Forum Discussion
Azure AD Sign-in to Azure VMs fails due to enforced MFA (I think)?
- GlossyChops, Mar 27, 2022, Copper Contributor
Hi joeyvldn, thanks for taking the time to reply to my question.
I am signing in to my local Win 10 21H2 laptop using Windows Hello PIN auth - which I understand is considered a strong authentication method.
I can't remove the MFA requirement for my user account as it is the account that I use as Global Admin for my tenant and also when logging in to the Azure portal - on the free Azure AD tenant, both of these force MFA, which can't be turned off.
If I create another user account in Azure AD to use as the login account for the Azure VM, I have to first try to log in to the portal with this user account to reset the initial password, before I can log in to the Azure VM with it. At this point, as I have tried to log in to the Azure Portal with the account, it sets a timer of 14 days until it will enforce MFA. The account works in the short term for logging in to the Azure VM, but I presume this will stop working in 14 days.
When I look at the Azure User's sign-in logs, you can see that the Windows Sign-In shows as successful:
But it is the pass-through authentication that is sent to the Azure VM's Windows OS that then fails to login to the Windows session on the VM:
When I look at the security logs on the VM, all I see is a Windows 4625 error which does not give me much of a clue as to why it did not allow the login:
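A 4625 on its own says little in the event viewer summary, but the event's Status and SubStatus fields carry the NTSTATUS code that explains the refusal. The following PowerShell is an added example for this thread, not code posted by either participant: run from an elevated prompt on the Azure VM, it lists recent 4625 events and decodes those codes, along with the logon type and authentication package, so an RDP failure can be told apart from a missing logon right, an expired password or a locked account. The $Hours and $MaxEvents parameter names are my own choice for this example; the event field names are those of the standard 4625 event schema and the code table is the standard Windows logon NTSTATUS list.

```powershell
<#
Added example, not code from the thread: list recent 4625 (logon failure) events on
the VM and decode the Status/SubStatus NTSTATUS codes so the failure reason is readable.
Run from an elevated PowerShell prompt on the Azure VM. $Hours and $MaxEvents are
parameter names chosen for this example; the event field names are those of the
standard 4625 event schema.
#>
param(
    [int]$Hours = 24,
    [int]$MaxEvents = 50
)

# Standard Windows logon NTSTATUS codes as they appear in the 4625 Status/SubStatus fields.
$statusNames = @{
    '0xc000005e' = 'No logon servers available to service the request'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000006e' = 'Account restriction (blank password, time or workstation restriction)'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc000015b' = 'Logon type not granted (check "Allow log on through Remote Desktop Services")'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Password must change at next logon'
    '0xc0000234' = 'Account locked out'
    '0xc0000413' = 'Authentication firewall blocked the logon'
}

# Logon types that matter for an RDP session to the VM.
$logonTypes = @{
    '2'  = 'Interactive'
    '3'  = 'Network (NLA / SMB)'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive (RDP)'
}

function Get-LogonFailureReason {
    param([string]$Status, [string]$SubStatus)
    # SubStatus carries the specific cause; Status alone is usually the generic 0xc000006d.
    foreach ($code in @($SubStatus, $Status)) {
        if ($code -and $statusNames.ContainsKey($code.ToLower())) {
            return $statusNames[$code.ToLower()]
        }
    }
    return "Unrecognised NTSTATUS $Status / $SubStatus"
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = "$($d['LogonType']) $($logonTypes[[string]$d['LogonType']])"
            AuthPackage = $d['AuthenticationPackageName']
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Status      = $d['Status']
            SubStatus   = $d['SubStatus']
            Reason      = Get-LogonFailureReason -Status $d['Status'] -SubStatus $d['SubStatus']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table Time, TargetUser, LogonType, AuthPackage, SourceIp, Status, SubStatus, Reason -AutoSize -Wrap
```

Save it as a .ps1 file on the VM and run it after reproducing the failed RDP attempt. Logon type 10 with SubStatus 0xc000015b means the account authenticated but lacks the RDP logon right on the VM; for an Azure AD account that right is granted through the Virtual Machine Administrator Login or Virtual Machine User Login Azure role assignment on the VM, so that is the first thing to check in that case. A logon type 3 failure from the RDP client's address is usually the NLA pre-authentication step rather than the interactive session itself.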
- joeyvldn, Mar 28, 2022, Brass Contributor
For my information: you are logging in to a local Windows 10 device without any issue? While trying to connect to an Azure VM (via RDP) with SSO from the local Windows 10 device, it fails after the 14 days expire?
When you have configured MFA for your user object it should not show the 14 days reminder. So I guess:
1: MFA is not configured for the user account logging in
2: There must be a CA policy requiring MFA?
Could you show your CA policies? What happens if you exclude the user from the CA policies?
- GlossyChops, Mar 28, 2022, Copper Contributor
This MFA requirement is not a CA policy - it is a set of enforced security defaults for all user accounts that are Global Admins or access the Azure Portal.
MFA is set up on the account that I don't seem to be able to log in to the Azure VM with - and it gives the error in my original screenshot.
If I log in using another account that is not a global admin, but had to change the user's initial password by logging first into the Azure Portal (as you can't do Azure VM logins with initial temp passwords), I then get the message saying that I must enable MFA on the account. But I chose not to do this, and it gives you 14 days' grace to set it up. This account can log in to the Azure VM successfully - this is what leads me to believe that it must be the enforced MFA (not via a CA policy) that is preventing my original user from logging in, as this is the only difference I can think exists between the two accounts.