How to fix ""the target identifier in the request was not found in the tenant" when logging to AzureVM with AAD web credentials

IWSIT admin 60

New Azure VM joined to AzureAD. Followed-default setup. When logging into the AzureVM using web access over rdp client, we get prompted for web interactive login and once authentication completes we receive the error: "the target identifier "" in the request was not found in the tenant"* "*" is the FQDN domain of the VM needed for web access over rdp. How do we resolve this? It seems that the VM's FQDN is not being recognized over web session. No issue accessing with local user login with FQDN.

Tyler Sherman 120 Reputation points

2023-04-25T01:58:06.8133333+00:00

I am having this exact same issue with my VMSS VMs. I have the System-Assigned Managed Identity enabled and the microsoft.AADLogin-Windows Extension is installed successfully. My VM appears in my Azure AD Tenant under Devices. "dsregcmd /status" shows AzureAdJoined: Yes All my Azure networking rules and local VM firewalls are configured to allow Azure AD traffic both in and out. RBAC roles for Virtual Machine Login Administrator are assigned to my user account Nothing seems to work no matter what I do. In my case, my VMSS is sitting behind a Load Balancer, but the networking part is clearly working fine, since I'm able to RDP in with the local admin creds just fine. One thing I did find interesting is that when I run a curl request to grab my access token with the following CURL command: curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01" , then decode it with [http://calebb.net/], I can see the OID actually matches an "Enterprise Application" in my Azure Tenant, rather than the Object Identifier of the VM in Azure AD. If I had to wager a guess, there's an issue on Microsoft's back end that's causing the modern auth process to check against the wrong OID.
Limitless Technology 44,496 Reputation points

2023-04-26T11:44:44.6366667+00:00

Hello there, To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure your VMs network configuration permits outbound access to the following endpoints over TCP port 443: If you are creating a new VM in Azure and you want to log in using Azure AD credentials, you must enable the Login with Azure AD option. There are two ways to enable Azure AD login for a VM in Azure: You can enable in Azure Portal while creating a VM. You can also use the Azure Cloud Shell experience when creating a Windows VM or on an existing Windows VM. Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--
Tyler Sherman 120 Reputation points

2023-04-26T15:17:33.9233333+00:00

That is not helpful. We've followed Microsoft's official documentation precisely (See document here: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows). Everything you mentioned is already detailed in this article. Furthermore, I have Network Security Group Outbound rules for TCP 443 Any/Any configured as well as matching rules on the VM's Windows Firewall. The VM appears in my Azure AD Tenant under Devices. The "AADLoginForWindows" extension is installed and shows Status: Provisioning succeeded. Our issue with target identifier errors persists.
Cicero Junior 0 Reputation points

2023-04-28T01:15:25.6533333+00:00

Me too, same issue; followed the documentation and I'm receiving the same error.
Gunnar 0 Reputation points

2023-05-02T22:18:40.39+00:00

I am also running in this same issue. Currently working with a VM that has no public IP using a auto detected FQDN with a private DNS zone and private DNS resolver and tunned into with an Azure P2S VPN. The VPN I can authenticate to without issue but attempting to use my same login with the VM results in the same error OP is getting.
IWSIT admin 60 Reputation points

2023-05-05T00:40:03.8566667+00:00

This resolved the issue. Thanks!
vipullag-MSFT 26,411 Reputation points

2023-05-05T03:19:25.7466667+00:00

Hello IWSIT admin

Thanks for confirming that the solution provided by elexpander help solve your issue.

Please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
vipullag-MSFT 26,411 Reputation points

2023-05-10T05:10:04.2066667+00:00

Hello IWSIT admin

We noticed your feedback that the above answer was not helpful.

Thank you for taking time to share feedback.
As you have mentioned in your recent comment "This resolved the issue." request you to take a resurvey.

Looking forward to your reply. Much appreciate your feedback!
Mika Mattila 0 Reputation points

2023-05-31T06:08:36.7+00:00

I wonder if anyone got this working with just private IP addresses for the VMs? I've only got it working by adding the VM's IP to etc/hosts, which is really not a very convenient way.
Piotr Karpala 0 Reputation points Microsoft Employee

2024-04-21T02:50:01.9833333+00:00

I followed all the posts in this thread an renamed my VM by adding the domain part.

