Forum Discussion
Azure AD Sign-in to Azure VMs fails due to enforced MFA (I think)?
When you have configured MFA for your user object, it should not show the 14-day reminder. So I guess:
1: MFA is not configured for the user account logging in
2: There must be a CA policy requiring MFA?
Could you show your CA policies? What happens if you exclude the user from the CA policies?
MFA is set up on the account that I don't seem to be able to log in to the Azure VM with, and it gives the error in my original screenshot.
If I log in using another account that is not a global admin, but had to change the user's initial password by logging into the Azure Portal first (as you can't do Azure VM logins with initial temp passwords), I then get the message saying that I must enable MFA on the account. But I chose not to do this, and it gives you 14 days' grace to set it up. This account can log in to the Azure VM successfully. This is what leads me to believe that it must be the enforced MFA (not via a CA policy) that is preventing my original user from logging in, as this is the only difference I can think exists between the two accounts.
- GlossyChops, Mar 28, 2022, Copper Contributor
I have discovered that if I disconnect the Azure VM from Azure AD and then re-join it using my Azure AD (Global Admin, Work/School) account, then I can RDP to the Azure VM successfully using the same account (i.e. the one that does not work when the VM is joined at deployment time).
It definitely seems to be something to do with MFA being enforced by the "Security defaults" Conditional Access policy (which I can't disable as it is a system policy). I found this in the Azure AD Sign-In logs, which I think is related to the failure (even though the failure occurs on the Azure VM login screen):
Why is it insisting on MFA and failing the CA policy when joined at deployment time, but not if I join it manually after deployment?
Even if it insists on MFA, shouldn't I pass this OK with the strong authentication of Windows Hello and PIN from my Azure AD joined home laptop? (I have even tried when logged into the laptop as the Azure AD (Global Admin, Work/School) account instead of a local account, but this does not help.)
- GlossyChops, Mar 28, 2022, Copper Contributor
I have discovered that it is definitely the Azure AD "Security Defaults" that are now enabled by default on new Azure AD tenants:
If I set this to No, then I can log in with the Azure AD (Global Admin, Work/School) account that I could not log in with previously.
What I don't understand is why the strong authentication of Windows Hello and PIN from my Azure AD joined home laptop does not allow this MFA requirement to be passed when "Security Defaults" is enabled?
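The two facts the thread turns on are that Security Defaults enforce MFA tenant-wide and that they show up in the sign-in logs as a failed Conditional Access evaluation. Before flipping Security Defaults to No in the portal, it is worth confirming both from the command line, and if you do turn them off, replacing them with a scoped Conditional Access policy rather than leaving the tenant with no MFA requirement at all. The following is an added example written for this page, not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed (the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules), that the signed-in admin can consent to the listed scopes, and that `admin@contoso.onmicrosoft.com` and the break-glass object ID are placeholders you replace with your own values.

```powershell
# Added example for this thread; not the poster's or Microsoft's code.
# Assumes: Microsoft.Graph PowerShell SDK installed, admin consent for the
# scopes below, and placeholder UPN / object ID replaced with real values.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'AuditLog.Read.All'

# 1. Is Security Defaults switched on for this tenant? If so, every
#    interactive sign-in is subject to its MFA enforcement, and there is no
#    per-user or per-app exclusion to tune.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Pull the last day of sign-ins for the affected account and show the
#    Conditional Access outcome next to the error code, so the failure the
#    poster saw in the portal can be matched to the RDP attempt.
$upn   = 'admin@contoso.onmicrosoft.com'   # placeholder
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -Top 20 |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
        @{ n = 'ErrorCode';     e = { $_.Status.ErrorCode } },
        @{ n = 'FailureReason'; e = { $_.Status.FailureReason } } |
    Format-Table -AutoSize

# 3. Only if you have decided to move from Security Defaults to Conditional
#    Access (the two cannot be combined): turn Security Defaults off, then
#    create a CA policy that requires MFA for everyone except a break-glass
#    account. It is created in report-only mode first so you can watch the
#    sign-in logs for what it would block before enforcing it.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder
$policy = @{
    displayName = 'Require MFA for all users (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run steps 1 and 2 first and leave step 3 commented out until you have confirmed from the log output that the failing sign-ins really carry a `ConditionalAccessStatus` of `failure` against the Security Defaults enforcement rather than some other cause. Switching the policy state from `enabledForReportingButNotEnforced` to `enabled` is the moment the tenant is protected again; between disabling Security Defaults and that switch, password-only sign-in is accepted for every account.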
- joeyvldn, Mar 28, 2022, Copper Contributor
You can't combine CA and Security Defaults. Defaults being enabled on new tenants has been the case for quite a while now.
So, your issue is solved?