Issues logging into the Azure VM using our Entra IDs

Admin User 0 Reputation points
2025-03-03T20:00:39.49+00:00

We ended up deleting our Microsoft Entra Domain Services domain and shortly realized that we were facing issues. We could not connect to a VM for which we were actually using our Entra IDs. Since we were dead in the water, I went ahead and recreated our Microsoft Entra Domain Services domain. However, we are still having issues logging into the Azure VM using our Entra IDs. To me this seems to be a messed-up RDS licensing issue. I am able to log in with a local account.

In Event Viewer --> Applications and Services Logs --> Microsoft --> Windows --> Terminal Services-Licensing --> Admin, I have the following error. I suspect that is the issue.

The Remote Desktop license server could not be registered as a service connection point in Active Directory Domain Services (AD DS). Ensure that there is network connectivity between the license server and AD DS. To register the license server as a service connection point in AD DS, use Review Configuration in the RD Licensing Manager tool.

When logging in with the Entra ID username and password, I get the error "The user name or password is incorrect. Try again."

Any suggestions?


2 answers

  1. Venkata Jagadeep 255 Reputation points Microsoft External Staff
    2025-03-03T21:23:53.18+00:00

    Hello Admin User,

    Thank you for posting your query on Microsoft Q&A.

    We understand that you are not able to log in to the Azure VM with Entra ID credentials after re-creating Domain Services in the cloud, but are able to log in with the local credentials of the VM.

    Please find below the prerequisites for the VM to be able to log in with Entra credentials.

    Network requirements

    To enable Microsoft Entra authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443.

    Azure Global:

    - https://enterpriseregistration.windows.net: For device registration.
    - http://169.254.169.254: Azure Instance Metadata Service endpoint.
    - https://login.microsoftonline.com: For authentication flows.
    - https://pas.windows.net: For Azure RBAC flows.

    Authentication requirements

    Microsoft Entra Guest accounts can't connect to Azure VMs or Azure Bastion enabled VMs via Microsoft Entra authentication.

    You need to assign one of the following Azure roles to determine who can sign in to the VM:

    - Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
    - Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.

    If you are creating a Windows VM through Azure portal, please make sure to enable the Microsoft Entra login option for the VM by following the below mentioned steps.

    On the Management tab, select the Login with Microsoft Entra ID checkbox in the Microsoft Entra ID section.

    Please refer to the screenshot below for your reference.

    [Screenshot: azure-portal-login-with-azure-ad]

    Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Microsoft Entra ID.

    Note

    If the legacy Per-user MFA is Enabled/Enforced for your user account, please make sure to disable the Per-User MFA by following the below mentioned steps.

    To change the per-user Microsoft Entra multifactor authentication state for a user, complete the following steps:

    Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

    1. Browse to Identity > Users > All users.
    2. Select a user account, and then select Per-user MFA.
    3. Search for the affected user and check the Per-user MFA status. If it is enabled, please select Disable MFA.

    Finally, install the Microsoft Entra login VM extension to enable Microsoft Entra login for Windows VMs.

    You can install the AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Microsoft Entra authentication.

    The following example uses the Azure CLI to install the extension:

    ```
    az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group myResourceGroup --vm-name myVM
    ```

    Please refer to the document below:

    https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
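
The prerequisites listed in the answer above (login extension, system-assigned identity, VM login roles) can be checked read-only from the Azure CLI. This is an added example, not part of the original thread; it assumes a signed-in `az` session and that the extension was installed under the name `AADLoginForWindows` as in the answer's command, and the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer: read-only audit of the
# Entra-login prerequisites the answer lists, for one Windows VM.
# Usage: sh check-entra-login.sh <resource-group> <vm-name>  (hypothetical name)

check_entra_login_prereqs() {
  rg=$1; vm=$2; failed=0

  # Extension: AADLoginForWindows must be installed and provisioned.
  # Assumes it was installed under that resource name, as in the answer.
  ext=$(az vm extension list --resource-group "$rg" --vm-name "$vm" \
    --query "[?name=='AADLoginForWindows'].provisioningState | [0]" -o tsv)
  if [ "$ext" = "Succeeded" ]; then
    echo "OK   AADLoginForWindows extension provisioned"
  else
    echo "FAIL AADLoginForWindows extension state: ${ext:-not installed}"
    failed=1
  fi

  # Identity: the answer asks for a system-assigned managed identity.
  ident=$(az vm identity show --resource-group "$rg" --name "$vm" \
    --query type -o tsv)
  case "$ident" in
    *SystemAssigned*) echo "OK   system-assigned managed identity enabled" ;;
    *) echo "FAIL no system-assigned managed identity"; failed=1 ;;
  esac

  # RBAC: list who holds either VM login role on the VM (or inherits it).
  vm_id=$(az vm show --resource-group "$rg" --name "$vm" --query id -o tsv)
  q="[?roleDefinitionName=='Virtual Machine Administrator Login' || roleDefinitionName=='Virtual Machine User Login'].[roleDefinitionName, principalName]"
  roles=$(az role assignment list --scope "$vm_id" --include-inherited \
    --query "$q" -o tsv)
  if [ -z "$roles" ]; then
    echo "FAIL no principal holds a VM login role on this scope"
    failed=1
  else
    # Tab-separated rows: role name, then principal name.
    echo "$roles" | while IFS="$(printf '\t')" read -r role who; do
      case "$role" in
        *Administrator*) echo "INFO admin login (review): $who" ;;
        *) echo "OK   user login: $who" ;;
      esac
    done
  fi
  return "$failed"
}

# Run only when both arguments are given.
if [ "$#" -eq 2 ]; then check_entra_login_prereqs "$1" "$2"; fi
```

The function returns non-zero if any prerequisite is missing, and it lists Administrator Login holders separately so those grants can be reviewed against who actually needs administrator rights on the VM.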


  2. Admin User 0 Reputation points
    2025-03-06T18:41:26.43+00:00

    Actually that didn't. However, I ended up un-domaining the VM and then re-domaining it. That took care of it. Also, had to change the password for it to be re-synced. I appreciate your prompt response and the follow-ups. Thanks for that!