The error for "not finding in domain" went away, but I'm getting this weird thing - CAA2003 OAuth2 Authorization code was already redeemed.

IMHO - this looks like a bug in mstsc.
I reinstalled it with the latest version but that didn't help
Chris Peyton 11 Reputation points

2024-05-27T04:48:16.5666667+00:00

Hi, I found an answer to my problem with this. Same Error - CAA20002 / AADSTS293004.

The server name you are logging into needs to be the same in its DNS suffix. For example, you're logging into server01.location.cloudapps.azure.com in the RDC, but the server name is set to server01 only.

In my case, the server was not on a domain, and I had to add the DNS suffix to the server name by going to Advanced system properties, Computer Name, Change, More, and add the primary DNS suffix there.

One restart later, and I'm on.

I hope this helps you.
Iain McEwen 0 Reputation points

2024-08-12T16:31:12.2233333+00:00
@Chris Peyton add DNS suffix solved it for me - makes sense and is simplest answer around !
François Dufour 0 Reputation points

2024-10-17T17:26:31.6333333+00:00

For all of those still encountering this issue, i had the same problem using Bastion. I had to rename the HOSTNAME of the machine the same as the VM name in azure for it to work. It seems azure to trying to log you in the machine using the VM name and can't find it.

6 answers

Tyler Sherman 120 Reputation points

2023-05-05T17:19:32.5+00:00
After weeks of troubleshooting, I found a solution for this issue. Below are my steps to resolve the issue.

Add an A-Record on my company domain registrar's DNS, such that the Azure VM's name is a sub-domain of our public-facing domain. In our case, the record name reads as "[VM's hostname].[my company's domain name]". The record value is the Azure VM's public IP (or load balancer's public IP if using an Azure LB).

(Optional, depends on if you use hybrid Azure AD like we do) Log into our on-prem/local DNS host and add a forward lookup zone for the new sub-domain added in step 1 and create an A-Record there that points to the Azure VM's public IP.

Log into the Azure VM using local admin credentials, then set the system-wide "Primary DNS Suffix" to equal the public-facing domain (I.E., "contoso.com") and reboot the server. Below are three different ways to make this change happen:

Navigate to Advanced System Settings/System Properties > Computer Name tab > click the "Change" button to rename the computer > Click "More..." under the existing computer name > type in your public-facing domain and click OK > Save and reboot.

On the Azure VM, open the Registry Editor and navigate to this path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters > Adjust value for "NV Domain" to your public-facing domain > Save and reboot.

On the Azure VM, open an elevated Powershell session and run this command (be sure to replace "contoso.com" with your public-facing domain: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name 'Domain' -Value 'contoso.com'

After completing the above steps, I am now able to RDP into the VM using the "Use a web account to sign in to the remote computer" option checked in mstsc.exe. For the Computer Name, I simply type the, "sub-domain.public domain name" hostname we created with DNS records earlier.

I'm shocked that none of this is included anywhere in Microsoft's documentation.
Please sign in to rate this answer.

22 people found this answer helpful.
vipullag-MSFT 26,411 Reputation points

2023-05-08T06:08:46.68+00:00

Hello Tyler Sherman

Thanks for sharing the resolution for the benefit of community.

Jason Holloway 25 Reputation points

2023-05-24T17:48:24.1+00:00

I've signed up especially to thank you for adding this - thank you! This really, really needs to be better covered in the official docs - the "out of box experience" here is terrible and will be scaring many people away from using this feature

Serge Tche 0 Reputation points

2023-07-14T11:57:14.8166667+00:00

Tyler Sherman's advice on adding DNS suffix was very helpful and solved this error on one of my VMs. On the other one I was still getting it ("the target identifier ... in the request was not found in the tenant") even after adding the correct DNS suffix. I was able to solve it by disconnecting the VM from AAD, removing everything from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments, and then joining the VM back to AAD.

I'd like to note that we clear the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments on our computers rather often. In our company, we just recently switched from traditional AD domain on-premises to AAD joined/registered model with Intune and conditional access. Now we are on a hybrid configuration: we still have AD domain on-premises, but almost all our users have already been disconnected from AD and joined/registered to AAD instead. When we disconnect laptops from AD and connect to AAD, we often have weird problems, like: a device shows up in AAD but doesn't show up in Intune/Endpoint; a device is showing up everywhere but policies never applied, and so on. The root cause are artifacts from old/other/incomplete enrollments in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments. When you delete the contents of this key, the device forgets all enrollments and you can join it anywhere from scratch. I'd still recommend to disconnect the device from AD/AAD before cleaning the key, otherwise you'll need to manually delete computer account from AD/AAD.

