Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID including passwordless

Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform to Remote Desktop Protocol (RDP) into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.

This article shows you how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication.

There are many security benefits of using Microsoft Entra ID-based authentication to sign in to Windows VMs in Azure. They include:

  • Use Microsoft Entra authentication including passwordless to sign in to Windows VMs in Azure.

  • Reduce reliance on local administrator accounts.

  • Password complexity and password lifetime policies that you configure for Microsoft Entra ID also help secure Windows VMs.

  • With Azure RBAC:

    • Specify who can sign in to a VM as a regular user or with administrator privileges.
    • When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate.
    • When employees leave your organization and their user accounts are disabled or removed from Microsoft Entra ID, they no longer have access to your resources.
  • Use Azure Policy to deploy and audit policies to require Microsoft Entra login for Windows VMs and to flag the use of unapproved local accounts on the VMs.

  • Use Intune to automate and scale Microsoft Entra join with mobile device management (MDM) autoenrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.

    MDM autoenrollment requires Microsoft Entra ID P1 licenses. Windows Server VMs don't support MDM enrollment.

Note

After you enable this capability, your Windows VMs in Azure will be Microsoft Entra joined. You cannot join them to another domain, like on-premises Active Directory or Microsoft Entra Domain Services. If you need to do so, disconnect the VM from Microsoft Entra ID by uninstalling the extension.

Requirements

Supported Azure regions and Windows distributions

This feature currently supports the following Windows distributions:

  • Windows Server 2019 Datacenter and later
  • Windows 10 1809 and later
  • Windows 11 21H2 and later

This feature is now available in the following Azure clouds:

  • Azure Global
  • Azure Government
  • Microsoft Azure operated by 21Vianet

Network requirements

To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints. The Microsoft Entra endpoints are reached over TCP port 443; the Azure Instance Metadata Service is a link-local, plain-HTTP endpoint (169.254.169.254, port 80) that must be reached directly from the VM, not through a proxy.

Microsoft Azure operated by 21Vianet:

  • https://enterpriseregistration.partner.microsoftonline.cn: For device registration.
  • http://169.254.169.254: Azure Instance Metadata Service endpoint.
  • https://login.chinacloudapi.cn: For authentication flows.
  • https://pas.chinacloudapi.cn: For Azure RBAC flows.

Authentication requirements

Microsoft Entra Guest accounts can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.

Enable Microsoft Entra login for a Windows VM in Azure

To use Microsoft Entra login for a Windows VM in Azure, you must:

  1. Enable the Microsoft Entra login option for the VM.
  2. Configure Azure role assignments for users who are authorized to sign in to the VM.

There are two ways to enable Microsoft Entra login for your Windows VM:

  • The Azure portal, when you're creating a Windows VM.
  • Azure CLI, when you're creating a Windows VM or using an existing Windows VM.

Note

If a device object with the same displayName as the hostname of a VM where an extension is installed exists, the VM fails to join Microsoft Entra ID with a hostname duplication error. Avoid duplication by modifying the hostname.

Azure portal

You can enable Microsoft Entra login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.

To create a Windows Server 2019 Datacenter VM in Azure with Microsoft Entra login:

  1. Sign in to the Azure portal by using an account that has access to create VMs, and select + Create a resource.

  2. In the Search the Marketplace search bar, type Windows Server.

  3. Select Windows Server, and then choose Windows Server 2019 Datacenter from the Select a software plan dropdown list.

  4. Select Create.

  5. On the Management tab, select the Login with Microsoft Entra ID checkbox in the Microsoft Entra ID section.

    Screenshot that shows the Management tab on the Azure portal page for creating a virtual machine.

  6. Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Microsoft Entra ID.

  7. Go through the rest of the experience of creating a virtual machine. You have to create an administrator username and password for the VM.

Note

To sign in to the VM by using your Microsoft Entra credentials, you first need to configure role assignments for the VM.

Using the Azure CLI to enable Microsoft Entra login

This article requires you to run Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article Install the Azure CLI.

  1. Create a resource group by running az group create.
  2. Create a VM by running az vm create. Use a supported distribution in a supported region.
  3. Install the Microsoft Entra login VM extension.

The following example deploys a VM named myVM (that uses Win2019Datacenter) into a resource group named myResourceGroup, in the chinanorth region. In this example and the next one, you can provide your own resource group and VM names as needed.

az group create --name myResourceGroup --location chinanorth

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image Win2019Datacenter \
    --assign-identity \
    --admin-username azureuser \
    --admin-password yourpassword

Note

You must enable system-assigned managed identity on your virtual machine before you install the Microsoft Entra login VM extension. Managed Identities are stored in a single Microsoft Entra tenant and currently do not support cross directory scenarios.

It takes a few minutes to create the VM and supporting resources.

Finally, install the Microsoft Entra login VM extension to enable Microsoft Entra login for Windows VMs. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure Virtual Machines. The same command works on an existing Windows Server 2019 or Windows 10 1809 and later VM, as long as system-assigned managed identity is already enabled on it. Use az vm extension set to install the AADLoginForWindows extension on the VM named myVM in the myResourceGroup resource group:

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group myResourceGroup \
    --vm-name myVM

After the extension is installed on the VM, provisioningState shows Succeeded.

Configure role assignments for the VM

Now that you've created the VM, you need to assign one of the following Azure roles to determine who can sign in to the VM. To assign these roles, you must have the Virtual Machine Data Access Administrator role, or any role that includes the Microsoft.Authorization/roleAssignments/write action such as the Role Based Access Control Administrator role.

  • Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.

To allow a user to sign in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the Virtual Machine resource.

Note

Manually elevating a user to local administrator on the VM, either by adding the user to the local Administrators group or by running the command net localgroup administrators /add "AzureAD\UserUpn", isn't supported. Use the Azure roles above to authorize VM login.

An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to sign in to the VM over RDP. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

There are two ways to configure role assignments for a VM:

  • Microsoft Entra admin center experience
  • Azure CLI experience

Note

The Virtual Machine Administrator Login and Virtual Machine User Login roles use dataActions, so they can't be assigned at the management group scope. Currently, you can assign these roles only at the subscription, resource group, or resource scope.

Microsoft Entra admin center

To configure role assignments for your Microsoft Entra ID-enabled Windows Server 2019 Datacenter VMs:

  1. For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment to open the Add role assignment page.

  4. Assign the following role. For detailed steps, see Assign Azure roles by using the Azure portal.

    Setting Value
    Role Virtual Machine Administrator Login or Virtual Machine User Login
    Assign access to User, group, service principal, or managed identity

    Screenshot that shows the page for adding a role assignment.

Using the Azure CLI experience

The following example uses az role assignment create to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using az account show, and you set the scope to the VM created in a previous step by using az vm show.

You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply.

username=$(az account show --query user.name --output tsv)
vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)

az role assignment create \
    --role "Virtual Machine Administrator Login" \
    --assignee "$username" \
    --scope "$vm"

Note

If your Microsoft Entra domain and login username domain don't match, you must specify the object ID of your user account by using --assignee-object-id, not just the username for --assignee. You can obtain the object ID for your user account by using az ad user list.
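The two steps of the procedure (enable Microsoft Entra login on the VM, then assign a login role) as one script, added here as an example and not taken from the original article. It drives the Azure CLI from PowerShell (az accepts the same arguments from either shell) and adds the checks the text calls out: the system-assigned identity must exist before the extension is installed, the extension must reach provisioningState Succeeded, and the role assignment is made by object ID at VM scope and then read back. It assumes az 2.0.31 or later is installed and signed in, that the signed-in account can create resources and role assignments, and that the resource group, VM and region names are placeholders you replace.

```powershell
# Added example; not the article's own code. Assumes: az CLI installed and signed in,
# permission to create resources and role assignments, placeholder names below.
$ErrorActionPreference = 'Stop'
$ResourceGroup = 'myResourceGroup'
$Location      = 'chinanorth'
$VmName        = 'myVM'
$LoginRole     = 'Virtual Machine Administrator Login'   # or 'Virtual Machine User Login'

function Invoke-Az {
    # Run az with JSON output and turn a non-zero exit code into a terminating error.
    param([Parameter(ValueFromRemainingArguments)][string[]]$AzArgs)
    $out = & az @AzArgs --output json
    if ($LASTEXITCODE -ne 0) { throw "az $($AzArgs -join ' ') failed (exit $LASTEXITCODE)" }
    if ($out) { return ($out | ConvertFrom-Json) }
}

# 1. Resource group and VM. A local administrator password is still required; treat it
#    as a break-glass credential and prompt for it instead of hard-coding it.
$cred    = Get-Credential -UserName 'azureuser' -Message 'Local administrator for the VM'
$adminPw = $cred.GetNetworkCredential().Password
$null = Invoke-Az group create --name $ResourceGroup --location $Location
$null = Invoke-Az vm create --resource-group $ResourceGroup --name $VmName `
            --image Win2019Datacenter --assign-identity `
            --admin-username $cred.UserName --admin-password $adminPw

# 2. The extension needs the system-assigned identity: verify (and repair) before installing.
$identity = Invoke-Az vm identity show --resource-group $ResourceGroup --name $VmName
if (-not $identity -or $identity.type -notmatch 'SystemAssigned') {
    Write-Warning 'System-assigned identity is missing; enabling it now.'
    $null     = Invoke-Az vm identity assign --resource-group $ResourceGroup --name $VmName
    $identity = Invoke-Az vm identity show   --resource-group $ResourceGroup --name $VmName
}
$vmPrincipalId = $identity.principalId   # the oid you expect to see in the IMDS token later

# 3. Install AADLoginForWindows and confirm it provisioned.
$null = Invoke-Az vm extension set --publisher Microsoft.Azure.ActiveDirectory `
            --name AADLoginForWindows --resource-group $ResourceGroup --vm-name $VmName
$ext = Invoke-Az vm extension show --resource-group $ResourceGroup --vm-name $VmName --name AADLoginForWindows
if ($ext.provisioningState -ne 'Succeeded') {
    throw "Extension state is '$($ext.provisioningState)'; see the troubleshooting section."
}

# 4. Role assignment at VM scope, by object ID (this also covers the case in the note
#    above, where the sign-in domain differs from the tenant's domain).
$vmId  = (Invoke-Az vm show --resource-group $ResourceGroup --name $VmName).id
$me    = Invoke-Az ad signed-in-user show
$myOid = if ($me.id) { $me.id } else { $me.objectId }   # property name differs across az versions
$null = Invoke-Az role assignment create --role $LoginRole --assignee-object-id $myOid `
            --assignee-principal-type User --scope $vmId

# 5. Read it back: an empty list here is the "Azure role not assigned" sign-in failure.
$assigned = @(Invoke-Az role assignment list --scope $vmId --assignee $myOid --role $LoginRole)
if ($assigned.Count -eq 0) { throw "No '$LoginRole' assignment found at $vmId" }
"{0} can sign in to {1} as '{2}'; VM identity principalId = {3}" -f $me.userPrincipalName, $VmName, $LoginRole, $vmPrincipalId
```

Keep $vmPrincipalId: it is the value the troubleshooting steps later compare against the oid claim in the token that the Instance Metadata Service issues to the VM. Passing the admin password on the az command line exposes it to process listings on the management host; for production use, prefer a Key Vault reference or an interactive prompt inside az.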

For more information about how to use Azure RBAC to manage access to your Azure subscription resources, see the Azure RBAC documentation.

Log in by using Microsoft Entra credentials to a Windows VM

You can sign in over RDP using one of two methods:

  1. Passwordless using any of the supported Microsoft Entra credentials (recommended)
  2. Password/limited passwordless using Windows Hello for Business deployed using certificate trust model

Log in using passwordless authentication with Microsoft Entra ID

To use passwordless authentication for your Windows VMs in Azure, you need the Windows client machine and the session host (VM) on the following operating systems:

Important

The Windows client machine is required to be either Microsoft Entra registered, or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. This requirement doesn't exist for passwordless sign-in.

To connect to the remote computer:

  • Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
  • Select Use a web account to sign in to the remote computer option in the Advanced tab. This option is equivalent to the enablerdsaadauth RDP property. For more information, see Supported RDP properties with Remote Desktop Services.
  • Specify the name of the remote computer and select Connect.

Note

An IP address can't be used when the Use a web account to sign in to the remote computer option is selected. The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.

  • When prompted for credentials, specify your user name in user@domain.com format.
  • You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select Yes to connect.
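The connection steps above as a small PowerShell helper, added here as an example that is not part of the original article. It writes an .rdp file with the Use a web account to sign in setting (the enablerdsaadauth property) already enabled, enforces the caveat from the note above by refusing an IP literal and checking that the name resolves, and then launches mstsc. The hostname and user principal name are placeholders.

```powershell
# Added example; not the article's own code. Placeholders: the VM hostname and the UPN.
function New-EntraRdpFile {
    param(
        [Parameter(Mandatory)][string]$VmHostName,          # the VM's hostname as registered in Entra ID
        [Parameter(Mandatory)][string]$UserPrincipalName,   # user@domain.com
        [string]$Path = (Join-Path $env:TEMP "$VmHostName.rdp")
    )
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($VmHostName, [ref]$ip)) {
        throw "'$VmHostName' is an IP address; web-account sign-in needs the Entra device name."
    }
    try   { $resolved = [System.Net.Dns]::GetHostAddresses($VmHostName) }
    catch { throw "'$VmHostName' does not resolve from this client: $($_.Exception.Message)" }

    @(
        "full address:s:$VmHostName"
        'enablerdsaadauth:i:1'            # same as ticking "Use a web account to sign in to the remote computer"
        "username:s:$UserPrincipalName"
    ) | Set-Content -Path $Path -Encoding ASCII
    Write-Host "Wrote $Path ($VmHostName resolves to $($resolved[0]))"
    return $Path
}

# Usage: replace the placeholders, then connect. The Entra prompt appears in the RDP client.
$rdp = New-EntraRdpFile -VmHostName 'myVM' -UserPrincipalName 'john@contoso.com'
Start-Process mstsc.exe -ArgumentList "`"$rdp`""
```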

Important

If your organization has configured and is using Microsoft Entra Conditional Access, your device must satisfy the Conditional Access requirements to allow connection to the remote computer. Conditional Access policies might be applied to the application Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) for controlled access.

Note

The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable Conditional Access policies.

Log in using password/limited passwordless authentication with Microsoft Entra ID

Important

Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are either Microsoft Entra registered (minimum required build is 20H1) or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

If you're using a Microsoft Entra registered Windows 10 or later PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com). At this time, you can use Azure Bastion to log in with Microsoft Entra authentication via the Azure CLI and the native RDP client mstsc.

To sign in to your Windows Server 2019 virtual machine by using Microsoft Entra ID:

  1. Go to the overview page of the virtual machine that has been enabled with Microsoft Entra login.
  2. Select Connect to open the Connect to virtual machine pane.
  3. Select Download RDP File.
  4. Select Open to open the Remote Desktop Connection client.
  5. Select Connect to open the Windows login dialog.
  6. Log in by using your Microsoft Entra credentials.

You're now signed in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.

Note

You can save the .RDP file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.

Use Azure Policy to meet standards and assess compliance

Use Azure Policy to:

  • Ensure that Microsoft Entra login is enabled for your new and existing Windows virtual machines.
  • Assess compliance of your environment at scale on a compliance dashboard.

With this capability, you can use many levels of enforcement. You can flag new and existing Windows VMs within your environment that don't have Microsoft Entra login enabled. You can also use Azure Policy to deploy the Microsoft Entra extension on new Windows VMs that don't have Microsoft Entra login enabled, and remediate existing Windows VMs to the same standard.

In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review Azure Policy.

Troubleshoot deployment problems

The AADLoginForWindows extension must be installed successfully for the VM to complete the Microsoft Entra join process. If the VM extension fails to be installed correctly, perform the following steps:

  1. RDP to the VM by using the local administrator account and examine the CommandExecution.log file under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1.

    Note

    If the extension restarts after the initial failure, the log with the deployment error will be saved as CommandExecution_YYYYMMDDHHMMSSSSS.log.

  2. Open a PowerShell window on the VM. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the Azure host return the expected output. Use curl.exe explicitly: in Windows PowerShell, curl is an alias for Invoke-WebRequest, which doesn't take these arguments.

    • curl.exe -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
      Expected output: correct information about the Azure VM.
    • curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"
      Expected output: the tenant ID associated with the Azure subscription.
    • curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn&api-version=2018-02-01"
      Expected output: a valid access token issued by Microsoft Entra ID for the managed identity that's assigned to this VM.

    Note

    You can decode the access token by using a tool like https://jwt.ms/. Verify that the oid value in the access token matches the managed identity that's assigned to the VM.

  3. Ensure that the required endpoints are accessible from the VM via PowerShell:

    • curl.exe https://login.partner.microsoftonline.cn/ -D -
    • curl.exe https://login.partner.microsoftonline.cn/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.partner.microsoftonline.cn/ -D -
    • curl.exe https://device.login.partner.microsoftonline.cn/ -D -
    • curl.exe https://pas.chinacloudapi.cn/ -D -

    Note

    Replace <TenantID> with the Microsoft Entra tenant ID that's associated with the Azure subscription. login.partner.microsoftonline.cn/<TenantID>, enterpriseregistration.partner.microsoftonline.cn, and pas.chinacloudapi.cn should return 404 Not Found, which is expected behavior.

  4. View the device state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES.

    Note

    Microsoft Entra join activity is captured in Event Viewer under the User Device Registration\Admin log at Event Viewer (local)\Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin.
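The Instance Metadata Service checks in step 2, and the oid comparison from its note, as a script you run on the VM in PowerShell. This is an added example, not code from the original article: it decodes the token locally and compares the oid claim with the VM's system-assigned identity, so the token never has to be pasted into a web page. The expected principal ID (from az vm identity show --query principalId) and the optional tenant ID are inputs you supply; the token built at the end is a constructed, unsigned sample used only to check the decoder offline.

```powershell
# Added example; not the article's own code. Run on the VM. Inputs: the VM identity's
# principalId (placeholder) and optionally the tenant ID.
$Imds        = 'http://169.254.169.254'
$DrsResource = 'urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn'

function Get-ImdsJson([string]$PathAndQuery) {
    # IMDS is link-local, plain HTTP and requires Metadata:true; never send it through a proxy.
    Invoke-RestMethod -Uri "$Imds$PathAndQuery" -Headers @{ Metadata = 'true' } -TimeoutSec 10
}

function ConvertFrom-JwtPayload([string]$Token) {
    # Decode the claims (second) segment of a JWT: base64url -> padded base64 -> JSON object.
    $seg = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($seg.Length % 4) { 2 { $seg += '==' } 3 { $seg += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($seg)) | ConvertFrom-Json
}

function Test-ImdsIdentity {
    param([Parameter(Mandatory)][string]$ExpectedPrincipalId, [string]$ExpectedTenantId)
    $info = Get-ImdsJson '/metadata/identity/info?api-version=2018-02-01'
    if (-not $info.tenantId) {
        throw 'IMDS returned no tenantId: the system-assigned identity is probably not enabled (DSREG_E_MSI_TENANTID_UNAVAILABLE).'
    }
    $tok    = Get-ImdsJson "/metadata/identity/oauth2/token?resource=$DrsResource&api-version=2018-02-01"
    $claims = ConvertFrom-JwtPayload $tok.access_token
    [pscustomobject]@{
        TenantId      = $info.tenantId
        TokenOid      = $claims.oid
        OidMatchesVm  = ($claims.oid -eq $ExpectedPrincipalId)     # must be $true
        TenantMatches = (-not $ExpectedTenantId) -or ($claims.tid -eq $ExpectedTenantId)
        TokenExpires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    }
}

# Offline self-check of the decoder with a constructed, unsigned token. The real token
# comes from IMDS above and is signed by Microsoft Entra ID; this one is not.
function New-UnsignedJwt([hashtable]$Claims) {
    $b64url = { param($s) [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    (& $b64url '{"alg":"none","typ":"JWT"}') + '.' + (& $b64url ($Claims | ConvertTo-Json -Compress)) + '.'
}
$sample = New-UnsignedJwt @{ oid = '11111111-2222-3333-4444-555555555555'; tid = 'tenant-placeholder'; exp = 1700000000 }
if ((ConvertFrom-JwtPayload $sample).oid -ne '11111111-2222-3333-4444-555555555555') { throw 'JWT decoder self-check failed' }

# On the VM: Test-ImdsIdentity -ExpectedPrincipalId '<principalId from az vm identity show>' | Format-List
```

OidMatchesVm is the check the note describes; a token whose oid belongs to a different identity usually means the VM's identity was recreated (identity removed and re-enabled) after the extension was installed.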

If the AADLoginForWindows extension fails with an error code, you can perform the following steps.

Terminal error code 1007 and exit code -2145648574.

Terminal error code 1007 and exit code -2145648574 translate to DSREG_E_MSI_TENANTID_UNAVAILABLE. The extension can't query the Microsoft Entra tenant information.

Connect to the VM as a local administrator and verify that the Azure Instance Metadata Service endpoint returns a valid tenant ID. Run the following command from an elevated PowerShell window on the VM (curl.exe, not the curl alias, which Windows PowerShell maps to Invoke-WebRequest):

curl.exe -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"

This problem can also happen when the VM admin attempts to install the AADLoginForWindows extension before a system-assigned managed identity has been enabled on the VM. In that case, go to the Identity pane of the VM. On the System assigned tab, verify that the Status toggle is set to On.

Exit code -2145648607

Exit code -2145648607 translates to DSREG_AUTOJOIN_DISC_FAILED. The extension can't reach the https://enterpriseregistration.partner.microsoftonline.cn endpoint.

  1. Verify that the required endpoints are accessible from the VM via PowerShell (use curl.exe explicitly; in Windows PowerShell, curl is an alias for Invoke-WebRequest):

    • curl.exe https://login.partner.microsoftonline.cn/ -D -
    • curl.exe https://login.partner.microsoftonline.cn/<TenantID>/ -D -
    • curl.exe https://enterpriseregistration.partner.microsoftonline.cn/ -D -
    • curl.exe https://device.login.partner.microsoftonline.cn/ -D -
    • curl.exe https://pas.chinacloudapi.cn/ -D -

    Note

    Replace <TenantID> with the Microsoft Entra tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select Identity > Overview > Properties > Tenant ID.

    Attempts to connect to enterpriseregistration.partner.microsoftonline.cn might return 404 Not Found, which is expected behavior. Attempts to connect to pas.chinacloudapi.cn might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.

  2. If any of the commands fail with "Could not resolve host <URL>," run nslookup to see which DNS server the VM is using and whether it can resolve the name:

    nslookup <URL>

    Note

    Replace <URL> with the fully qualified domain names that the endpoints use, such as login.partner.microsoftonline.cn.

  3. See whether specifying a public DNS server allows the command to succeed:

    nslookup <URL> 208.67.222.222

  4. If necessary, change the DNS servers configured on the virtual network (or on the VM's network interface) that the Azure VM belongs to. DNS servers aren't a network security group setting.
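The endpoint and DNS checks from the two troubleshooting lists above (step 3 of the deployment checks and the DSREG_AUTOJOIN_DISC_FAILED steps) as one script run on the VM. This is an added example, not the article's own code. It treats an HTTP 404 as reachable, which is the expected answer from several of these hosts, separates DNS failures from TLS and routing failures, and for any name that doesn't resolve compares the VM's own resolver with the public resolver the text uses. <TenantID> is the page's placeholder for your tenant ID.

```powershell
# Added example; not the article's own code. Run on the VM. Replace <TenantID>.
$TenantId  = '<TenantID>'
$Endpoints = @(
    'https://login.partner.microsoftonline.cn/'
    "https://login.partner.microsoftonline.cn/$TenantId/"
    'https://enterpriseregistration.partner.microsoftonline.cn/'
    'https://device.login.partner.microsoftonline.cn/'
    'https://pas.chinacloudapi.cn/'
)

function Test-EntraEndpoint([string]$Url) {
    $r = [pscustomobject]@{ Url = $Url; Resolves = $false; Reachable = $false; Status = $null; Detail = $null }
    try   { $null = [System.Net.Dns]::GetHostAddresses(([uri]$Url).Host); $r.Resolves = $true }
    catch { $r.Detail = "DNS: $($_.Exception.Message)"; return $r }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $r.Status = [int]$resp.StatusCode; $r.Reachable = $true
    } catch {
        # Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException) both expose
        # the response on the exception; a 404 still proves name resolution, TLS and routing work.
        $resp = $_.Exception.Response
        if ($resp) { $r.Status = [int]$resp.StatusCode; $r.Reachable = $true }
        else       { $r.Detail = $_.Exception.Message }
    }
    return $r
}

function Compare-DnsResolution([string]$HostName, [string]$PublicResolver = '208.67.222.222') {
    # Same comparison as the nslookup steps: does the VM's resolver fail where a public one succeeds?
    $viaVm     = try { @(Resolve-DnsName $HostName -Type A -ErrorAction Stop | Where-Object IPAddress).IPAddress } catch { @() }
    $viaPublic = try { @(Resolve-DnsName $HostName -Type A -Server $PublicResolver -ErrorAction Stop | Where-Object IPAddress).IPAddress } catch { @() }
    [pscustomobject]@{
        HostName      = $HostName
        VmResolvers   = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses -join ','
        ViaVmDns      = @($viaVm) -join ','
        ViaPublicDns  = @($viaPublic) -join ','
        VmDnsIsBroken = (@($viaVm).Count -eq 0 -and @($viaPublic).Count -gt 0)   # fix the virtual network's DNS servers
    }
}

$results = $Endpoints | ForEach-Object { Test-EntraEndpoint $_ }
$results | Format-Table Url, Resolves, Reachable, Status, Detail -AutoSize
$results | Where-Object { -not $_.Resolves } |
    ForEach-Object { Compare-DnsResolution ([uri]$_.Url).Host } | Format-List
```

A row with Resolves true, Reachable false and a TLS or timeout message in Detail points at an NSG, firewall or forced-tunnel rule rather than DNS; VmDnsIsBroken true points at the virtual network's DNS servers.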

Exit code 51

Exit code 51 translates to "This extension is not supported on the VM's operating system."

The AADLoginForWindows extension is intended to be installed only on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure that your version or build of Windows is supported. If it isn't supported, uninstall the extension.

Troubleshoot sign-in problems

Use the following information to correct sign-in problems.

You can view the device and single sign-on (SSO) state by running dsregcmd /status. The goal is for the device state to show as AzureAdJoined : YES and for the SSO state to show AzureAdPrt : YES.

RDP sign-in via Microsoft Entra accounts is captured in Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational event logs.

Azure role not assigned

You might get the following error message when you initiate a remote desktop connection to your VM: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."

Screenshot of the message that says your account is configured to prevent you from using this device.

Verify that you've configured Azure RBAC policies for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.

Note

If you're having problems with Azure role assignments, see Troubleshoot Azure RBAC.

Unauthorized client or password change required

You might get the following error message when you initiate a remote desktop connection to your VM: "Your credentials did not work."

Screenshot of the message that says your credentials did not work.

Try these solutions:

  • The Windows 10 or later PC that you're using to initiate the remote desktop connection must be Microsoft Entra joined, or Microsoft Entra hybrid joined to the same Microsoft Entra directory. For more information about device identity, see the article What is a device identity?.

    Note

    Windows 10 Build 20H1 added support for a Microsoft Entra registered PC to initiate an RDP connection to your VM. When you're using a PC that's Microsoft Entra registered (not Microsoft Entra joined or Microsoft Entra hybrid joined) as the RDP client to initiate connections to your VM, you must enter credentials in the format AzureAD\UPN (for example, AzureAD\john@contoso.com).

    Verify that the AADLoginForWindows extension wasn't uninstalled after the Microsoft Entra join finished.

    Also, make sure that the security policy Network security: Allow PKU2U authentication requests to this computer to use online identities is enabled on both the server and the client.

  • Verify that the user doesn't have a temporary password. Temporary passwords can't be used to sign in to a remote desktop connection.

    Sign in with the user account in a web browser. For instance, sign in to the Azure portal in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.
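The sign-in checks from this section collected in one script, added here as an example and not taken from the original article: dsregcmd /status parsed for the AzureAdJoined and AzureAdPrt states, the PKU2U "online identities" policy read from its registry value (check it on both the VM and the client), and recent warnings and errors from the AAD operational and device registration event logs. The dsregcmd output at the end is a constructed sample so the parser can be checked without a joined machine.

```powershell
# Added example; not the article's own code. Run on the VM (and the PKU2U check on the client).
function ConvertFrom-DsregcmdStatus([string[]]$Lines) {
    # dsregcmd prints "Name : Value" rows under +--- banners; keep the rows, drop the banners.
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') { $map[$matches[1]] = $matches[2] }
    }
    return $map
}

function Test-EntraSignInState {
    param([string[]]$StatusLines = (dsregcmd /status))
    $s = ConvertFrom-DsregcmdStatus $StatusLines
    # "Network security: Allow PKU2U authentication requests to this computer to use online identities"
    $pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' -Name AllowOnlineID -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AzureAdJoined  = ($s['AzureAdJoined'] -eq 'YES')   # device state the extension must reach
        AzureAdPrt     = ($s['AzureAdPrt'] -eq 'YES')      # SSO state needed for the RDP sign-in
        TenantName     = $s['TenantName']
        Pku2uOnlineIds = ($pku2u.AllowOnlineID -eq 1)      # $false is one cause of "Your credentials did not work"
    }
}

function Get-EntraSignInEvents([int]$Last = 25) {
    # Recent warnings and errors from the two logs this article names.
    foreach ($log in 'Microsoft-Windows-AAD/Operational', 'Microsoft-Windows-User Device Registration/Admin') {
        Get-WinEvent -LogName $log -MaxEvents $Last -ErrorAction SilentlyContinue |
            Where-Object { $_.Level -le 3 } |                       # 1=Critical 2=Error 3=Warning
            Select-Object @{ n = 'Log'; e = { $log } }, TimeCreated, Id, Message
    }
}

# Constructed sample of dsregcmd /status output for an offline parser check.
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@
$sample = $sampleText -split "`r?`n"
Test-EntraSignInState -StatusLines $sample | Format-List

# On a real VM:  Test-EntraSignInState | Format-List ;  Get-EntraSignInEvents | Format-Table -Wrap
```

AzureAdJoined true with AzureAdPrt false is the pattern to look for when the device joined correctly but interactive sign-in still fails: the machine has no primary refresh token, so the RDP logon can't complete with Microsoft Entra credentials.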

MFA sign-in method required

You might see the following error message when you initiate a remote desktop connection to your VM: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."

Screenshot of the message that says the sign-in method you're trying to use isn't allowed.

If you've configured a Conditional Access policy that requires MFA or legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you see the error.

Another MFA-related error message is the one described previously: "Your credentials did not work."

Screenshot of the message that says your credentials didn't work.

If you've configured a legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication setting and you see the error above, you can resolve the problem by removing the per-user MFA setting. For more information, see the article Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.

If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Azure Windows Virtual Machine Sign-in app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see Windows Hello for Business overview.

Note

Windows Hello for Business PIN authentication with RDP has been supported for several versions of Windows 10. Support for biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business authentication during RDP is available for deployments that use a certificate trust model or key trust model.

Share your feedback about this feature or report problems with using it on the Microsoft Entra feedback forum.

Missing application

If the Azure Windows Virtual Machine Sign-in application is missing from Conditional Access, make sure that the application is in the tenant:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications.
  3. Remove the filters to see all applications, and search for VM. If you don't see Azure Windows Virtual Machine Sign-in as a result, the service principal is missing from the tenant.

Tip

Some tenants might see the application named Azure Windows VM Sign-in instead of Azure Windows Virtual Machine Sign-in. The application will have the same Application ID of 372140e0-b3b7-4226-8ef9-d57986796201.

Next steps

For more information about Microsoft Entra ID, see What is Microsoft Entra ID?.