May 04 2023 11:29 PM
I have a question regarding AVD (Win11 multi-session) and an Azure VM (Win2022). How do I re-join the AVD session host and the VM in Azure if the device account in Azure AD has been deleted?
The command dsregcmd /forcerecovery returns an error on the AVD host, and nothing happens on the Win2022 VM.
Using the PowerShell cmdlet New-AzureADDevice is problematic because it is not documented how to build the data for the -AlternativeSecurityIds parameter.
Currently the systems see that they are in Azure AD Join mode, but dsregcmd /status says: DeviceAuthStatus : FAILED. Device is either disabled or deleted.
May 07 2023 07:03 PM
Take a look at the one below; the case is similar:
May 08 2023 01:59 AM
My solution:
1. On the orphaned VM with an AADJ station (no device account in AAD), you need to log in with a local administrator account (there should be at least one 😉).
2. I run CMD with admin privileges and issue the command to disconnect from Azure AD; although the device account is missing in AAD, the station is still in AADJ mode: dsregcmd /leave
3. Restart the VM.
4. When the VM comes back up, uninstall the AADLogin or AADLoginForWindows extension from the Azure Portal (this add-on is named differently depending on the VM; e.g. on the AVD VM it is called AADLoginForWindows).
5. Just in case, after uninstalling the add-on, I log into the VM and restart it.
6. After the VM starts, we reinstall the AADLogin extension, which performs an AAD Join to your tenant and creates a device account that is AADJ.
This worked for me on both server VMs (Win Srv 2022) and AVD session hosts (Azure Virtual Desktop).
Conclusions: the AADLogin (Azure AD based Windows Login) extension is responsible for the Azure AD Join of a VM in Azure; it supports signing in with AAD credentials and uses the RBAC roles (Virtual Machine Administrator Login or Virtual Machine User Login) to allow logon to the stations with Azure AD credentials.
Possible diagnostics on the station: dsregcmd /status or Event Viewer
Interesting fact: the dsregcmd /leave command is intended for Hybrid Azure AD Join mode, although it also works for Azure AD Join; additionally you can add the /debug parameter.
Additional materials: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
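The same leave / restart / remove extension / restart / reinstall extension sequence, scripted with Az PowerShell instead of the Portal, as an added example that is not part of the original post. The guest-side dsregcmd calls go through Azure Run Command, which executes as SYSTEM inside the VM (the context dsregcmd /leave expects), so no local-administrator RDP session is needed. It captures the currently installed extension's Name, Publisher and TypeHandlerVersion before removing it and reuses them on reinstall, which sidesteps the AADLogin-versus-AADLoginForWindows naming difference mentioned above. The resource group and VM names are hypothetical, and the fallback publisher and version used when no extension is present are assumptions to check against the linked documentation.

```powershell
# Added example (not from the original post): re-join an Azure VM / AVD host
# whose Azure AD device object was deleted. Requires Az.Accounts + Az.Compute
# and a prior Connect-AzAccount with rights on the VM resource.
param(
    [string]$ResourceGroupName = 'rg-avd-hosts',   # assumption: replace
    [string]$VMName            = 'avd-host-01'     # assumption: replace
)
$ErrorActionPreference = 'Stop'

function Invoke-GuestCommand {
    # Run a PowerShell snippet inside the guest (as SYSTEM) and return stdout.
    param([string]$Script)
    $r = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -CommandId 'RunPowerShellScript' -ScriptString $Script
    ($r.Value | Where-Object { $_.Code -like 'ComponentStatus/StdOut/*' }).Message
}

function Get-DeviceJoinState {
    # Parse the dsregcmd /status fields that matter for this problem.
    $out   = Invoke-GuestCommand 'dsregcmd /status'
    $state = @{}
    foreach ($key in 'AzureAdJoined', 'DeviceId', 'DeviceAuthStatus') {
        $m = [regex]::Match($out, "(?m)^\s*$key\s*:\s*(.+?)\s*$")
        $state[$key] = if ($m.Success) { $m.Groups[1].Value } else { '<missing>' }
    }
    return $state
}

function Restart-GuestAndWait {
    # Restart-AzVM returns when the platform sees the VM running; the guest
    # agent can lag behind, so retry Run Command until the guest answers.
    Restart-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName | Out-Null
    for ($i = 0; $i -lt 10; $i++) {
        try { Invoke-GuestCommand 'hostname' | Out-Null; return }
        catch { Start-Sleep -Seconds 30 }
    }
    throw "VM $VMName did not become reachable via Run Command after restart"
}

# 0. Record the current state and the installed login extension. Its Name
#    varies (AADLogin vs AADLoginForWindows), so match on ExtensionType.
$before = Get-DeviceJoinState
"Before: AzureAdJoined=$($before.AzureAdJoined) DeviceAuthStatus=$($before.DeviceAuthStatus)"

$vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
       Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }

# Fallbacks only if no extension is present (assumed values; verify against
# the Microsoft documentation linked in the post before pinning a version).
$extName      = if ($ext) { $ext.Name }               else { 'AADLoginForWindows' }
$extPublisher = if ($ext) { $ext.Publisher }          else { 'Microsoft.Azure.ActiveDirectory' }
$extVersion   = if ($ext) { $ext.TypeHandlerVersion } else { '1.0' }

# Steps 1-3: leave the orphaned join from inside the guest, then restart.
Invoke-GuestCommand 'dsregcmd /leave' | Out-Null
Restart-GuestAndWait

# Steps 4-5: remove the login extension, then restart again.
if ($ext) {
    Remove-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name $extName -Force | Out-Null
}
Restart-GuestAndWait

# Step 6: reinstall the extension; this performs the Azure AD join and
# creates a fresh device object in the tenant.
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $extName `
    -Publisher $extPublisher -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion $extVersion -Location $vm.Location | Out-Null

# Verify: a new DeviceId and DeviceAuthStatus SUCCESS instead of FAILED.
$after = Get-DeviceJoinState
"After:  AzureAdJoined=$($after.AzureAdJoined) DeviceId=$($after.DeviceId) DeviceAuthStatus=$($after.DeviceAuthStatus)"
if ($after.DeviceAuthStatus -notlike 'SUCCESS*') {
    throw "Re-join did not complete on $VMName; check dsregcmd /status /debug and the User Device Registration event log"
}
```

The final check is the one worth keeping even if you do the steps by hand: compare the DeviceId before and after, and confirm DeviceAuthStatus no longer reports the device as disabled or deleted. The new device object has a new identity, so anything keyed on the old DeviceId (Conditional Access device filters, Intune assignments, host-pool inventories) needs to be reviewed afterwards.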