virtual machine
54 Topics

Login to Windows virtual machine in Azure using Azure AD authentication (and the pitfalls)!
Dear Microsoft Azure Friends,

This article is about the login to a Windows virtual machine in Azure using Azure Active Directory authentication and what needs to be considered in the process. This article describes the procedure. So far, everything is actually in perfect order.

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

So I have worked through the steps and now I want to log on to the virtual machine with an Azure Active Directory account. Why does this error message appear now? Have I done something wrong? I am going through all the steps again. No fits. So I take another close look at the article and discover the following: But that's exactly not the case with me. I want to connect from my local system, which is not registered or joined in Azure.

Let's take it one step at a time. First of all, I create a group in Azure Active Directory. This will contain the account I will use later for the login.

ATTENTION: Use the appropriate Windows OS => Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later.

Next I create a new virtual machine with the default settings (including a public IP address, and yes, this is not good, but for this demo absolutely OK). Except for Management, I set the following settings.

If you want to work with an existing virtual machine, you need to install the extension. You can do this with the Azure Cloud Shell, in a Bash terminal.

    az vm extension set \
        --publisher Microsoft.Azure.ActiveDirectory \
        --name AADLoginForWindows \
        --resource-group YourResourceGroup \
        --vm-name YourVM

After the virtual machine is created, we need to work with Role-Based Access Control (RBAC). There are two roles that can be used: Virtual Machine Administrator Login or Virtual Machine User Login. If you need local admin rights, you need the first role. If you want to log in as a standard user, you can work with the second role.
Now we connect to the virtual machine using RDP, but ATTENTION, I use the account I created when I created the virtual machine (not an Azure AD account). In the virtual machine I start the command prompt and use dsregcmd /status. The machine is Azure AD Joined.

In the virtual machine, navigate to Start and invoke "run". Type sysdm.cpl and navigate to the Remote tab. Remove the "Allow connections..." option and click "Select Users". When you click on "Locations" you will immediately see that you cannot select an account from Azure AD. We need the command prompt for this. Start the command prompt with elevated privileges and enter the following (customized with your information, of course).

    net localgroup "remote desktop users" /add "AzureAD\Email address removed"

Go back to the Azure Portal to your virtual machine. Download the RDP connection file. Open this RDP file with an editor and add the following lines.

    enablecredsspsupport:i:0
    authentication level:i:2

Now double-click on the RDP connection file and use the Azure account for login. AND BINGO, we can now log in to our virtual machine using the Azure Active Directory account! Cool!

I hope this article was useful. Thank you for taking the time to read the article.

Best regards,
Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

32K Views | 8 likes | 18 Comments

Azure VMs stuck at status unknown or updating (solution)
Hi all, I want to share this action plan.

Issue after deallocating Azure VMs:
- Azure Portal: VMs status is "Unknown"
- PowerShell: VMs ProvisioningState is "Updating"

Cause: The VMs are stuck because of an issue with the deallocation process.

Resolution: Please raise a ticket with Azure support to get the VMs locked.

Update 05/18/2023
The Azure PG will fix the code to avoid these failures in the future. They said: "When there are multiple thread updating the same internal resource, the code take a lock to avoid saving conflict, one of the code paths fail to release the lock in one specific partition where this customer's data lives, it make consequently update for same resource return a retry error, we fix the code by ensuring the lock is released".

22K Views | 0 likes | 1 Comment

Sign-in Logs of Azure Virtual Machine
Hi,

Is there any way to find out the number of users logged in to each Azure VM and the signed-in user information from the Azure portal? We also checked in the Log Analytics workspace, but we weren't able to see any parameters required to collect the signed-in user information and the count of users. Could you please let us know how to configure this from the Azure portal?

21K Views | 0 likes | 4 Comments

Persistent Virtual Machines provisioningState "Updating"
Hi,

I'm trying to use Ansible to manage my Virtual Machine state via Ansible and some unexpected behaviour popped up. The Azure VM provisioningState never changed from "Updating" to "Succeeded" while the VM is running and available. I've validated this by querying the API using the Azure-CLI tool and checking:

    > az vm show -g cloudVMrg -n cloudVM | jq '.provisioningState'
    "Updating"

After some searching it seems that this state is represented as is registered in Azure for the Virtual Machine. The state value "Updating" seems to me as an intermediate state whereafter Completed should be set. It seems that this doesn't or didn't happen in my case. The VM is started and available (I can SSH on to the machine) but its provisioningState is still "Updating". On Azure (see attached images) the changes logged on the VM confirm that the value was changed from "Succeeded" to "Updating" when the VM was changed from deallocated powerState.

