Login to Windows virtual machine in Azure using Azure AD authentication (and the pitfalls)!

MVP

 

Dear Microsoft Azure Friends,

 

This article is about the login to Windows virtual machine in Azure using Azure Active Directory authentication and what needs to be considered in the process. This article describes the procedure. So far, everything is actually in perfect order.
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

 

So I have worked through the steps and now I want to log on to the virtual machine with an Azure Active Directory account.

_Azure_0.JPG

 

Why does this error message appear now? Have I done something wrong? I am going through all the steps again. No fits. So I take another close look at the article and discover the following:

_Azure_11.JPG

But that's exactly not the case with me. I want to connect from my local system which is not registered or joined in Azure. Let's take it one step at a time. First of all, I create a group in Azure Active Directory. This will contain the account I will use later for the login.

_Azure_9.JPG

 

ATTENTION: Use the appropriate Windows OS => Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later

 

Next I create a new virtual machine with the default settings (including a public IP address and yes this is not good, but this demo absolutely OK). Except for Management I set the following settings.

_Azure_10.JPG

 

If you want to work with an existing virtual machine you need to install the extension. You can do this with the Azure Cloud Shell, in a Bash terminal.

 

az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group YourResourceGroup \
--vm-name YourVM

 

After the virtual machine is created we need to work with Role based Access Control RBAC. There are two roles that can be used.

 

Virtual Machine Administrator Login
or
Virtual Machine User Login

 

If you need local admin rights you need the first role. If you want to log in as a standard user, you can work with the second role.

_Azure_8.JPG

 

Now we connect to the virtual machine using RDP, but ATTENTION, I use the account I created when I created the virtual machine (not an Azurre AD account). In the virtual machine I start the command prompt and use dsregcmd /status. The machine is Azure AD Joined.

_Azure_1.JPG_Azure_2.JPG

 

In the virtual machine, navigate to Start and invoke "run". Type sysdm.cpl and navigate to the Remote tab. Remove the "Allow connections..." option and click "Select Users".

_Azure_4.JPG

 

When you click on "Locations" you will immediately see that you cannot select an account from Azure AD. We need the command prompt for this.

_Azure_5.JPG

 

Start the command prompt with elevated privileges and enter the following (customized with your information, of course).

net localgroup "remote desktop users" /add "AzureAD\Email address removed"

_Azure_6.JPG

 

Go back to the Azure Portal to your virtual machine. Download the RDP connection file.

_Azure_12.JPG

 

Open this RDP file with an editor and add the following lines.
enablecredsspsupport:i:0
authentication level:i:2

_Azure_3.JPG

 

Now double click on the RDP connection file and now use the Azure account for login. AND BINGO, we can now log in to our virtual machine using the Azure Active Directory account! Cool!

_Azure_7.JPG

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

10 Replies

@TomWechsler 

Thank you for this detailed post! The amount of hoops that you have to jump through is outrageous for what really should be fairly simple authentication.

 

The fact that we have to disable MFA without W10 Hello for Business deployed is crazy to me, and there are many intricate steps that must be performed "just so" to get this working. Even more outlandish is that the official MS KB article fails to mention a couple of these finer details and will leave you unable to get this working without a significant level of research and troubleshooting.

 

I wish I would have found your post a week ago! Lifesaver!!!

Thank you for your feedback. Regards, Tom
Expectation = Wow cool - very simple ..
Reality = Oh man ..

Kidding aside, this is a really helpful article. Thank you!

@TomWechsler 

I do think it should be noted that these settings do have security implications.

https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-security-support-provider

 Caution

CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

You are absolutely right, that is not the best solution. Should only be used when access needs to be made from a non Azure AD Joined machine.