My current configuration is:

Both VMs are Windows 10 Enterprise AAD joined, self-hosted (not in Azure!), with all the latest updates. Updates are very important as Microsoft implemented this functionality (connecting via RDP to AAD joined machines from non-AAD joined machines using AAD account) just recently.

My working computer from which I connect to VMs is Windows Server 2022 21H2, also with all recent updates, AD joined (didn't yet try other variants like stand-alone computers).

"Advanced->Use a web account to sign in to the remote computer" option has been enabled in my RDP client.

As Tyler Sherman said, DNS suffixes bust be correct. Use only FQDN names in your RDP client, IPs will never work. For example, if you connect to HOST.DOMAIN.COM, then HOST must be the name of your remote computer, and DOMAIN.COM must be its DNS suffix.

When I connect to the remote machines via RDP, I see standard web login window where I fill out my user name at first, then password on next window, then request for MFA - exactly what we see when we log in to any Office 365 application.

Michael Henry 10 Reputation points

2023-08-23T21:35:48.0333333+00:00

THANK YOU!!! I had already added the public DNS record but did not add the DNS suffix to the virtual machine. Adding that did the trick!

Xandven 0 Reputation points

2023-08-24T10:17:51.9133333+00:00

With a hybrid joined VM i added a DNS Label to the public IP address of the VM. Then I followed step 3a above and added [location].cloudapp.azure.com in "Primary DNS Suffix of this computer". This is quite handy for testing as it does not require a separate domain name or dns.

Michichael 0 Reputation points

2023-08-29T00:19:40.51+00:00

This is 100% the solution and I agree, it's shameful that these pre-reqs are not clearly explained in the documentation. I've opened an issue on their feedback page to suggest that they address it.

https://github.com/MicrosoftDocs/azure-docs/issues/114042

Mathias Sundman 30 Reputation points

2023-10-01T20:17:14.9666667+00:00

I'm struggeling with the same problem with AAD-joined Win2022-servers in Azure that I want to RDP to using AAD web-based auth. If I change the Primary DNS suffix manually under System Properties, it works. But if change "Domain" or both "Domain" and "NV Domain" in the registry and reboot, it shows the correct suffix in the UI, but I still get the same CAA20002 error when connecting. It seems to me like Windows or the AADLoginExtension is doing something more than updating the registry when the prefix is changed through the UI.

I also tried on a server to reg-change, reboot, no go. Then opened the System properties, changed the DNS suffix to something else, saved (but no reboot), changed it back to correct, saved and reboot - Again problem solved.

My problem is that I need to automate this process for deployment of new servers through Bicep templates and were hoping a scriptExtension that changed the reg though PS would do the trick, but so far no luck.

Anyone else have this working through the registry on Win2022 (AzureAD only-joined servers in Azure)?

Milan Kiss 1 Reputation point

2023-12-08T09:39:01.6733333+00:00

Exactly my problem too. I am using Intune policy to set up Primary DNS Suffix to the correct value, but this is not reflected on the GUI, and I have to manually readd it.

AlasdairCS 0 Reputation points

2024-04-04T10:54:33.53+00:00

This! Spot on - worked like a charm, thank you sir!

Tilo 16 Reputation points

2024-11-28T20:37:01.23+00:00

did you also run this Win Scheduled Task?
\Microsoft\Windows\Workplace Join\Device-Sync
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
eLeX 31 Reputation points

2023-05-04T16:34:50.72+00:00
IP address or computer DNS name will not work.

The computer name in mstsc needs to exactly match the computer name in Azure AD.

There are 2 ways to workaround this:

You add a DNS record to your corporate domain.

You add an entry to your hosts file: c:\windows\system32\drivers\etc\hosts

azure.computer.ip.address azurecomputername
Please sign in to rate this answer.

6 people found this answer helpful.
Kenneth Benjamin 0 Reputation points

2023-05-05T11:14:32.5366667+00:00

So far as I can tell, you should be using just the hostname, not the FQDN to connect.