Is this a bug? What is a valid, less intrusive and sustainable (automatable) workflow to resolve this issue? What is an effective (stateless) way to monitor this?

I've followed this instruction; however, it doesn't exactly match my case, but it fixed the provisioningState; command ran like 10 minutes.

Resolution - https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/vm-stuck-in-failed-state?tabs=cli

14K Views | 0 likes | 0 Comments

Upgrade Windows Datacenter Server from 2019 to 2022
Microsoft have just released Windows Server 2022 for Azure. Is it possible to update an existing Windows Server 2019 Datacenter to 2022? If so, how do you do it? One could, of course, build another server, but I should like to update the existing one. What are the cost implications if any? I realise a standalone server can be updated, but doing it under Azure may have other implications.

10K Views | 1 like | 7 Comments

Not being able to pull images on docker
Hi,

I'm here posting, trying to understand if I am missing anything in trying to make Docker work on an Azure VM. I can set up everything correctly on the Windows Server 2019 VM, as it is stated in this document (https://blog.foldersecurityviewer.com/how-to-install-docker-and-run-docker-containers-on-windows-server-2019/), but when it comes to performing a docker pull, or even if I have a swarm configured, I simply can't download any docker image. The error I get:

    PS C:\Users\thatuser> docker pull windows/nanoserver
    Using default tag: latest
    Error response from daemon: pull access denied for windows/nanoserver, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Well, I tried first doing a docker login, as they suggest, but no matter what image I try (Windows or Linux) I simply can't get anything. Of course for Linux it complains about another issue, due to the platform, which I don't think is relevant, because I only want to deploy Windows-based containers.

If anyone can help out, that would be great. It kind of seems to me this is not possible to do, the way I seem to be doing it (simple Standard D2s v3 (2 vcpus, 8 GiB memory) VM with Windows Server 2019).

Thanks,
Nuno

8.5K Views | 0 likes | 2 Comments

Azure CLI create VM and assign it a password AND a ssh key for login?
How do I create a VM using Azure CLI and assign it a password AND a ssh key for login? Here is the command I want to use but it just creates the ssh key and ignores creating the password.

    az vm create --resource-group VMResourceGroup --name ubuntuVM --image Canonical:0001-com-ubuntu-server-impish:21_10-gen2:21.10.202202010 --size Standard_B1s --os-disk-size-gb 64 --public-ip-sku Basic --admin-username xman --admin-password 'mypassword*1'

Thanks
Regards
Daniel

Solved | 7.6K Views | 0 likes | 4 Comments

How to avoid "This Size is not available in zone. . ."
Hi,

Has anybody found the optimal solution to avoiding the following text when selecting the VM on Azure:

    This size is not available in zone 2. Zones '1' are supported.

Of course the zone numbers can be mixing. I tried to use the Get-AzComputeResourceSku cmdlet, but did not get any smarter:

    PS C:\> Get-AzComputeResourceSku -Location "westeurope" | Where-Object { $_.name -EQ "Standard_D4_v5" }

    ResourceType    Name           Location   Zones     RestrictionInfo
    ------------    ----           --------   -----     ---------------
    virtualMachines Standard_D4_v5 westeurope {1, 2, 3} type: Zone, locations: westeurope, zones: 2, 3

Basically Zones says this should be available, but not when trying to select that on the portal or run PS. PowerShell gives the following error:

    New-AzVM: The requested size for resource '/subscriptions/.../virtualMachines/myVM' is currently not available in location 'westeurope' zones '2' for subscription '111.....111'. Please try another size or deploy to a different location or zones.
    ErrorCode: SkuNotAvailable
    ErrorTarget:
    StatusCode: 409
    ReasonPhrase: Conflict

The funny thing is, this speaks about "subscription", and if I choose a different subscription this VM size is available in the same zone. So I'm interested to hear what others are using for listing available VM sizes, to see how to choose similar VMs in all zones. I have tested with different sizes, and it seems to be the case a bit randomly.

6.9K Views | 0 likes | 4 Comments

log into a VM in Azure using my Azure AD credentials via RDP
Hello,

I would like to be able to log into a VM in Azure using my Azure AD credentials via RDP. The login should be done over the internet from MAC and Linux clients (clients are not members in Azure AD). For security I use Just in Time Access. Is this possible? How can I implement the project?

Thanks for the support
Stefan

Edit: The client from which I try to log in via RDP is not Azure AD joined or connected.
Edit: I have no activate MFA. This is my problem

6.6K Views | 0 likes | 3 Comments