The sign-in method is not allowed Azure Virtual Desktop

The case of the... The Sign-in method you're using isn't allowed

Tags: Azure AD, Intune, The case of the..., Conditional Access
2021-03-29 · 544 words · 3 minutes

In this category I publish blog posts explaining a problem and its solution, but more importantly the analysis that led to the root cause.

The name is a homage to “The Case of the Unexplained” from Mark Russinovich.

Cannot login into Windows VM using AzureAD identity

Please help me get AzureAD connection in my Windows vm.
When I try to RDP into my Windows machine using my AzureAD login rather than admin login I set up for the machine, I get "login failed".
I added AzureAD login to the list of remote desktop users, ie
net localgroup "Remote Desktop Users" "AzureAD\" /add
Network-level authentication is NOT required
but when I RDP and Windows then prompts me for login, after I enter details, the message is:
"This sign in method is not allowed,... "

Many thanks,
Sergei


amanpreetsingh-msft answered May 18, '21 | SergeiVeinberg-1573 commented May 18, '21

Hi @SergeiVeinberg-1573 · Thank you for sharing the required information. In your case MFA must be required due to Security Defaults. Please set it to NO in your Azure AD properties, to disable MFA.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




SergeiVeinberg-1573 · May 18, 2021 at 06:49 AM

Thanks @amanpreetsingh-msft - this worked!

amanpreetsingh-msft answered May 17, '21 | SergeiVeinberg-1573 commented May 18, '21

Hi @SergeiVeinberg-1573 · Thank you for reaching out.

If you have configured a Conditional Access policy that requires multi-factor authentication [MFA] before you can access the resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the error below.

If you have not deployed Windows Hello for Business and that is not an option for now, you can exclude the MFA requirement by configuring a Conditional Access policy that excludes the "Azure Windows VM Sign-In" app from the list of cloud apps that require MFA. If MFA is enabled on a per-user basis via the MFA portal, you need to disable MFA for the user account.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



SergeiVeinberg-1573 · May 18, 2021 at 05:16 AM

Hi @amanpreetsingh-msft
Thanks for replying to my query. The problem is, I did not specify MFA and/or Conditional Access.
I am on a "Free Trial" subscription and I don't seem to have an option to configure Conditional Access.
Is there something I am missing?

SergeiVeinberg-1573 answered May 17, '21 | amanpreetsingh-msft converted comment to answer May 18, '21

Thanks Amanpreet,
I don't recall setting up Conditional Access and in my Active Directory the MFA is disabled for all users.
However, when I tried to log in in the morning, Azure made me set up MS Authenticator, so maybe it has MFA enabled somewhere...
I am on a "Free Trial" subscription and I don't seem to have an option to configure Conditional Access.
Is there something I am missing?






MahmoudAtallah answered Nov 14, '21

If you have configured a Conditional Access policy that requires multi-factor authentication [MFA] before you can access the resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the previous error.

Unable to sign into Windows Virtual Desktop session - Error: Sign in failed. Please check your username and password and try again.

Hi All,

Goal: Setup a cloud environment that allows cloud users to be able to log into the Windows Virtual Desktop

Context:
I have signed up for the 90-day trial of the Azure AD Premium P2 license, which also supplies the Microsoft 365 E5 Developer license [without Windows and Audio Conferencing].
Also, using my admin account created within the trial tenant, I have signed up for the 12 months of free services with USD 200 credit.

I have configured Azure AD DS [no errors when provisioned] and kept the default domain name. I have set up the Windows Virtual Desktop following the set-up wizard.

Issue:
I have successfully signed into my workspace using a cloud user credential via the web client [//rdweb.wvd.microsoft.com/arm/webclient]. When attempting to launch the session desktop, it prompts me to re-enter my credentials and then returns a sign-in error [see attached image].

Troubleshooting steps taken:
  • Updated my cloud user password after AAD DS was created
  • Created a new cloud user
  • Recreated the host pool (multi-session)


If anyone could provide some assistance, it would be much appreciated.



vipullag-MSFT · Aug 26, 2021 at 06:25 AM

@Ice-9041

Wanted to check a few things here based on the issue description.

Firstly, have you enabled the diagnostics on the service or enabled the tracing in the browser client to identify further info?
Are you using the UPN or sAMAccountName?
Assuming cloud only identity, after the password reset I assume you have waited 15min for the password hash to sync?

Are the VMs properly joined to the AAD DS domain?
Are the users synced to AAD DS?

Ice-9041 vipullag-MSFT · Aug 26, 2021 at 11:28 PM

Hi @vipullag-MSFT

The issue is now resolved as I have just re-created the VM Host pool [not sure what exactly was the problem].

To answer your questions:

Yes, I have enabled diagnostics and it didn't really provide much regarding sign in issues.

I am using the UPN to sign in

I have reset the password and waited 20 or so minutes.

The VM is joined to the AAD DS domain, as I checked by utilising the run commands, and users are synced to AAD DS.

Ice-9041 Ice-9041 · Aug 27, 2021 at 02:44 AM

Correction, so previously it was working and then I shutdown the VM to save spend.

2 hours later, I start up the VM and now I cannot login again. Receiving same error message as per image attached.

kgahbiche · Oct 05, 2021 at 09:19 AM

@Ice-9041 ,
I had the same issue, and it was intermittent. After checking with Microsoft Support, here's what should be done:

1- The user should be granted the Virtual Machine User Login or Virtual Machine Administrator Login role. : DONE
2- If using the web, Android, macOS, and iOS clients, you must add targetisaadjoined:i:1 as an RDP property to the host pool. : DONE
3- Per-user MFA is not supported in AAD-joined AVD; you must disable the legacy per-user multifactor authentication. THAT'S WHAT WAS MISSING

I connected to the Microsoft 365 admin center and disabled per-user MFA [you can run a PowerShell script as well]; after that, all tested users successfully connected to the VM.

You can check this post : //docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required

Hope this helps you.

Ice-9041 answered Aug 27, '21

Just an update I believe this is what resolved the problem.

I had to enable the PKU2U local policy on both client and VM.

See //docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities for more details.
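The settings the two threads above turned on and off (the PKU2U policy from this answer, the NLA setting from the first question, and the Azure AD join state) can be verified locally in one pass. This is an added example, not code from the threads or from Microsoft; it assumes the registry values that back those policies (AllowOnlineID under Lsa\pku2u and UserAuthentication under the RDP-Tcp listener) and runs in an elevated PowerShell on both the session host and the connecting client:

```powershell
# Added example (not from the thread): local readiness check for Azure AD RDP sign-in.
# Run in an elevated PowerShell on the session host / VM and on the connecting client.
# The registry locations are assumed to be the backing values of the policies discussed above.
function Test-AadRdpReadiness {
    [CmdletBinding()]
    param()

    # "Network security: Allow PKU2U authentication requests to this computer to use
    # online identities" is stored as AllowOnlineID under Lsa\pku2u (1 = enabled).
    $pku2uKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $pku2u = Get-ItemProperty -Path $pku2uKey -Name AllowOnlineID -ErrorAction SilentlyContinue
    $pku2uOk = ($null -ne $pku2u) -and ($pku2u.AllowOnlineID -eq 1)

    # NLA state of the RDP listener: UserAuthentication 1 = NLA required. A client that
    # is not itself Azure AD joined cannot pass NLA with an Azure AD account.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
    $nlaRequired = ($null -ne $nla) -and ($nla.UserAuthentication -eq 1)

    # Join state as reported by dsregcmd ("AzureAdJoined : YES" on an Azure AD joined device).
    $dsreg = & dsregcmd.exe /status 2>$null
    $joined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Pku2uOnlineIdsAllowed = $pku2uOk
        NlaRequired           = $nlaRequired
        AzureAdJoined         = $joined
    }
}

$state = Test-AadRdpReadiness
$state | Format-List

if (-not $state.Pku2uOnlineIdsAllowed) {
    Write-Warning 'PKU2U online identities are disabled; the policy must be enabled on both client and VM.'
}
if ($state.NlaRequired) {
    Write-Warning 'NLA is required on this RDP listener; clients that are not Azure AD joined cannot sign in with an Azure AD account.'
}
```

Run it on the VM first, then on the client, and compare the two outputs; the NLA warning only matters on the VM side.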


Connections to Azure AD-joined VMs

  • Article
  • 12/05/2021
  • 4 minutes to read
  • 3 contributors


Important

This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects.

Use this article to resolve issues with connections to Azure Active Directory [Azure AD]-joined VMs in Azure Virtual Desktop.

Login to Windows virtual machine in Azure using Azure Active Directory authentication

  • Article
  • 02/18/2022
  • 19 minutes to read
  • 25 contributors


Organizations can now improve the security of Windows virtual machines [VMs] in Azure by integrating with Azure Active Directory [AD] authentication. You can now use Azure AD as a core authentication platform to RDP into Windows Server 2019 Datacenter edition and later or Windows 10 1809 and later. Additionally, you will be able to centrally control and enforce Azure RBAC and Conditional Access policies that allow or deny access to the VMs. This article shows you how to create and configure a Windows VM and log in with Azure AD-based authentication.

There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure, including:

  • Use your corporate AD credentials to log in to Windows VMs in Azure.
  • Reduce your reliance on local administrator accounts; you do not need to worry about credential loss or theft, users configuring weak credentials, etc.
  • Password complexity and password lifetime policies configured for your Azure AD directory help secure Windows VMs as well.
  • With Azure role-based access control [Azure RBAC], specify who can log in to a VM as a regular user or with administrator privileges. When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate. When employees leave your organization and their user account is disabled or removed from Azure AD, they no longer have access to your resources.
  • With Conditional Access, configure policies to require multi-factor authentication and other signals, such as low user and sign-in risk, before you can RDP to Windows VMs.
  • Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of non-approved local accounts on the VMs.
  • Azure AD login to Windows VMs also works for customers that use Federation Services.
  • Automate and scale Azure AD join, with MDM auto-enrollment in Intune, for Azure Windows VMs that are part of your VDI deployments. Auto MDM enrollment requires an Azure AD P1 license. Windows Server 2019 VMs do not support MDM enrollment.

Note

Once you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join them to another domain, such as on-premises AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by uninstalling the extension.

Introduction

Deployment of Windows VMs in Azure is common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, when you create Windows virtual machines [VMs] in Azure, you add local administrator accounts to log in to these VMs and it becomes difficult to manage these accounts as people join or leave teams.

To make things simple people often follow the risky practice of sharing admin account passwords among big groups of people. This makes it very hard to protect your production Windows VMs and collaborate with your team when using shared Windows VMs.

By the end of 2019, Microsoft announced that you can now use Azure AD authentication to connect to Windows VMs in Azure. In this article, we will share with you our experience of how to set up and log in with Remote Desktop [RDP] to a Windows virtual machine deployed in Azure using Azure Active Directory [AAD].

Requirements:

  1. Azure AD P1 – Needed for conditional access
  2. Knowledge of Azure
  3. RBAC – Security Administrator
  4. Have set up Azure Virtual Desktop in the tenant, or the app will not show in the conditional access policy setup

1 Gotcha:

Make sure you do not have a per-user MFA set up on the user who will be accessing the virtual desktop; use conditional access policy instead. Per-user MFA is not supported, and if you have this on, you will not be able to log into your Virtual Desktop; see troubleshooting screenshots. When per user MFA is turned on, the sign-on logs do not report an entry, making it hard to troubleshoot the issue.

Turn off per user MFA

To turn off per-user MFA for the users using Azure Virtual Desktop:

Go to //portal.azure.com

  • Open Azure Active Directory
  • Click on users
  • Click on Per-user MFA

Or use this URL //account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

Find the user who will be logging into Azure Virtual Desktop

Ensure it is set to Disabled. If not, disable it.
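The portal procedure above, and the PowerShell route kgahbiche mentions in the Q&A thread, can be turned into an audit so that per-user MFA is caught before it produces the sign-in error. This is an added example, not the author's script; it assumes the legacy MSOnline module, an existing Connect-MsolService session, and a placeholder group name 'AVD-Users' for the users who sign in to Azure Virtual Desktop:

```powershell
# Added example (not the blog's own script): audit legacy per-user MFA, which breaks
# Azure AD sign-in to AVD session hosts. Assumes the MSOnline module is installed;
# the group name 'AVD-Users' is a placeholder for your own AVD users group.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    param([string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn
        # StrongAuthenticationRequirements is empty when per-user MFA is Disabled;
        # otherwise its State is 'Enabled' or 'Enforced'.
        $state = if ($user.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
                 else { $user.StrongAuthenticationRequirements[0].State }
        [pscustomobject]@{ UserPrincipalName = $upn; PerUserMfa = $state }
    }
}

function Disable-PerUserMfa {
    param([string]$UserPrincipalName)
    # Clearing the requirement list turns legacy per-user MFA off. Keep MFA enforced
    # through a Conditional Access policy instead, as the article recommends.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Resolve the (placeholder) AVD users group and report the MFA state of each member
$avdGroup = Get-MsolGroup -SearchString 'AVD-Users' | Select-Object -First 1
$members  = Get-MsolGroupMember -GroupObjectId $avdGroup.ObjectId -All
$report   = Get-PerUserMfaState -UserPrincipalName $members.EmailAddress
$report | Format-Table -AutoSize

# These users will hit "the sign-in method you're trying to use isn't allowed"
$report | Where-Object PerUserMfa -ne 'Disabled' | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName): per-user MFA is $($_.PerUserMfa)"
    # Uncomment once a Conditional Access policy covers these users:
    # Disable-PerUserMfa -UserPrincipalName $_.UserPrincipalName
}
```

Because the blog notes that the sign-in logs show nothing when per-user MFA is on, this report is the quickest way to confirm the cause for a specific user.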
