft Azure operated by 21Vianet:

  • https://enterpriseregistration.partner.microsoftonline.cn: Device registration.

  • http://localhost:40342: Arc Instance Metadata Service endpoint.

  • https://login.chinacloudapi.cn: Authentication flows.

  • https://pas.chinacloudapi.cn: Azure role-based access control flows.

More network requirements are provided in the Arc-connected server documentation.

Authentication requirements

To successfully authenticate and sign in to an Azure Arc-enabled Windows Server using Microsoft Entra ID, the following requirements must be met:

  • User account type: Only standard Microsoft Entra user accounts from the same tenant as the Azure Arc-enabled server are supported. Guest accounts (B2B users) cannot be used for authentication.

  • Role assignments: Users must be assigned one of the following Azure roles:

    • Virtual Machine Administrator Login: Grants administrator privileges on the server.
    • Virtual Machine User Login: Grants standard user privileges on the server.

      Note

      Manually elevating a user to local administrator on the device, either by adding the user as a member of the local Administrators group or by running the net localgroup administrators /add "AzureAD\UserUpn" command, isn't supported. You need to use roles in Azure to authorize sign in.

Note

An Azure user who has the Owner or Contributor role assigned doesn't automatically have privileges to sign in to devices. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

  • Authentication methods: The following authentication methods are supported:

    • Password-based authentication: Users on Microsoft Entra registered devices must use the AzureAD\UPN format (for example, AzureAD\john@contoso.com).
  • Client device requirements: The device initiating the RDP connection must be:

    • Microsoft Entra joined to the same directory as the Arc-enabled server, or
    • Microsoft Entra hybrid joined to the same directory, or
    • Microsoft Entra registered (Windows 10 20H1 or later) to the same directory.
  • Password restrictions: Temporary passwords cannot be used for remote desktop connections. Users with temporary passwords must change their password through another method (such as the Azure portal) before attempting to connect.

Enable Microsoft Entra sign in for an Arc-enabled Windows Server

To use Microsoft Entra sign in for an Arc-enabled Windows Server, you must:

  1. Enable the Microsoft Entra sign in extension for the device.
  2. Configure Azure role assignments for users.

Enable Microsoft Entra sign in extension

For Arc-enabled Windows Server how-tos and further examples, see: Arc-enabled Windows Server.

You must enable a system-assigned managed identity on your Arc-enabled Windows Server before you install the Microsoft Entra sign in virtual machine extension. Managed Identities are stored in a single Microsoft Entra tenant, and currently don't support cross directory scenarios.

The following sample demonstrates an Azure template for Arc-enabled Windows Server extensions:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('vmName'),'/AADLogin')]",
      "type": "Microsoft.HybridCompute/machines/extensions",
      "location": "[parameters('location')]",
      "apiVersion": "2024-07-10",
      "properties": {
        "publisher": "Microsoft.Azure.ActiveDirectory",
        "type": "AADLoginForWindows",
        "typeHandlerVersion": "2.1.0.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "mdmId": ""
        }
      }
    }
  ]
}

Note

The Microsoft Entra sign in extension for Arc-enabled Windows Server requires the mdmId property nested within settings. The value of the property can be left as an empty string.

After the extension is installed on the device, provisioningState shows Succeeded.

Configure role assignments

A user account in Microsoft Entra must be added to a role assignment in Azure before the user is allowed to sign in to an Arc-connected Windows Server.

Step-by-step details for adding user accounts to role assignments in Azure are provided in the Azure role-based access control documentation.
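The two steps above (deploy the extension, then assign the role) as one Az PowerShell script, added here as an example and not taken from the page. It assumes the Az.Resources and Az.ConnectedMachine modules, a session already opened with Connect-AzAccount -Environment AzureChinaCloud, and that the template shown above is saved as .\aadlogin.json; the resource group, machine, location and user names are placeholders.

```powershell
# Added example (not from the Microsoft Learn page). Deploys the AADLogin template shown on
# the page, waits until the extension itself reports Succeeded, then grants sign-in rights
# scoped to the single machine. Placeholder names throughout; the template is assumed to be
# saved as .\aadlogin.json and an Az session already opened against AzureChinaCloud.
param(
    [string]$ResourceGroupName = 'rg-arc-servers',
    [string]$MachineName       = 'arc-srv-01',
    [string]$Location          = 'chinanorth3',
    [string]$UserUpn           = 'john@contoso.com',
    [ValidateSet('Virtual Machine User Login', 'Virtual Machine Administrator Login')]
    [string]$Role              = 'Virtual Machine User Login'
)

# 1. Deploy the extension resource from the template (publisher Microsoft.Azure.ActiveDirectory,
#    type AADLoginForWindows, settings.mdmId = "" as the note above requires).
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile '.\aadlogin.json' `
    -TemplateParameterObject @{ vmName = $MachineName; location = $Location }
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Template deployment ended in state '$($deployment.ProvisioningState)'"
}

# 2. The deployment can finish while the agent is still installing the extension on the
#    machine, so poll the extension resource until provisioningState is Succeeded.
do {
    $ext = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName `
        -MachineName $MachineName -Name 'AADLogin'
    if ($ext.ProvisioningState -in @('Creating', 'Updating')) { Start-Sleep -Seconds 15 }
} while ($ext.ProvisioningState -in @('Creating', 'Updating'))
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "AADLogin extension is in state '$($ext.ProvisioningState)'; check CommandExecution.log on the machine"
}

# 3. Assign the sign-in role on the machine's own resource ID. Owner or Contributor on the
#    machine does not grant sign-in, and an assignment at resource-group or subscription
#    scope would grant RDP to every Arc-enabled machine beneath it.
$machine  = Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName -Name $MachineName
$existing = Get-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $Role -Scope $machine.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $Role -Scope $machine.Id | Out-Null
}

# Show who can now sign in to this machine (direct and inherited assignments).
Get-AzRoleAssignment -Scope $machine.Id |
    Where-Object RoleDefinitionName -like 'Virtual Machine * Login' |
    Select-Object SignInName, RoleDefinitionName, Scope
```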

Sign in by using Microsoft Entra credentials to an Arc-enabled Windows Server

You can sign in over RDP using one of two methods:

  • Passwordless using any of the supported Microsoft Entra credentials (recommended)
  • Password/passwordless using Windows Hello for Business deployed using certificate trust model

Sign in using passwordless authentication with Microsoft Entra ID

To use passwordless authentication for your Arc-enabled Windows Servers, the server must be running Windows Server 2025 or later.

Note

When using the web account to sign in to the remote computer option, there is no requirement for the local device to be joined to a domain or Microsoft Entra ID.

To connect to the remote computer:

  • Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
  • Select the Use a web account to sign in to the remote computer option on the Advanced tab. This option is equivalent to the enablerdsaadauth RDP property. For more information, see Supported RDP properties with Remote Desktop Services.
  • Specify the name of the remote computer and select Connect.

Important

An IP address can't be used with the Use a web account to sign in to the remote computer option. The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.

  • When prompted for credentials, specify your user name in user@domain.com format.
  • You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialog, select Yes to connect.

Note

The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user. Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable Conditional Access policies.

Sign in using password/passwordless authentication with Microsoft Entra ID

Password-based authentication is supported to sign in to Arc-enabled Windows Servers.

Important

Remote connection to Arc-enabled servers that are joined to Microsoft Entra ID is allowed only from client devices that are either Microsoft Entra registered or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the server. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login, or Virtual Machine User Login.

If you're using a Microsoft Entra registered client device, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com). At this time, you can use Azure Bastion to sign in with Microsoft Entra authentication via the Azure CLI and the native RDP client mstsc.

To sign in to your Arc-enabled Windows Server by using Microsoft Entra ID:

  1. Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
  2. Specify the name of the Arc-enabled server and select Connect.
  3. When prompted, enter your credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com).
  4. Sign in by using your Microsoft Entra credentials.

You're now signed in to the Arc-enabled Windows Server with the role permissions as assigned, such as VM User or VM Administrator.

Use Azure Policy to meet standards and assess compliance

Use Azure Policy to:

  • Ensure that Microsoft Entra sign in is enabled for your new and existing Arc-enabled Windows Servers.
  • Assess compliance of your environment at scale on a compliance dashboard.

With this capability, you can use many levels of enforcement. You can flag new and existing Arc-enabled Windows Servers within your environment that don't have Microsoft Entra sign in enabled. You can also use Azure Policy to deploy the Microsoft Entra extension to the Arc-enabled Windows Server.

In addition to these capabilities, you can use Azure Policy to detect and flag Windows machines that have unapproved local accounts created on their devices. To learn more, review Azure Policy.

Troubleshoot deployment problems

The AADLoginForWindows extension must be installed successfully for the device to complete the Microsoft Entra join process. If the extension fails to be installed correctly, perform the following steps:

  1. Connect to the device and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.

    If the extension restarts after the initial failure, the log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log.

  2. Open a PowerShell window on the device. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the host return the expected output:

    For Arc-enabled Windows Servers, run each command and compare the result with the expected output:

      • curl.exe -H Metadata:true "http://localhost:40342/metadata/instance?api-version=2017-08-01"
        Expected output: correct information about the Azure Arc-enabled Windows Server.
      • curl.exe -H Metadata:true "http://localhost:40342/metadata/identity/info?api-version=2018-02-01"
        Expected output: the valid tenant ID associated with the Azure subscription.
      • curl.exe -H Metadata:true "http://localhost:40342/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn&api-version=2018-02-01"
        Expected output: a valid access token issued by Microsoft Entra ID for the managed identity that is assigned to this Azure Arc-enabled Windows Server.

    You can decode the access token by using a tool like https://jwt.ms/. Verify that the oid value in the access token matches the managed identity of the device.

  3. Ensure that the required endpoints are accessible from the device via PowerShell:

    • curl.exe https://login.partner.microsoftonline.cn/ -D -
    • curl.exe https://login.partner.microsoftonline.cn/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.partner.microsoftonline.cn/ -D -
    • curl.exe https://device.login.partner.microsoftonline.cn/ -D -
    • curl.exe https://pas.chinacloudapi.cn/ -D -

    Replace <TenantID> with the Microsoft Entra tenant ID associated with the Azure subscription. login.partner.microsoftonline.cn/<TenantID>, enterpriseregistration.partner.microsoftonline.cn, and pas.chinacloudapi.cn should return 404 Not Found, which is expected behavior.

  4. View the device state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES.

    Microsoft Entra join activity is captured in Event Viewer under the User Device Registration\Admin log at Event Viewer (local)\Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin.
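Steps 2 and 3 above as one script, added here as an example rather than taken from the page: it queries the Arc Instance Metadata Service, requests the token for the device-registration resource, decodes the JWT locally instead of pasting it into a web tool, compares its tid and oid claims with the tenant ID IMDS reports and with the managed identity's object ID from the machine's Identity pane, and probes the required endpoints. It assumes the identity/info response carries a tenantId field and that the Arc agent may answer the first token request with a 401 challenge naming a local key file that only administrators can read; both the direct-token case shown on the page and the challenge case are handled.

```powershell
# Added example (not from the Microsoft Learn page). Run in an elevated PowerShell window on
# the Arc-enabled server. $ExpectedOid is the managed identity's object ID from the machine's
# Identity pane. Assumed: identity/info returns a "tenantId" field; the agent may return a 401
# challenge whose Www-Authenticate header names an admin-only key file (handled below).
param([Parameter(Mandatory)][string]$ExpectedOid)

$Imds     = 'http://localhost:40342/metadata'
$Resource = 'urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn'

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # header.payload.signature; the payload is base64url without padding. This only decodes
    # the claims for inspection, it does not validate the signature.
    $p = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p = $p.PadRight($p.Length + ((4 - $p.Length % 4) % 4), '=')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

function Get-ArcManagedIdentityToken {
    param([Parameter(Mandatory)][string]$Resource)
    $url  = "$Imds/identity/oauth2/token?resource=$Resource&api-version=2018-02-01"
    $hdrs = @('-H', 'Metadata:true')
    # Probe with response headers (-i): either the token comes back directly, as the page's
    # curl.exe command shows, or the agent answers 401 and names its key file.
    $probe     = curl.exe -s -i @hdrs $url
    $challenge = $probe | Select-String -Pattern 'Www-Authenticate:\s*Basic realm=(.+)' | Select-Object -First 1
    if ($challenge) {
        $keyFile = $challenge.Matches[0].Groups[1].Value.Trim()
        $secret  = (Get-Content -Raw -Path $keyFile).Trim()
        $hdrs   += @('-H', "Authorization: Basic $secret")
    }
    (curl.exe -s @hdrs $url | ConvertFrom-Json).access_token
}

function Test-EntraEndpoint {
    param([Parameter(Mandatory)][string]$TenantId)
    $urls = @("https://login.partner.microsoftonline.cn/",
              "https://login.partner.microsoftonline.cn/$TenantId/",
              "https://enterpriseregistration.partner.microsoftonline.cn/",
              "https://device.login.partner.microsoftonline.cn/",
              "https://pas.chinacloudapi.cn/")
    foreach ($u in $urls) {
        # Only reachability matters: 200 and 404 are both fine (the page expects 404 from
        # several of these); 000 means curl never got an HTTP answer (DNS, proxy, firewall).
        $code = curl.exe -s -o NUL -w '%{http_code}' --max-time 15 $u
        [pscustomobject]@{ Endpoint = $u; HttpStatus = $code; Reachable = ($code -ne '000') }
    }
}

# Step 2: tenant from IMDS, token for the device-registration resource, claim checks.
$info   = curl.exe -s -H 'Metadata:true' "$Imds/identity/info?api-version=2018-02-01" | ConvertFrom-Json
$claims = ConvertFrom-JwtPayload (Get-ArcManagedIdentityToken -Resource $Resource)
[pscustomobject]@{
    ImdsTenantId   = $info.tenantId
    TokenTenantId  = $claims.tid
    TenantMatches  = ($claims.tid -eq $info.tenantId)
    TokenOid       = $claims.oid
    OidMatches     = ($claims.oid -eq $ExpectedOid)
    TokenExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).LocalDateTime
} | Format-List

# Step 3: endpoint reachability, using the tenant ID IMDS just returned.
Test-EntraEndpoint -TenantId $info.tenantId | Format-Table -AutoSize
```

A mismatch in OidMatches means the token was issued for a different identity than the one shown in the portal, which is the same condition the page has you check by hand on jwt.ms.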

If the AADLoginForWindows extension fails with an error code, you can perform the following steps.

Terminal error code 1007 and exit code -2145648574

Terminal error code 1007 and exit code -2145648574 translate to DSREG_E_MSI_TENANTID_UNAVAILABLE. The extension can't query the Microsoft Entra tenant information.

Connect to the device as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service. Run the following command from an elevated PowerShell window on the device:

curl.exe -H Metadata:true "http://localhost:40342/metadata/identity/info?api-version=2018-02-01"

This problem can also happen when the admin attempts to install the AADLoginForWindows extension, but the device doesn't have a system-assigned managed identity. In that case, go to the Identity pane of the device. On the System assigned tab, verify that the Status toggle is set to On.

Exit code -2145648607

Exit code -2145648607 translates to DSREG_AUTOJOIN_DISC_FAILED. The extension can't reach the https://enterpriseregistration.partner.microsoftonline.cn endpoint.

  1. Verify that the required endpoints are accessible from the device via PowerShell:

    • curl.exe https://login.partner.microsoftonline.cn/ -D -
    • curl.exe https://login.partner.microsoftonline.cn/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.partner.microsoftonline.cn/ -D -
    • curl.exe https://device.login.partner.microsoftonline.cn/ -D -
    • curl.exe https://pas.chinacloudapi.cn/ -D -

    Replace <TenantID> with the Microsoft Entra tenant ID of the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select Entra ID > Overview > Properties > Tenant ID.

    Attempts to connect to enterpriseregistration.partner.microsoftonline.cn might return 404 Not Found, which is expected behavior. Attempts to connect to pas.chinacloudapi.cn might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.

  2. If any of the commands fail with "Couldn't resolve host <URL>," try running this command to determine which DNS server Windows is using:

    nslookup <URL>

    Replace <URL> with the fully qualified domain names that the endpoints use, such as login.partner.microsoftonline.cn.

  3. See whether specifying a public DNS server allows the command to succeed:

    nslookup <URL> 208.67.222.222

  4. If necessary, change the DNS server assigned to the network security group that the device belongs to.

Exit code 51

Exit code 51 translates to "This extension isn't supported on this operating system."

The AADLoginForWindows extension is intended to be installed only on Arc-enabled machines running Windows Server 2025 or Windows 11 24H2. Ensure that your version of Windows is supported. If it isn't supported, uninstall the extension.

Troubleshoot sign-in problems

Use the following information to correct sign-in problems.

You can view the device and single sign-on (SSO) state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.

RDP sign-in via Microsoft Entra accounts is captured in Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational event logs.

Azure role not assigned

You might get the following error message when you initiate a remote desktop connection to your device: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."

Verify the Azure role-based access control policies that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.

If you're having problems with Azure role assignments, see Troubleshoot Azure role-based access control.

Unauthorized client or password change required

You might get the following error message when you initiate a remote desktop connection to your device: "Your credentials didn't work."

Try these solutions:

  • The client device that you're using to initiate the remote desktop connection must be Microsoft Entra joined, or Microsoft Entra hybrid joined to the same Microsoft Entra directory. For more information about device identity, see the article What is a device identity?.

    A Microsoft Entra registered client device is also supported to initiate an RDP connection to your Arc-enabled Windows Server. When you're using a client device that's Microsoft Entra registered (not Microsoft Entra joined or Microsoft Entra hybrid joined) as the RDP client to initiate connections to your server, you must enter credentials in the format AzureAD\UPN (for example, AzureAD\john@contoso.com).

    Verify that the AADLoginForWindows extension wasn't uninstalled after the Microsoft Entra join finished.

    Also, make sure that the security policy Network security: Allow PKU2U authentication requests to this computer to use online identities is enabled on both the server and the client.

  • Verify that the user doesn't have a temporary password. Temporary passwords can't be used to sign in to a remote desktop connection.

    Sign in with the user account in a web browser. For instance, sign in to the Azure portal in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.

MFA sign-in method required

You might see the following error message when you initiate a remote desktop connection to your device: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."

If you configure a Conditional Access policy that requires MFA, you need to ensure that the device initiating the connection uses strong authentication such as Windows Hello.

Another MFA-related error message is the one described previously: "Your credentials didn't work."

If you configure a legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication setting and you see the error, you can resolve the problem by removing the per-user MFA setting. For more information, see the article Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.

If Windows Hello for Business isn't an option, configure a Conditional Access policy that excludes the Azure Windows Virtual Machine Sign-in app. To learn more about Windows Hello for Business, see Windows Hello for Business overview.

Support for biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business authentication during RDP is available for deployments that use a certificate trust model or key trust model.

Share your feedback about this feature or report problems with using it on the Microsoft Entra feedback forum.

Next steps

For more information about Microsoft Entra ID, see What is Microsoft Entra ID?.