Forum Discussion
GlossyChops
Mar 26, 2022, Copper Contributor
Azure AD Sign-in to Azure VMs fails due to enforced MFA (I think)?
Hi, I have an Azure AD Tenant (Free) and I have connected an Azure VM to it, but find that I cannot login with my Azure AD account (with VM Administrator RBAC role) from my home Win10 machine (th...
GlossyChops
Mar 28, 2022, Copper Contributor
I have discovered that if I disconnect the Azure VM from Azure AD and then re-join using my Azure AD (Global Admin, Work/School account) - then I can RDP to the Azure VM successfully using the same account (i.e. the one that does not work if the account is joined at deployment time).
It definitely seems to be something to do with MFA being enforced by the "Security defaults" Conditional Access policy (which I can't disable as it is a system policy) - I found this in the Azure AD Sign-In logs, which I think is related to the failure (even though the failure occurs on the Azure VM login screen):
Why is it insisting on MFA and failing the CA policy when joined at deployment time, but not if I join it manually after deployment?
Even if it insists on MFA, shouldn't I pass this OK with the strong authentication of Windows Hello and PIN from my Azure AD joined home laptop? (I have even tried when logged into the laptop as the Azure AD (Global Admin, Work/School account) instead of a local account, but this does not help.)
GlossyChops
Mar 28, 2022, Copper Contributor
I have discovered that it is definitely the Azure AD "Security Defaults" that are now enabled by default on new Azure AD Tenants:
If I set this to No - then I can login with the Azure AD (Global Admin, Work/School) account that I could not login with previously.
What I don't understand is why the strong Authentication of Windows Hello and PIN from my Azure AD joined home laptop does not allow this MFA requirement to be passed when the "Security Defaults" is enabled?
joeyvldn
Mar 28, 2022, Brass Contributor
You can't combine CA and Security Defaults. Defaults being enabled on new tenants has been the case for quite a while now.
So, your issue is solved?

GlossyChops
Mar 28, 2022, Copper Contributor
No, not really, I want "Security Defaults" enabled for security, but also to still be able to login to my Azure AD joined VM with my Azure AD user accounts.
With the Azure AD Free tenant, it is not possible to turn off MFA for the Windows Sign-In cloud app (listed as a work-around) as there is no access to CA policies.
Also Windows Hello with PIN should allow the MFA requirement to be passed, shouldn't it - but I am not seeing this?
And, why is it if I disconnect the Azure VM from Azure AD and then re-join it manually from within Windows, I can then login successfully with the account that I could not login with before, with Security Defaults still enabled on the Azure AD tenant properties?

Waltmscott
Oct 22, 2022, Copper Contributor
Sounds like Microsoft is saying you need P1 or higher to work with anything related to Azure AD joined resources. You have the same problem with AVD and there is no workaround other than disabling default security settings.
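The work-around the thread refers to (turn Security Defaults off, then keep tenant-wide MFA through a Conditional Access policy that excludes the Windows Sign-In cloud app) needs Azure AD P1 and is not something the posters could apply on a Free tenant. As an added illustration that is not from this thread or from Microsoft's documentation, the policy can be created with the Microsoft Graph PowerShell SDK roughly as follows. The two GUIDs are placeholders: the application ID of the Windows Sign-In cloud app and the object ID of a break-glass account must be looked up in the tenant, and the policy is created in report-only state so its effect can be checked in the sign-in logs before enforcement.

```powershell
# Added example (not from the original thread). Requires Azure AD P1 and the
# Microsoft.Graph PowerShell module; placeholder IDs must be replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: Security Defaults and Conditional Access cannot be combined, so turn
# the defaults off before creating any CA policy (same toggle as the portal's
# Security Defaults setting the thread mentions).
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Step 2: re-create the "MFA for everyone" behaviour as an explicit CA policy,
# excluding only the Windows Sign-In cloud app so Azure AD sign-in to the VM
# does not hit the MFA requirement at the Windows logon screen.
$windowsSignInAppId  = "<placeholder: application ID of the Windows Sign-In cloud app>"
$breakGlassObjectId  = "<placeholder: object ID of an emergency-access account>"

$policy = @{
    displayName = "Require MFA for all cloud apps except Windows Sign-In"
    # Report-only first: the sign-in logs show what would have been blocked
    # without locking anyone out; switch to "enabled" once verified.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)   # never MFA-lock the emergency account
        }
        applications   = @{
            includeApplications = @("All")
            excludeApplications = @($windowsSignInAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review what exists afterwards; the new policy should be the only one with
# an application exclusion.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Excluding the Windows Sign-In app does not remove MFA from the rest of the tenant: every other cloud app still requires it, which is the part of Security Defaults the original poster wanted to keep. The break-glass exclusion is the standard precaution against a CA policy that, once enforced, prevents the administrator who created it from signing in to change it.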