SOLVED

Device account in AzureAD has been deleted

Copper Contributor

How to re-join the AVD session host (Win11 Multisession) and the Azure VM (Win2022) in Azure, if the device account in AzureAD has been deleted?
The command dsregcmd /forcerecovery returns an error on the AVD host, and nothing happens on the Win2022 VM.
The use of PS: New-AzureADDevice is problematic because it is not documented, i.e. how to create data for the -AlternativeSecurityIds parameter.
Currently the systems see that they are in AzureAD Join mode, however dsregcmd /status says: DeviceAuthStatus : FAILED. Device is either disabled or deleted.


1 Reply
best response confirmed by sstybel (Copper Contributor)
Solution

@sstybel 

My solution:
1. On the orphaned VM (an AADJ station with no device account in AAD) you need to log in with a local administrator account (there should be at least one ;))
2. I run CMD with Admin privileges and issue the command to disconnect from AzureAD (although the device account is missing in AAD, the station is still in AADJ mode): dsregcmd /leave
3. Restart the VM
4. When the VM is back up, uninstall the AADLogin or AADLoginForWindows extension from the Azure Portal (this add-on is named differently depending on the VM; e.g. on the AVD VM it is called AADLoginForWindows)
5. Just in case, after uninstalling the add-on, I log into the VM and restart it
6. After starting the VM, we reinstall the AADLogin extension, which will perform the AAD Join to your tenant and create a device account which is AADJ.
This worked for me on both server VMs (Win Srv 2022) and AVD session hosts (Azure Virtual Desktop).
Conclusions: the AADLogin (Azure AD based Windows Login) add-on is responsible for the AzureAD Join of a VM in Azure; it supports logging in using AAD credentials and uses RBAC roles (Virtual Machine Administrator Login or Virtual Machine User Login) to log on to stations with credentials from AzureAD.
Possible diagnostics on the station: dsregcmd /status or Event Viewer
Interesting fact: the dsregcmd /leave command is for Hybrid AzureAD Join mode, although it also works for Azure AD Join; additionally you can add the /debug parameter
Additional materials: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows
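The six steps above, scripted end to end with the Az PowerShell module (Az.Compute), as an added example that is not part of the original post. It runs from an admin workstation after Connect-AzAccount; the resource group name, VM name and temp file path are placeholders. It assumes the VM agent still answers RunCommand on the orphaned host (RunCommand needs the agent, not an AAD sign-in), and that the AAD login extension is published as Microsoft.Azure.ActiveDirectory with type AADLoginForWindows, which is what the linked Microsoft docs use. The in-guest state check parses the same dsregcmd /status fields the question quoted, before and after the repair.

```powershell
# Added example (not from the original post): the recovery steps above, automated.
# Placeholders: $ResourceGroupName, $VMName, the temp script path.
param(
    [string]$ResourceGroupName = "rg-placeholder",
    [string]$VMName            = "vm-placeholder"
)
$ErrorActionPreference = "Stop"

# Turns "   Key : Value" lines from dsregcmd /status into a hashtable.
# The key stops at the first colon so values containing ':' (URLs) survive intact.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Runs a script inside the guest as SYSTEM via the VM agent; returns stdout lines.
function Invoke-InGuest {
    param([string]$Script)
    $path = Join-Path $env:TEMP "inguest-placeholder.ps1"   # placeholder temp file
    Set-Content -Path $path -Value $Script
    $r = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -CommandId 'RunPowerShellScript' -ScriptPath $path
    return ($r.Value[0].Message -split "`r?`n")
}

# Steps 1-3: only leave when the host really is in the stale state described in
# the question (still AADJ, but device auth failing). The answer did this
# interactively as a local admin; RunCommand runs it as SYSTEM instead.
$before = ConvertFrom-DsregStatus (Invoke-InGuest 'dsregcmd /status')
if ($before['AzureAdJoined'] -eq 'YES' -and $before['DeviceAuthStatus'] -like 'FAILED*') {
    Invoke-InGuest 'dsregcmd /leave /debug' | Out-Null
    Restart-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName | Out-Null
}

# Step 4: remove whichever AAD login extension instance is present. The instance
# name differs between hosts (AADLogin vs AADLoginForWindows); publisher/type do not.
$vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
       Where-Object { $_.Publisher -eq 'Microsoft.Azure.ActiveDirectory' -and
                      $_.ExtensionType -eq 'AADLoginForWindows' }
foreach ($e in $ext) {
    Remove-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name $e.Name -Force | Out-Null
}

# Step 5: restart once more so the removal has fully settled before re-enrolling.
Restart-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName | Out-Null

# Step 6: reinstall; the extension performs the Azure AD join and creates the device
# object. The VM's system-assigned managed identity must already be enabled (see the
# linked docs); this script does not change identity settings.
Set-AzVMExtension -Publisher 'Microsoft.Azure.ActiveDirectory' -ExtensionType 'AADLoginForWindows' `
    -Name 'AADLoginForWindows' -TypeHandlerVersion '2.0' -Location $vm.Location `
    -ResourceGroupName $ResourceGroupName -VMName $VMName | Out-Null

# Verify: the two fields quoted in the question should now read YES and SUCCESS.
# If RunCommand fails right after the restart, the agent is not up yet; retry.
$after = ConvertFrom-DsregStatus (Invoke-InGuest 'dsregcmd /status')
"AzureAdJoined    : $($after['AzureAdJoined'])"
"DeviceAuthStatus : $($after['DeviceAuthStatus'])"
"TenantId         : $($after['TenantId'])"
```

The pre-check matters in a fleet: running dsregcmd /leave on a host whose device object still exists would orphan it rather than repair it, so the script only leaves when DeviceAuthStatus already reports the failure the question describes. The post-check gives you an auditable line per host confirming the new device object authenticates against the expected TenantId.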
