Forum Discussion
AAD joined personal host machines administrator login
Hello everyone,
I have the following issue:
- Users have an AVD machine assigned and are members of "Virtual Machine User Login" through group assignment.
- We have group assignments for the RBAC role "Virtual Machine Administrator Login", but the user is not a member of any group in there.
- An administrator must support the user on the Personal Host machine and is a member of one of the groups assigned to "Virtual Machine Administrator Login".
- The administrator accesses the machine through TeamViewer.
- The administrator tries to open an app in admin mode and UAC comes up, but the admin cannot log in.
Is there anything I did not consider? Is this even possible? How can administrators support users?
Thanks in advance and best regards
Andreas
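As an added check that is not part of the original thread: before troubleshooting the UAC prompt itself, it helps to confirm that the supporting administrator actually holds "Virtual Machine Administrator Login" at the scope of the personal host, including via group membership. The Az PowerShell snippet below does that; it assumes the Az.Accounts, Az.Compute and Az.Resources modules are installed and `Connect-AzAccount` has already been run, and the resource group, VM name and UPN are placeholders.

```powershell
# Added example (not from the thread): list the Azure RBAC VM-login role assignments
# that apply to a given account at a given VM, expanding group membership.
# Assumes Az PowerShell is installed and Connect-AzAccount has been run.
# ResourceGroup, VmName and AdminUpn are placeholders for your own values.
param(
    [string]$ResourceGroup = "rg-avd-personal",        # placeholder
    [string]$VmName        = "avd-host-01",            # placeholder
    [string]$AdminUpn      = "admin@contoso.example"   # placeholder
)

$vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$user = Get-AzADUser -UserPrincipalName $AdminUpn

if (-not $vm -or -not $user) {
    throw "VM or user not found; check the placeholder values."
}

# -Scope returns assignments at the VM and inherited from resource group/subscription.
# -ExpandPrincipalGroups also returns assignments the account receives through groups,
# which is how the roles in the thread are granted.
$loginRoles  = @('Virtual Machine Administrator Login', 'Virtual Machine User Login')
$assignments = Get-AzRoleAssignment -ObjectId $user.Id -Scope $vm.Id -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -in $loginRoles }

if (-not $assignments) {
    Write-Warning "$AdminUpn holds neither VM login role at or above $($vm.Id)"
} else {
    # DisplayName shows the group (or user) the assignment is bound to, so a missing
    # admin role can be traced back to which group assignment is absent.
    $assignments |
        Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName |
        Format-Table -AutoSize
}
```

If the output lists only "Virtual Machine User Login" (or nothing) for the administrator, the problem is the role assignment rather than the UAC prompt; if "Virtual Machine Administrator Login" is present at the VM scope or above, the assignment itself is in place and the remaining suspects are the sign-in method or Conditional Access, as later replies in the thread discuss.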
- AndreasRBrass Contributor
I have an MS ticket open for some weeks and one thing that worked was to use the role "Azure AD joined device local administrator". Unfortunately this role is too oversized for us and we wanted to declare if we can use a custom group.
This is still without a real answer.
Just for update if someone else has this problem.
- lukemurraynz Learn Expert
What error are they getting?
Is the UAC prompt just a black screen (i.e. the admin can't enter any credentials)? If that's the case it is because it's a Secure Desktop: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation
- AndreasRBrass Contributor
Hello,
thanks for your response.
The UAC comes up and the admin who is connected over TeamViewer can view the UAC. But we always get the following error:
We tried the following login schemas:
AzureAD\UPN
UPN
LocalDomain\SamAccountName
Always getting the same error.
Thanks in advance
- JasonMasten Microsoft
AndreasR check out this page: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required
When setting this up in my lab, I had issues with my admin account b/c MFA is enabled in Azure AD.
- AndreasRBrass Contributor
Hi, thanks for your answer. Unfortunately this only covers access for the user and not for an external administrator.
- Johan_Vanneuville Iron Contributor
Hi,
Maybe this blogpost can help.
https://www.linkedin.com/pulse/azure-virtual-desktop-avd-x-ad-privileged-identity-management-baur/