Blog Post

Azure Infrastructure Blog
3 MIN READ

Entra ID Login via Azure Bastion Fails After VM Recreation

Balajiranganathan's avatar
Balajiranganathan
Icon for Microsoft rankMicrosoft
Apr 22, 2026

In large-scale Azure environments, enabling Microsoft Entra ID (formerly Azure Active Directory) authentication for Windows virtual machines is a widely adopted security best practice. It removes the dependency on local accounts, supports centralized identity governance, and works seamlessly with Azure Bastion for password less VM access.

However, you may encounter a confusing scenario where:

An Entra ID user attempts to sign in to a Windows VM through Azure Bastion

  • The connection appears to succeed in the backend logs
  • The session is disconnected within a second
  • Bastion returns a generic sign-in error to the user

 

At first glance, everything looks correctly configured. Terraform applies cleanly, permissions are in place, and Bastion access is allowed. This blog walks through a real-world troubleshooting journey that exposes a non-obvious Entra ID device registration issue, explains the root cause, and provides a clean resolution.

Scenario

We manage Azure infrastructure using Terraform, with Entra ID login enabled via the AADLoginForWindows VM extension. Azure Bastion is used to provide secure, inbound‑port‑free access to Windows VMs.

After deleting and recreating a Windows VM with the same hostname, Entra ID login through Bastion started failing. Traditional local admin login worked, but Entra ID–based access did not.

Key Terraform Configuration

The VM was deployed with Entra ID login enabled using Infrastructure as Code:

  • AADLoginForWindows extension
  • Role assignments:
    • Virtual Machine Administrator Login or
    • Virtual Machine User Login
  • Bastion configured for Entra ID authentication

From an IaC perspective, nothing was misconfigured.

 

Symptoms Observed

The issue manifested in multiple subtle ways:

  • Bastion login using Entra ID fails with a generic error message
  • Backend logs show authentication success
  • Session disconnects immediately after connection establishment
  • Running the following on the VM:

dsregcmd /status

shows:

IsDeviceJoined: NO

 

This explains why Entra ID authentication succeeds initially but instantly fails during session creation.

Root Cause Explained

When a Windows VM is joined to Microsoft Entra ID, a device object is created in Entra ID, keyed to the VM’s Windows hostname.

If the VM is later deleted without removing the device object, and a new VM is recreated using the same hostname, the Entra ID join process fails silently due to a hostname collision.

Key points:

  • The old Entra ID device object still exists
  • The new VM cannot complete Entra ID registration
  • Bastion authentication succeeds, but authorization fails immediately
  • The VM therefore disconnects the session

This is why backend logs look “successful” even though the user experience is not.

Resolution Steps

Identify the Stale Device Object

  1. Navigate to: Azure Portal → Microsoft Entra ID → Devices → All devices
  2. Search for the VM hostname (for example, VM01)
  3. Open the device object and note the Object ID
  4. Confirm it matches the Object ID referenced in the extension logs.                                                                                                                                                                                                                                                 

Delete the Stale Device

This does not delete the VM or any Azure resources. Only the Entra ID registration is removed.

You can delete the device using either method:

Azure Portal

  • Select the device
  • Choose Delete

Azure CLI

az ad device delete --id <ObjectId>

Retry the Entra ID Join

  1. Restart the VM or restart the AADLoginForWindows extension
  2. Wait for the extension to re‑execute
  3. Verify the join status:

dsregcmd /status

Expected output:

IsDeviceJoined: YES

 

 

  1. Retry Bastion login using Entra ID

The session should now remain connected and function normally

Why This Issue Is Easy to Miss

  • Azure VM deletion does not automatically clean up Entra ID device objects
  • Terraform recreations with identical hostnames are common in non‑prod environments
  • Bastion logs are not explicit about device join failures
  • Authentication succeeds, but authorization fails post‑connection

Key Takeaways

  • Deleting a device from Microsoft Entra ID does not impact the VM itself
  • Always check for stale Entra ID device objects when reusing hostnames
  • dsregcmd /status is the fastest way to validate join state
  • AADLoginForWindows extension logs are critical for root cause analysis
  • Bastion disconnections immediately after login often indicate identity‑level issues, not networking problems

References

  • Troubleshoot Microsoft Entra ID device registration issues
  • Manage and delete stale Entra ID devices
  • AADLoginForWindows extension documentation
Updated Apr 07, 2026
Version 1.0
azure security
azure virtual machines
No CommentsBe the first to comment