A common issue that most of us encounter is being unable to RDP to a VM using Azure AD credentials. If you cannot log in to an Azure Windows 10 VM with Azure AD credentials, this troubleshooting article will help you.
A few months ago I was in a similar situation where I couldn’t RDP to a VM using Azure AD credentials. It wasn’t just a single VM; the Azure AD credentials didn’t seem to work on any VM.
Based on my research, many people have issues logging in to Azure VMs with AAD credentials. You create a VM in Azure, you cannot log in with Azure AD credentials, and that’s frustrating.
Most of us don’t know where to begin troubleshooting this issue. Some of you may assume you are entering the wrong password and reset it repeatedly.
When I attempted to RDP to a VM in Azure with my AAD credentials, I saw the error “The login attempt failed”. Initially, I thought I was entering the wrong information on the login screen.
Some of you may instead see the error “Your credentials did not work”. It is confusing and not what you want to see when you need to get into the VM quickly.
Troubleshooting the Azure VM RDP issue involves many steps, but don’t worry, I have covered all of them in this article. I have written it so that the steps are easy to understand and follow. If you have questions, feel free to contact me and I will be happy to respond.
The Remote Desktop Protocol (RDP) connection to your Windows-based Azure virtual machine (VM) can fail for various reasons, leaving you unable to access your VM. The issue could be with the Azure VM itself, or it could be with the configuration in Azure.
Most of us are not aware of the configuration that is required before you can RDP to a VM with Azure AD credentials. If this configuration is not in place, you will struggle to access the VM.
When you cannot RDP to a VM using Azure AD credentials, there is no single solution. Rather, there are several steps you need to follow to ensure you can successfully RDP to the Azure VM. For more information, refer to troubleshooting Remote Desktop connections to an Azure virtual machine.
Fix Unable to RDP VM using Azure AD Credentials Issues
As mentioned earlier, I will cover the troubleshooting steps to resolve the common issue of being unable to RDP to a VM using Azure AD credentials. If you want to RDP to an Azure VM with Azure AD credentials, you need to ensure the required settings are in place.
Suppose you are connecting with Remote Desktop (RDP) to an Azure AD joined computer with a user account. The connection we want to establish is to an Azure AD joined computer, logging on with an account from Azure AD.
To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure your VM’s network configuration permits outbound access to the following endpoints over TCP port 443:
For Azure Global
- https://enterpriseregistration.windows.net – For device registration.
- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
- https://login.microsoftonline.com – For authentication flows.
- https://pas.windows.net – For Azure RBAC flows.
For Azure Government
- https://enterpriseregistration.microsoftonline.us – For device registration.
- http://169.254.169.254 – Azure Instance Metadata Service.
- https://login.microsoftonline.us – For authentication flows.
- https://pasff.usgovcloudapi.net – For Azure RBAC flows.
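The following is an added example, not the article’s own code: run from PowerShell on the VM, it confirms outbound access to the Azure Global endpoints listed above (substitute the Azure Government hostnames from the second list if needed). The IMDS path, API version and “Metadata: true” header are the documented Instance Metadata Service API; everything else is constructed here.

```powershell
# Added example, not the article's own code: checks from inside the VM that the
# endpoints the Azure AD login extension needs are reachable. Hostnames and ports
# are the ones listed in the article; IMDS path and header are the documented API.
$endpoints = @(
    @{ Host = 'enterpriseregistration.windows.net'; Port = 443; Purpose = 'Device registration' },
    @{ Host = 'login.microsoftonline.com';          Port = 443; Purpose = 'Authentication flows' },
    @{ Host = 'pas.windows.net';                    Port = 443; Purpose = 'Azure RBAC flows' }
)

foreach ($e in $endpoints) {
    # TCP handshake only; a 'BLOCKED' here points at an NSG, firewall or proxy rule.
    $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OK' } else { 'BLOCKED' }
    Write-Output ('{0,-8} {1}:{2}  ({3})' -f $state, $e.Host, $e.Port, $e.Purpose)
}

# IMDS is plain HTTP on the link-local address; the request must not go through a proxy.
try {
    $meta = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01' `
        -Headers @{ Metadata = 'true' } -TimeoutSec 5
    Write-Output ('{0,-8} 169.254.169.254 IMDS reachable, VM name: {1}' -f 'OK', $meta.name)
} catch {
    Write-Output ('{0,-8} 169.254.169.254 IMDS not reachable: {1}' -f 'BLOCKED', $_.Exception.Message)
}
```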
Step 1 – Enable Azure AD login for Windows VM
Some time ago, Microsoft announced Azure AD authentication for Windows Virtual Machines (VMs) in Azure, giving you the ability to manage and control who can access a VM.
Azure AD login for Windows VMs in Azure must be enabled manually. You can enable this option while creating a new Virtual Machine in Azure. With this option enabled, you can use your corporate Azure AD credentials to log in to Windows VMs in Azure.
If you are creating a new VM in Azure and you want to log in using Azure AD credentials, you must enable the Login with Azure AD option.
There are two ways to enable Azure AD login for a VM in Azure.
- You can enable it in the Azure portal while creating a VM.
- You can also use the Azure Cloud Shell experience when creating a Windows VM or for an existing Windows VM.
In the Azure portal, on the Create a virtual machine window, select Management and, under Azure AD, select Login with Azure AD. With this option enabled, you can log in to the VM using Azure AD credentials.
Step 2 – Configure RBAC Role Assignment for Azure AD login
After you enable the Login with Azure AD option in step 1, the next step is important before you RDP to the VM using Azure AD credentials.
To log in to the VM using your Azure AD credentials, you first need to configure role assignments for the VM. You cannot skip this step.
You must configure Azure role assignments for the users who are authorized to log in to the VM. An RBAC role assignment of Virtual Machine Administrator Login or Virtual Machine User Login is required when using Azure AD login.
There are two Azure roles used to authorize VM login. Each of these roles is distinct, and you can assign either of them to your users.
- Virtual Machine Administrator Login – Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login – Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
To configure RBAC Role assignments for Azure AD login, you can either use the Azure portal or Azure cloud shell. I haven’t used the Azure cloud shell much. Therefore, I prefer the Azure portal because it’s easy to complete the steps.
Let’s configure RBAC Role assignments for Azure AD login. In the Azure portal, go to Resource Groups and select your resource group. Select Access Control (IAM) and click Add > Add Role Assignment.
On the Add role assignment window, select the following.
- Role – Select either Virtual Machine Administrator Login or Virtual Machine User Login role.
- Assign access to – Select User, group or service principal.
- In the Select box, type the username and select the users and click Save.
Monitor the notifications where you can confirm the users were added to the selected roles.
You can verify that the RBAC role assignments are actually applied. In the Azure portal, click the Role assignments tab, and you should see the assignments you just configured in the step above. I have three users, and they are now assigned the Virtual Machine Administrator Login role.
Step 3 – Verify AADLoginForWindows Extension in Azure
The AADLoginForWindows extension must install successfully for the VM to complete the Azure AD join process. This is a critical step to check if you are unable to RDP to the VM using Azure AD credentials.
If the AADLoginForWindows extension fails to install, always make a note of the exit code. A failed AADLoginForWindows extension reports one of the following exit codes.
- AADLoginForWindows extension fails to install with terminal error code ‘1007’ and exit code: -2145648574.
- AADLoginForWindows extension fails to install with Exit code: -2145648607
- AADLoginForWindows extension fails to install with Exit code: 51
Each of these exit codes has its own solution. You can refer to the excellent AADLoginForWindows extension troubleshooting guide by Microsoft to resolve deployment issues.
Now, I am going to show you where to find the AADLoginForWindows extension. In the Azure portal, select the Virtual Machine and, under Settings, click Extensions. Here you should see the AADLoginForWindows extension. The status of this extension must be Provisioning succeeded.
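As an added example that is not the article’s own code, here is the Azure Cloud Shell / Az PowerShell equivalent of steps 1 to 3: installing the AADLoginForWindows extension, assigning a VM login role, and checking the extension’s provisioning state. The resource group, VM name and UPN are placeholders; the script assumes the Az module is loaded and Connect-AzAccount has already been run.

```powershell
# Added example, not the article's own code: steps 1 to 3 from Cloud Shell / Az PowerShell.
# Resource group, VM name and UPN are placeholders; run Connect-AzAccount first.
$rg     = 'PLACEHOLDER-RESOURCE-GROUP'
$vmName = 'PLACEHOLDER-VM'
$upn    = 'firstname.lastname@contoso.onmicrosoft.com'   # constructed sample UPN

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Step 1: install AADLoginForWindows (what the portal's "Login with Azure AD" box does).
# Pick the newest published handler version instead of hard-coding one.
$latest = Get-AzVMExtensionImage -Location $vm.Location `
    -PublisherName 'Microsoft.Azure.ActiveDirectory' -Type 'AADLoginForWindows' |
    Sort-Object { [version]$_.Version } | Select-Object -Last 1
$handler = '{0}.{1}' -f ([version]$latest.Version).Major, ([version]$latest.Version).Minor

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion $handler | Out-Null

# Step 2: role assignment scoped to this VM only (least privilege: the user may log in
# to this VM, not to every VM in the resource group). Skip if it already exists.
$role = 'Virtual Machine Administrator Login'   # or 'Virtual Machine User Login'
$existing = Get-AzRoleAssignment -SignInName $upn -RoleDefinitionName $role -Scope $vm.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $upn -RoleDefinitionName $role -Scope $vm.Id | Out-Null
}
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -like 'Virtual Machine * Login' } |
    Format-Table DisplayName, SignInName, RoleDefinitionName -AutoSize

# Step 3: the extension must report ProvisioningState "Succeeded"; on failure the
# status message carries the exit code the article tells you to note down.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AADLoginForWindows' -Status
Write-Output ('AADLoginForWindows: {0}' -f $ext.ProvisioningState)
if ($ext.ProvisioningState -ne 'Succeeded') {
    $ext.Statuses | ForEach-Object { Write-Output ('  {0}: {1}' -f $_.Code, $_.Message) }
}
```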
Step 4 – Unauthorized Client – The login attempt failed
From the Azure portal, when you download the RDP connection file and attempt to connect, you may encounter the error Unauthorized Client – The login attempt failed. This is the first error you may see when you RDP to a VM using Azure AD credentials.
This may sound obvious, but sometimes we enter the wrong credentials and then try to find out why the login is not working. When you RDP to a VM using Azure AD credentials, ensure you are using the correct credentials. You may also reset the password and try logging in again.
As per Microsoft, verify that the Windows 10 PC you are using to initiate the Remote Desktop connection is either Azure AD joined or hybrid Azure AD joined to the same Azure AD directory to which your VM is joined.
Note that per-user enabled/enforced Azure AD Multi-Factor Authentication is not supported for VM sign-in. This setting causes sign-in to fail with the error “Your credentials do not work”.
Step 5 – Ensure VM is joined to Azure AD Tenant
When you are unable to RDP to a VM using Azure AD credentials, ensure the Windows 10 VM in Azure is joined to the Azure AD tenant. I have a post that details the steps to join a Windows 10 VM to Azure AD. You can use those steps to verify whether the VM is Azure AD joined.
You may wonder how you can log in at all when you are unable to RDP to the VM using Azure AD credentials. In this case, you have to log in using the local administrator account, that is, the account you set up while creating the VM in Azure.
On your Windows 10 Azure VM, open Settings, and then select Accounts. Select Access work or school. Here you can verify if your computer is Azure AD joined or not.
Step 6 – Disable Network Level Authentication
Network Level Authentication can sometimes prevent you from RDPing to the VM using Azure AD credentials. You can disable Network Level Authentication on your Azure VM.
Microsoft recommends keeping Network Level Authentication turned on. However, this step becomes mandatory if RDP to the Azure VM doesn’t work.
Use the local account to sign in to the Azure VM and perform the below steps.
On your Windows 10 Azure VM, open System Properties and select the Remote tab. Under Remote Desktop, select Allow remote connections to this computer. Untick Allow connections only from computers running Remote Desktop with Network Level Authentication. Click Apply and OK.
Step 7 – Add Azure AD user to the Remote Desktop Users Group
In order to successfully RDP to a VM using Azure AD credentials, you must add the Azure AD user to the Remote Desktop Users group on the VM.
Use the local account to sign in to the Azure VM and perform the steps below. You should have ready the user account that you want to grant access to the Azure VM.
To add the Azure AD user to remote desktop users group on the Azure VM, run the below command. Replace the UPN attribute with the Azure AD user. The account should be in
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
Run Command Prompt as administrator and enter the above command. You should see a message that the command completed successfully.
You can confirm if the Azure AD user has been added to the VM by running the below PowerShell command.
Get-LocalGroupMember -Name "Remote Desktop users"
As you can see, we have successfully added the Azure AD user to the Remote Desktop Users group. The Principal Source is Azure AD.
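The following added example (not the article’s own code) performs the on-VM checks of steps 5 to 7 from an elevated PowerShell session opened with the local account: it reads the Azure AD join state with dsregcmd, reports the Network Level Authentication setting from the registry, and adds the Azure AD user to Remote Desktop Users only if the user is not already a member. The UPN is a constructed placeholder.

```powershell
# Added example, not the article's own code: run from an elevated PowerShell on the VM
# after signing in with the local account. Covers the on-VM checks of steps 5 to 7.
# The UPN is a constructed placeholder; replace it with your user's.
$upn = 'firstname.lastname@contoso.onmicrosoft.com'

# Step 5: dsregcmd /status is the command-line equivalent of Settings > Accounts >
# Access work or school. "AzureAdJoined : YES" is what you want to see.
$joinState = (dsregcmd /status) -match '^\s*AzureAdJoined\s*:'
Write-Output ($joinState -join ' ').Trim()
if (-not ($joinState -match 'YES')) {
    Write-Warning 'VM is not Azure AD joined; the remaining steps will not help until it is.'
}

# Step 6: the "Allow connections only from computers running Remote Desktop with
# Network Level Authentication" checkbox is this registry value (1 = NLA required).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Write-Output ('Network Level Authentication required: {0}' -f ($nla -eq 1))

# Step 7: add the Azure AD user to Remote Desktop Users only if not already a member.
# Add-LocalGroupMember usually cannot resolve AzureAD\ principals, so use net localgroup
# exactly as the article does and check its exit code.
$group   = 'Remote Desktop Users'
$member  = "AzureAD\$upn"
$already = Get-LocalGroupMember -Name $group | Where-Object { $_.Name -ieq $member }
if (-not $already) {
    net localgroup $group /add $member | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
}
# Verification: the Azure AD user should now be listed with PrincipalSource AzureAD.
Get-LocalGroupMember -Name $group |
    Where-Object { $_.PrincipalSource -eq 'AzureAD' } |
    Format-Table Name, PrincipalSource, ObjectClass -AutoSize
```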
Step 8 – Modify the Azure VM RDP File
The last step before we test RDP to the Azure VM is to modify the Azure VM RDP file and add a few lines to it. Navigate to the overview page of the virtual machine on which Azure AD login has been enabled. Select Connect to open the Connect to virtual machine blade. Select Download RDP File.
Right-click the Azure VM RDP file and open it with Notepad. You can use any other text editor, but since Notepad comes installed with Windows 10, it does the job.
In Notepad, append the lines below so that the final file looks something like the following, then save the file. When you RDP to an Azure VM, it usually prompts the user to enter credentials. You can skip that prompt by putting the account details in the RDP file. Each setting is explained after the example.
full address:s:IPADDRESS:3389
prompt for credentials:i:0
authentication level:i:2
enablecredsspsupport:i:0
username:s:USERNAME@DOMAIN.onmicrosoft.com
domain:s:AzureAD
- Full Address – This is the IP address of your Azure VM. The 3389 is the Remote Desktop Protocol port.
- Prompt for credentials – Defines if you should enter credentials before you enter your session. Setting the value to 1 will prompt for credentials and value 0 will not prompt for credentials.
- Authentication level – You define the server authentication level settings here. The value 2 means if the server authentication fails, show a warning and allow connecting or refuse the connection.
- Enablecredsspsupport – This setting determines whether RDP will use the Credential Security Support Provider (CredSSP) for authentication if it is available. If you set the value to 0, RDP will not use CredSSP, even if the operating system supports it.
- Username – Specify the Azure AD user account name.
- Domain – Specify AzureAD as the domain name.
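As an added example, not the article’s own code, the function below applies the settings listed above to a downloaded .rdp file. It replaces a key the portal already wrote (the downloaded file is assumed to contain lines such as prompt for credentials:i:1) rather than appending a second, conflicting line. The file path and UPN are placeholders.

```powershell
# Added example, not the article's own code: sets the RDP file settings from the article,
# replacing an existing key (e.g. "prompt for credentials:i:1") instead of duplicating it.
# Assumes the usual .rdp layout of one "name:type:value" per line. Path and UPN are placeholders.
function Set-RdpSetting {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Settings   # key -> 'type:value', e.g. 'i:0'
    )
    $lines = @(Get-Content -LiteralPath $Path)
    foreach ($key in $Settings.Keys) {
        $new = '{0}:{1}' -f $key, $Settings[$key]
        # match on the key name only, whatever type (s/i) and value the file currently has
        $pattern  = '^' + [regex]::Escape($key) + ':[is]:'
        $replaced = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) { $lines[$i] = $new; $replaced = $true; break }
        }
        if (-not $replaced) { $lines += $new }
    }
    Set-Content -LiteralPath $Path -Value $lines
    return $lines   # the resulting file content, for review
}

Set-RdpSetting -Path "$env:USERPROFILE\Downloads\PLACEHOLDER-VM.rdp" -Settings @{
    'prompt for credentials' = 'i:0'
    'authentication level'   = 'i:2'
    'enablecredsspsupport'   = 'i:0'
    'username'               = 's:USERNAME@DOMAIN.onmicrosoft.com'
    'domain'                 = 's:AzureAD'
}
```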
After you have performed all the steps, let’s check whether we can RDP to the VM using Azure AD credentials now. Double-click the Azure VM RDP file and enter the credentials.
I want to cover something important here. Even after following all the steps, some of us will still overlook this simple fact. If you enter only the Azure AD user account without the domain on the login screen, you will never get into the VM. You will see the message The username or password is incorrect. Try again.
The correct way to log in to the Azure VM is by prefixing AzureAD as the domain. You must enter the username as AzureAD\firstname.lastname@example.org. Now you should be able to log in to the Azure VM.