Forum Discussion

jsk1
Copper Contributor
Jul 01, 2026

Entra ID logins to Azure VMs.

Hello everyone.  I've posted a much longer, more detailed question about this on the Azure support forums, but I'm trying to get more people to look at this.

 

Basically, I'm trying to set up Entra accounts that can log into an Azure-based Windows VM, using the instructions Microsoft have put here:

https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

 

I've treated the Microsoft instructions as a checklist, in order to be as precise as possible.  My own notes and records from 2024 seem to indicate I built a similar system then, following the same instructions.  I was surprised that it didn't work as easily this time. 

 

Does anyone know of changes that were made to Entra ID since 2024 (or 9 months ago, when most of the newest YouTube tutorials were made) to make it much harder to use? In addition to Microsoft's instructions, I have also experimented with alternative configurations (a lot of them) detailed on YouTube, none of which worked.

 

My VM (and Entra itself) both seem to indicate that my Entra accounts are valid, and that the VMs are correctly joined to Entra.  I am still able to log into the VMs with local accounts, so the VMs are correctly connected to Azure.  I've tried both with and without a Bastion, with the same results.  Local accounts work, but Entra doesn't.

 

I've so far been unable to log the Entra accounts in at all, as the passwords (all of them valid, and double-checked) have been rejected.  I think if I could find one method of using the Entra accounts which worked, I would settle on it, but so far I haven't found a single configuration that works.

 

Does anyone have a theory of what's blocking me?  I do have more test data, but I don't want to flood this post.  Thanks.

2 Replies

  • jsk1
    Copper Contributor

    I'm sorry, I missed your reply earlier.  Long story short... I've already assigned my test user the Virtual Machine Administrator Login role, and I've tried these formats for the username:

    (username alone)
    (username)@(domain)
    AzureAD\(username)@(domain)
    AzureAD\(username)

    None of those worked.  I'm assuming that conditional access isn't interfering with the login, since my subscription doesn't include it anyway (it's just Pay-As-You-Go).

    Still, is there any remote access role, for example, that needs to be activated?  Someone else suggested that, but they appeared to have more features (meaning more choices) on their subscription.  For comparison:

    Their account:


    My account:


    Do you think there's anything I COULD do to unlock RDP, if that's really my problem?  RDP does work for the local account.  Thanks.

  • Hi, I’d start by checking the sign-in format and RBAC side first. For Entra login to an Azure Windows VM, the user normally needs the right Azure role assignment, such as Virtual Machine User Login or Virtual Machine Administrator Login, scoped to the VM or resource group. Also make sure you are signing in with AzureAD\email address removed for privacy reasons or the expected Entra format, not just the short username. If local accounts work but Entra accounts are rejected, it often points to RBAC, device join state, Conditional Access, or the VM login extension rather than the password itself.
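
The three checks named in the reply above (role assignment, VM login extension, device join state), as an added PowerShell example that is not part of the thread. It assumes the Az PowerShell modules and a session already signed in with Connect-AzAccount; the resource group, VM name and user UPN are placeholders, and the extension type `AADLoginForWindows` is not named in the thread.

```powershell
# Added example, not from the thread. Placeholder values are assumptions:
# replace them with your own resource group, VM name and test user's UPN.
param(
    [string]$ResourceGroup = '<resource-group>',
    [string]$VmName        = '<vm-name>',
    [string]$UserUpn       = '<user>@<domain>'
)

$loginRoles = 'Virtual Machine Administrator Login', 'Virtual Machine User Login'

# Fail early if the VM cannot be found in the current subscription context.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -ErrorAction Stop

# 1. RBAC: look for one of the two VM login roles for this user, queried at
#    the VM's resource ID. Only assignments made directly to the user are
#    listed; assignments made through a group are not expanded here.
$roles = Get-AzRoleAssignment -Scope $vm.Id -SignInName $UserUpn |
    Where-Object { $_.RoleDefinitionName -in $loginRoles }

# 2. Login extension: the Entra sign-in extension for Windows VMs should be
#    present and its provisioning state should be 'Succeeded'.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName |
    Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }

# 3. Device join state: run dsregcmd inside the guest through Run Command
#    and read the AzureAdJoined field from its output.
$run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
    -CommandId 'RunPowerShellScript' -ScriptString 'dsregcmd /status'
$joined = $run.Value[0].Message -match 'AzureAdJoined\s*:\s*YES'

# One summary object so a failing prerequisite stands out at a glance.
[pscustomobject]@{
    User              = $UserUpn
    LoginRoleAssigned = [bool]$roles
    RolesFound        = $roles.RoleDefinitionName -join ', '
    LoginExtension    = if ($ext) { $ext.ProvisioningState } else { 'not installed' }
    AzureAdJoined     = $joined
}
```

If all three come back healthy, the rejection is happening somewhere these checks do not cover, such as the sign-in name format used at the RDP prompt.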