Forum Discussion
Administrators Cannot Log in to Entra ID Joined VMs if Security Defaults are Enabled
Setting up an AVD & File / App Server instance in Azure. Currently working primarily with the File Server VM (fs1). FS1 is Entra ID joined. I can log into the VM with a local administrator or a normal Entra user (non-administrator) without issue. When I attempt to log in with an Entra admin (Global Administrator), I get the message "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator (me)". All users have MFA enabled... actually this is done by Security Defaults being enabled on my tenant. Not using Conditional Access. Normal users have the Virtual Machine User Login role, and admins have the Virtual Machine Administrator Login role. Both are assigned at the Resource Group and inherited by the VM.
In the sign-in logs... Activity Details:
Normal User:
- Authentication Requirement: Single Factor Authentication
- Status: Success... no additional details
Admin User:
- Authentication Requirement: Multifactor Authentication
- Status: Interrupted
- Additional details: "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
I have determined that if I disable Security Defaults on my tenant I can then log in both as a normal user and as an admin user (both Entra users). Trying to figure out a way to get by this without having to have Security Defaults disabled. Seems that the Virtual Machine Administrator Login role should take care of the admins. Why are the normal users allowed to bypass MFA but not the admins?
Appreciate the feedback.
Lonnie
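The post compares two sign-in log entries by hand (Authentication Requirement, Status, Additional details). As an added example that is not part of the original post, the script below does that comparison over a set of sign-in records so that, across many users, you can see which accounts the tenant is forcing through MFA and which of those sign-ins were left interrupted. The records are constructed and the field names are assumptions modelled on the portal labels quoted above, not an export from Entra; map them to whatever your own export (Graph `signIns`, Log Analytics `SigninLogs`) actually uses.

```python
"""Triage Entra sign-in records for VM sign-ins interrupted by an MFA requirement.

Added example; records below are constructed and the field names are assumed
(they follow the Activity Details labels in the post, not a real export schema).
"""
from collections import defaultdict

# Constructed sample sign-in records (assumed field names).
SAMPLE_SIGNINS = [
    {"user": "user1@contoso.example", "role": "Virtual Machine User Login",
     "authentication_requirement": "Single Factor Authentication",
     "status": "Success", "additional_details": ""},
    {"user": "user2@contoso.example", "role": "Virtual Machine User Login",
     "authentication_requirement": "Single Factor Authentication",
     "status": "Success", "additional_details": ""},
    {"user": "admin1@contoso.example", "role": "Virtual Machine Administrator Login",
     "authentication_requirement": "Multifactor Authentication",
     "status": "Interrupted",
     "additional_details": "User needs to perform multi-factor authentication."},
    {"user": "admin2@contoso.example", "role": "Virtual Machine Administrator Login",
     "authentication_requirement": "Multifactor Authentication",
     "status": "Success", "additional_details": ""},
]


def mfa_interrupted(entry):
    """True when the sign-in required MFA and did not complete."""
    required_mfa = entry["authentication_requirement"].lower().startswith("multifactor")
    return required_mfa and entry["status"].lower() == "interrupted"


def triage(entries):
    """Group sign-ins by assigned VM login role.

    Returns {role: {"total": n, "mfa_required": [users], "mfa_interrupted": [users]}}
    so a reviewer can see whether MFA enforcement lines up with a role (as in the
    post, where only admins were challenged) or with individual accounts.
    """
    summary = defaultdict(lambda: {"total": 0, "mfa_required": [], "mfa_interrupted": []})
    for e in entries:
        bucket = summary[e["role"]]
        bucket["total"] += 1
        if e["authentication_requirement"].lower().startswith("multifactor"):
            bucket["mfa_required"].append(e["user"])
        if mfa_interrupted(e):
            bucket["mfa_interrupted"].append(e["user"])
    return dict(summary)


def report_lines(entries):
    """Human-readable summary, one line per role, for pasting into a ticket."""
    lines = []
    for role, b in sorted(triage(entries).items()):
        lines.append(
            f"{role}: {b['total']} sign-ins, "
            f"{len(b['mfa_required'])} required MFA, "
            f"{len(b['mfa_interrupted'])} interrupted "
            f"({', '.join(b['mfa_interrupted']) or 'none'})"
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(SAMPLE_SIGNINS):
        print(line)
```

Run it as-is to see the two-role split from the post reproduced; point `triage()` at your own records once the field names are mapped. A sign-in that required MFA but ended in Success (admin2 above) is the pattern you want to see after the issue is resolved: the requirement is still enforced, but the client was able to satisfy it.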