Now, if you're in Azure Gov, there is a secondary problem related to the "Use web account" option. I can get past the initial issue but then run into this error:

Server message: AADSTS900384: JWT token failed signature validation [Reason - The key was not found
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Kari Halinen - ITC 5 Reputation points

2024-06-29T11:29:54.91+00:00
I was having this issue when connecting from remote network (home office) to a AzureAD joined Windows 11 Pro VM using a AzureAD joined Windows 11 Enterprise laptop (joined to a different Azure tenant). The VM is hosted in the public MS Azure cloud "North Europe (Zone 1)".

For me the solution required these steps:

Turn on the Azure RBAC as documented here if not already on. In my case this was off.

Configure the Azure role "Virtual Machine User Login" for the user. Note: as a security measure assign the minimum rights needed.

Add an entry ip-address hostname (with the same hostname as in the Azure VM Computer Name) in the HOSTS file which makes possible connecting with the hostname, not FQDN.

Turn on the Advanced -> Use web account option (equivalent to the enablerdsaadauth:i:1 property in the RDP file).

Add the targetisaadjoined:i:1 property in the RDP file.

Connect to the Remote Desktop using the username "AzureAD\user@domain" in the RDP client.

In the M365 login popup window choose "sign in with a different account" and enter the credentials "user@domain" (without "AzureAD" in the beginning).
Please sign in to rate this answer.

1 person found this answer helpful.
Kari Halinen - ITC 5 Reputation points

2024-06-29T13:19:12.2333333+00:00

The reason I chose not to use Bastion when connecting was the browser UI. Traditional RDP is just smoother to use IMHO.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Olle Johansson 0 Reputation points

2023-05-05T06:32:33.36+00:00
Settings up a custom DNS record or manually editing you hosts file can not be the expected solution to this problem? Its not even documented in the documentation (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows).

I did however find a viable solution using Basition that seems to work. Bastion should anyhow be a more secure and reliable solutions.

Setup Bastion on the vnet using Standard tier and enable Native client support.

Setup a vm using the guide above and make sure its connected to the bastion vnet.

Connect using az network bastion rdp as follows:

az login az account set --subscription <my subscription name> az network bastion rdp --name "<bastion name>" --resource-group "<resource group>" --target-resource-id "/subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<vm name>" --enable-mfa

The last option: enable-mfa is important if you want the web based login window that enables MFA.

But I can not believe this is the only answer. I really think it should work out of the box somehow, even without Bastion or changing DNS record in external system.
Please sign in to rate this answer.
eLeX 31 Reputation points

2023-05-05T07:54:02.9233333+00:00

I'm also a bit disappointed about that but according to doc:

IP address cannot be used when Use a web account to sign in to the remote computer option is used. The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.

Also, this method works with NLA enabled, other methods ask you to disable this security feature.

And also, because it's a web based login, it supports MFA even with third party authenticators.

carlintveld 26 Reputation points

2023-08-23T14:00:15.1333333+00:00

I believe windows system names are limited to 15 characters and regularly different from the azure virtual machine resource name. Currently when I try to run with az network bastion rdp --enable-mfa I am getting AADSTS293004: The target-device identifier in the request my-virtual-machine-resource-name was not found in the tenant <redacted>

It seems that az cli or Bastion erroneously uses the virtual machine resource name as the windows system name.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Kenneth Benjamin 0 Reputation points

2023-05-05T11:50:04.2433333+00:00
We're having this issue going VM to VM inside the same vNet (AVD to another VM). What worked for me (in Azure Government) was:

Only connect via hostname, not FQDN, e.g. myvm, not myvm.internal.cloudapp.net

Turn off the Advanced -> Use web account option (this removes the enablerdsaadauth:i:1 property. This property is in preview. It doesn't appear to work in Azure Gov, I suspect because it gets a JWT that is for the commercial cloud, not Azure Gov. If someone can test this in commercial cloud, that would be good.

Edit the RDP file with a text editor and add the targetisaadjoined:i:1 property.

User credentials work with either user@domain.tld or AzureAD\user@domain.tld but I suggest using the 1st one since that's the only format that works with enablerdsaadauth.

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to fix ""the target identifier in the request was not found in the tenant" when logging to AzureVM with AAD web credentials

6 answers

Your answer