Microsoft Entra authentication on Windows Server

Danae Panagiotopoulou
2024-10-22T10:56:12.97+00:00

I've been trying to enforce authentication with Entra ID credentials on on-premises servers instead of local user credentials by managing the VMs using Azure Arc. It works just fine with Linux servers by adding the extension AADLoginForLinux, but the same does not seem to be possible for Windows servers. The equivalent extension AADLoginForWindows does not seem to be supported on the hybrid Azure Arc machine. I could not find any relevant documentation for it either, only for native Windows VMs. Nevertheless, I used this command: az connectedmachine extension image list --publisher Microsoft.Azure.ActiveDirectory --extension-type AADLoginForWindows --location <machinelocation> --output table. I can see the list of available versions for the extension, but when trying to install it using az connectedmachine extension create it fails. Specifically, it returns a null reference error when trying to retrieve the MDM ID.
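Added diagnostic for the question above (example code written for this page; it is not from the original post and not Microsoft's own tooling). Before retrying the az connectedmachine extension create call, it collects the three things a practitioner would want alongside the error: the server's Entra device-registration state from dsregcmd /status, the Arc agent's connection state from azcmagent show, and the provisioning state and status message Azure holds for the extension resource, read with the same az connectedmachine command group the question uses. The dsregcmd field names (AzureAdJoined, DomainJoined, TenantId, MdmUrl) are real fields of that command's output; the "Key : Value" layout assumed for azcmagent show, the azcmagent key names, and the resource-group name 'rg-arc' are assumptions to adjust. The script reports state only; it does not claim to explain the null-reference error.

```powershell
# Added example, not from the page. Run in an elevated PowerShell session on the
# Arc-enabled Windows server, with the Azure CLI installed and logged in (az login)
# for the last step.

function ConvertFrom-KeyValueLines {
    # Parse "Key : Value" lines into a hashtable keyed on the trimmed key.
    # dsregcmd /status uses this layout; azcmagent show is assumed to as well.
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # Key stops at the first colon so values containing ':' (URLs) stay intact.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Get-EntraDeviceState {
    # Device registration state as reported by the built-in dsregcmd tool.
    $s = ConvertFrom-KeyValueLines -Lines (& dsregcmd.exe /status)
    [pscustomobject]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined'] -eq 'YES')
        HybridJoined  = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
        TenantId      = $s['TenantId']
        MdmUrl        = if ([string]::IsNullOrWhiteSpace($s['MdmUrl'])) { $null } else { $s['MdmUrl'] }
    }
}

function Get-ArcAgentState {
    # azcmagent.exe ships with the Connected Machine agent. The key names below
    # ("Agent Status", "Resource Name", "Tenant ID") are assumed from its output.
    $s = ConvertFrom-KeyValueLines -Lines (& azcmagent show)
    [pscustomobject]@{
        AgentStatus  = $s['Agent Status']
        ResourceName = $s['Resource Name']
        TenantId     = $s['Tenant ID']
    }
}

function Get-ArcExtensionStatus {
    # Read the extension resource Azure holds for this machine. Returns $null when
    # no such resource exists (create never succeeded, or it was deleted).
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$MachineName,
        [string]$ExtensionName = 'AADLoginForWindows'
    )
    $raw = & az connectedmachine extension show --resource-group $ResourceGroup `
        --machine-name $MachineName --name $ExtensionName -o json 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) { return $null }
    $ext = ($raw -join "`n") | ConvertFrom-Json
    # The CLI may return the fields nested under "properties" or flattened at the
    # top level; handle both rather than assuming one shape.
    $p = if ($ext.PSObject.Properties['properties']) { $ext.properties } else { $ext }
    [pscustomobject]@{
        ProvisioningState  = $p.provisioningState
        TypeHandlerVersion = $p.typeHandlerVersion
        StatusCode         = $p.instanceView.status.code
        StatusMessage      = $p.instanceView.status.message
    }
}

# ---- gather everything in one place ----
'== Entra device state (dsregcmd) =='
Get-EntraDeviceState | Format-List
'== Arc agent state (azcmagent) =='
Get-ArcAgentState | Format-List
'== Extension resource in Azure =='
# 'rg-arc' is a placeholder resource group; the Arc resource name usually matches
# the hostname, which is what $env:COMPUTERNAME supplies here.
$ext = Get-ArcExtensionStatus -ResourceGroup 'rg-arc' -MachineName $env:COMPUTERNAME
if ($null -eq $ext) { 'No AADLoginForWindows extension resource exists for this machine.' }
else { $ext | Format-List }
```

If the extension resource exists in a Failed state, StatusMessage is where the handler's own error text (the null-reference message the question quotes) normally surfaces, which is more useful than the CLI's summary when escalating.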


Accepted answer
    Bhasker Donthu (Microsoft Vendor)
    2024-10-23T08:03:21.29+00:00

    Hello @Danae Panagiotopoulou,

    Thank you for posting your query on Microsoft Q&A.

    You are correct that the AADLoginForWindows extension is not fully supported for on-premises Windows servers managed through Azure Arc.

    Azure Arc enables you to manage on-premises and multi-cloud resources through Azure. While it supports Linux servers using the AADLoginForLinux extension, support for Windows servers is still evolving.

    Currently, the AADLoginForWindows extension is primarily designed for Azure VMs and is not yet supported for hybrid Azure Arc machines. You can find more details in the official documentation: https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions

    https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    Alternatives to Consider:

    - You can continue using Active Directory Federation Services (AD FS) or Azure AD Connect to maintain a hybrid identity setup. This allows you to enforce Entra ID-based authentication.

    - Azure Automation Hybrid Runbook Worker: This extension supports both Windows and Linux servers. It allows you to run automation tasks locally on your hybrid machines, which can help with various management and configuration tasks.

    Please find the below Azure Automation hybrid runbook worker extension and Azure Arc Enable links for your reference:

    https://techcommunity.microsoft.com/t5/azure-governance-and-management/azure-automation-hybrid-extension-support-for-azure-vms-and-arc/ba-p/2811630

    https://azure.microsoft.com/en-us/updates/azure-automation-hybrid-runbook-worker-extension-general-availability/

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
