AAD joined personal host machines administrator login


Hello everyone,

I have the following issue:

- Users have an AVD machine assigned and are members of "Virtual Machine User Login" through group assignment.

- We have group assignments for the RBAC role "Virtual Machine Administrator Login", but the user is not a member of any group in there.

- An administrator must support the user on the Personal Host machine and is a member of one of the groups assigned to "Virtual Machine Administrator Login".

- The administrator accesses the machine through TeamViewer.

- The administrator tries to open an app in admin mode and UAC comes up, but the admin cannot log in.

Is there anything I did not consider? Is this even possible? How can administrators support users?

Thanks in advance and best regards

Andreas

7 Replies

Hi,
Maybe this blogpost can help.
https://www.linkedin.com/pulse/azure-virtual-desktop-avd-x-ad-privileged-identity-management-baur/

Hi, thanks for your answer. Unfortunately this only covers access for the user and not for an external administrator.
What error are they getting?

Is the UAC prompt just a black screen (i.e. the admin can't enter any credentials)? If that's the case, it is because it's a Secure Desktop - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation

@Luke Murray 

Hello,

thanks for your response.
The UAC comes up and the admin who is connected over TeamViewer can view the UAC. But we always get the following error:

[screenshot of the error message, AndreasR_0-1642415277127.png]

We tried the following login schemas:

AzureAD\UPN

UPN

LocalDomain\SamAccountName

Always getting the same error.

Thanks in advance

@AndreasR check out this page: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required

When setting this up in my lab, I had issues with my admin account because MFA is enabled in Azure AD.

Hi, thanks for this page. We tried this already and it did not change anything :(

I have had a MS ticket open for some weeks, and one thing that worked was to use the role "Azure AD joined device local administrator". Unfortunately this role is too oversized for us and we wanted to clarify whether we can use a custom group.

This is still without a real answer.

Just an update in case someone else has this problem.
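An added troubleshooting check for the situation described in the original question (not code from the thread or from Microsoft): it verifies from the Azure side whether the supporting administrator actually holds "Virtual Machine Administrator Login" at the VM's scope, including through group membership, and whether the Azure AD login extension is installed on the host. It assumes the Az PowerShell module is installed and Connect-AzAccount has been run; the resource group, VM name and UPN are placeholders.

```powershell
# Added example, not part of the thread. Assumes the Az module and an
# existing Connect-AzAccount session. Replace the placeholder values below.
$ResourceGroup = 'rg-avd-placeholder'
$VmName        = 'avd-host-placeholder'
$AdminUpn      = 'admin@contoso.example'   # the supporting administrator

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 1. Without the AADLoginForWindows extension the RBAC login roles never
#    reach the host, so UAC has nothing to honour.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName |
    Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }
if ($ext) {
    "AADLoginForWindows extension: $($ext.ProvisioningState)"
} else {
    'AADLoginForWindows extension: MISSING'
}

# 2. List the VM login roles the admin holds at or above the VM scope.
#    -ExpandPrincipalGroups also returns assignments granted via groups,
#    which is how the thread's administrators receive the role.
$loginRoles  = 'Virtual Machine Administrator Login', 'Virtual Machine User Login'
$assignments = Get-AzRoleAssignment -SignInName $AdminUpn -Scope $vm.Id -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -in $loginRoles }

if (-not $assignments) {
    "$AdminUpn holds no VM login role at or above $($vm.Id)"
}
$assignments |
    Select-Object RoleDefinitionName, ObjectType, DisplayName, Scope |
    Format-Table -AutoSize

# 3. Only the Administrator Login role maps to the local Administrators group;
#    User Login alone is expected to fail at the UAC credential prompt.
if ($assignments.RoleDefinitionName -contains 'Virtual Machine Administrator Login') {
    'Administrator Login role present: local admin via RBAC is expected'
} else {
    'No Administrator Login role found: UAC elevation is expected to fail'
}
```

If both checks pass and elevation still fails, the remaining differences lie on the host or in the sign-in path (for example the MFA requirement mentioned above), not in the role assignment itself.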