Forum Discussion

danaepanagiot
Copper Contributor
Oct 22, 2024

Microsoft Entra authentication on Windows Server onboarded on Azure Arc

I've been trying to enforce authentication with Entra ID credentials on on-premises servers instead of local user credentials by managing the VMs using Azure Arc. It works just fine with Linux servers by adding the extension AADLoginForLinux, but the same does not seem to be possible for Windows servers. The equivalent extension AADLoginForWindows does not seem to be supported on the hybrid Azure Arc machine. I could not find any relevant documentation for it either, only for native Windows VMs. Nevertheless, I used this command

az connectedmachine extension image list --publisher Microsoft.Azure.ActiveDirectory --extension-type AADLoginForWindows --location <machinelocation> --output table

and I can see the list of available versions for the extension but when trying to install it using 

az connectedmachine extension create

it fails. Specifically it returns a null reference error when trying to retrieve the MDM ID. But this is strange to me since in this case Azure Arc is the device management solution.

  • kyazaferr
    Iron Contributor

    1. AADLoginForWindows Extension Compatibility

    While the AADLoginForWindows extension allows you to authenticate to native Windows VMs using Azure AD, it isn't currently supported on Azure Arc-enabled Windows Servers. Azure Arc is still evolving, and the support for using Azure AD authentication on these servers is limited compared to native Azure-hosted VMs.

    2. The Null Reference Error

    The error you're seeing about the MDM ID suggests that Azure Arc is not seeing the same device management context as native Azure VMs. Azure Arc relies on a hybrid agent for management, but the device management (MDM) ID is typically required when you're working with a fully managed Azure resource. Since your Windows machine is hybrid (Azure Arc), it's possible that it does not fully recognize or have the proper management context to apply the extension.

    This can be due to:

    • MDM Context Missing: Azure Arc does not use Microsoft Intune (MDM) as a device management solution for non-Azure VMs, so the machine may not have an associated MDM ID.
    • Extension Limitations: The AADLoginForWindows extension may have dependencies or features that are unavailable in a hybrid setup, leading to the null reference error.

    3. Current Workaround Options

    While direct Azure AD authentication via AADLoginForWindows isn't supported yet on Azure Arc, you can consider a few alternative approaches:

    A. Enable Hybrid Join with Azure AD

    For authentication through Azure AD on Windows servers onboarded to Azure Arc, ensure that the Windows server is properly Hybrid Azure AD-joined:

    1. Set up Azure AD Join on your on-premises machines to allow Azure AD-based authentication. You can configure hybrid Azure AD join with Azure AD Connect if it's not already done.
    2. Ensure your on-premises Active Directory is synchronized with Azure AD.
    3. This configuration allows you to authenticate using Azure AD credentials when logging into the machine locally or remotely.

    B. Azure AD Authentication for RDP

    If the goal is to use Azure AD credentials for Remote Desktop Protocol (RDP), you can enable Azure AD-based RDP for the on-premises Windows Server through the following steps:

    1. Set up Azure AD Join on the server.
    2. Configure the RDP settings to allow authentication via Azure AD users.
    3. You can do this through the Remote Desktop settings in the Azure portal or using PowerShell to enable Azure AD-based authentication.

    C. Custom Solutions

    You might also want to consider Custom Solutions such as:

    • Using PowerShell scripts or a custom extension to sync Azure AD identities with local user accounts on your Windows servers.
    • If you're using Windows Server 2019 or later, you can enable the Azure AD Join functionality on the server, allowing Azure AD users to log in directly.

    D. Azure AD Passwordless Authentication

    Another potential solution (if supported by your environment) is to enable Passwordless Authentication for your users through Azure AD (using Windows Hello for Business or FIDO2 keys). This setup would allow Azure AD credentials to be used for login even if the server is hybrid.

    4. Potential Future Updates

    Microsoft may release updates to Azure Arc or extend support for Azure AD authentication via extensions like AADLoginForWindows in future releases. Be sure to check the Azure Arc and Azure Active Directory documentation for any updates.
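Workaround A in the reply above only works once the server is actually hybrid-joined, so the first thing to verify on the Arc-enabled Windows Server is its join state rather than retrying the extension. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes it runs in an elevated session on the server itself, that dsregcmd.exe is present (it ships with Windows), and that the `AzureAdJoined`, `DomainJoined`, `TenantName` and `DeviceId` fields appear in the `dsregcmd /status` output as they do on current Windows Server builds.

```powershell
# Added example (not from the thread): check whether this Windows Server is
# hybrid-joined (on-premises AD + Entra ID) before expecting Entra ID sign-in to work.
# Assumptions: elevated PowerShell on the server; dsregcmd.exe available on PATH.

function Get-DeviceJoinState {
    # dsregcmd /status prints "   Key : Value" lines; collect them into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([hashtable]$State)
    # Hybrid join means BOTH conditions hold: domain-joined AND Entra (Azure AD) joined.
    $domainJoined = $State['DomainJoined']  -eq 'YES'
    $entraJoined  = $State['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $entraJoined
        HybridJoined  = ($domainJoined -and $entraJoined)
        TenantName    = $State['TenantName']
        DeviceId      = $State['DeviceId']
    }
}

$result = Test-HybridJoin -State (Get-DeviceJoinState)
$result | Format-List

if (-not $result.HybridJoined) {
    Write-Warning 'Server is not hybrid-joined; Entra ID credentials cannot be used for sign-in yet.'
    if ($result.DomainJoined -and -not $result.AzureAdJoined) {
        # Domain-joined but not registered with Entra: hybrid join has not completed.
        # Check Entra Connect device sync, then re-run dsregcmd /status after the
        # "Automatic-Device-Join" scheduled task (Microsoft\Windows\Workplace Join) has run.
        Write-Warning 'Domain-joined only: hybrid Azure AD join has not completed for this device.'
    }
}
```

Run it on each Arc-enabled server you expect Entra ID sign-in to work on; a `HybridJoined : False` result explains an Entra sign-in failure before any extension or RDP setting is involved, and `DeviceId` and `TenantName` let you confirm the device object that Entra Connect created is the one the server is bound to.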

  • It seems like you're encountering a known limitation with the AADLoginForWindows extension on Azure Arc-enabled servers. Currently, the AADLoginForWindows extension is not supported for hybrid machines managed by Azure Arc.

    This extension is primarily designed for native Azure VMs, which is why you're seeing issues when trying to deploy it on Arc-enabled servers.
