Authentication using Entra ID for VM by using Bastion not working

ChetanJavir-3158 25 Reputation points
2025-05-03T17:15:16.6533333+00:00

Hello,

I was testing the implementation of authentication using Entra ID for an Azure virtual machine. I have followed these steps:

- The user has the role Virtual Machine Administrator Login.
- Installed the AADLoginForWindows extension on the VM while creating the Azure VM: Management -> (a) Identity check box -> Enable system assigned managed identity; (b) Microsoft Entra ID check box -> Login with Microsoft Entra ID.
- Verified after deployment that the VM can be seen in Entra ID -> Devices -> All devices as "Microsoft Entra joined"; also checked the device state with dsregcmd /status: Azure AD joined.
- Created Bastion within the virtual network where the VM is deployed. For Bastion, the available authentication methods are only "VM password" and "Password from Azure Key Vault".
- Also associated a public IP with the VM NIC to test over RDP. Entered the username as AzureAD\UPN, but that also did not work: when logging in with the Entra ID credentials I got the error "your credentials did not work".
- Later, after logging in with the VM password, I found errors in Event Viewer for the failed RDP login attempts with the Entra credentials: Status 0xc000006d (invalid credentials) and Sub-status 0xc0000064 (user does not exist).
- Also checked and verified the extension logs for anything missing; the extension logs are fine.

Can anyone help with this? Your help will be really appreciated!

Followed reference -
https://learn.microsoft.com/en-us/training/modules/implement-hybrid-identity-windows-server/07-enable-azure-active-directory-login
https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows
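The two codes the post pulled out of Event Viewer are standard NTSTATUS values carried in Security event 4625: Status 0xC000006D is STATUS_LOGON_FAILURE and Sub-status 0xC0000064 is STATUS_NO_SUCH_USER, meaning the VM could not resolve the account name it was handed, not that the password was wrong. The script below is an added example (not part of the original post) that does the same triage in one pass on the VM: it reads the join state from dsregcmd and decodes the Status/Sub-status of every RDP (LogonType 10) logon failure from the last hour. It is meant to be run in an elevated PowerShell session on the target Windows VM; the NTSTATUS table covers only the well-known values, anything else is printed raw.

```powershell
# Added example (not from the original post). Run elevated on the target Windows VM
# after a failed AzureAD\<UPN> sign-in attempt.

# 1. Join state, as reported by dsregcmd (the post checked this by hand).
$ds = dsregcmd /status
$joined = [bool]($ds | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
"AzureAdJoined: $joined"

# 2. Well-known NTSTATUS values that appear in the Status / SubStatus fields of event 4625.
$ntstatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (generic bad user name or password)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (account name could not be resolved on this machine)'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED (missing "Allow log on through Remote Desktop Services")'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}
function Get-NtStatusText([string]$code) {
    $key = $code.ToLower()
    if ($ntstatus.ContainsKey($key)) { "$code $($ntstatus[$key])" } else { $code }
}

# 3. Failed logons (event 4625) from the last hour, restricted to RDP (LogonType 10).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # The rendered message hides the raw fields; the event XML carries them as <Data Name="...">.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data['LogonType'] -ne '10') { continue }   # 10 = RemoteInteractive (RDP)
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Source    = $data['IpAddress']      # Bastion's private IP when the attempt came through Bastion
        Status    = Get-NtStatusText $data['Status']
        SubStatus = Get-NtStatusText $data['SubStatus']
    }
}
```

Reading the output: a row whose User column shows AzureAD\<UPN> together with STATUS_NO_SUCH_USER tells you the credentials never reached an Entra ID validation step at all; a STATUS_WRONG_PASSWORD or STATUS_LOGON_TYPE_NOT_GRANTED sub-status would point at a different problem (password, or the RDP logon right the login extension is supposed to grant through the role assignment).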


1 answer

  1. Chiugo Okpala 1,195 Reputation points MVP
    2025-05-03T22:20:02.11+00:00

    @ChetanJavir-3158 welcome to the Microsoft Q&A community.

    It sounds like you've followed all the necessary steps, but authentication using Entra ID for your Azure VM via Bastion is still failing. Based on similar cases, here are a few things you might want to check:

    1. **Ensure VM OS compatibility** – Your Azure VM should be running Windows 10 version 20H2 or later, Windows 11, or Windows Server 2022 with the October 2022 Cumulative Update or later.

    2. **Verify client machine requirements** – The Windows client machine you're using for RDP should be Microsoft Entra registered, joined, or hybrid joined to the same directory as the VM.

    3. **Check role assignments** – You mentioned that the user has the Virtual Machine Administrator Login role, but also ensure that the user has the Virtual Machine User Login role assigned.

    4. **Use the correct login format** – When logging in via RDP, ensure you're using the correct format:
       - For Windows 10 or later PCs: `AzureAD\UPN`
       - For Windows Server: `******@domain.com`

    5. **Enable native client support for Bastion** – Some users have reported that enabling native client support when deploying Bastion resolved their authentication issues.

    6. **Check Bastion permissions** – Ensure that the user has the Reader role assigned on:
       - the virtual machine
       - the NIC with the private IP of the VM
       - the Azure Bastion resource
       - the virtual network of the target VM (if Bastion is deployed in a peered virtual network)

    7. **Review Kerberos authentication** – If applicable, check whether Kerberos authentication is correctly configured for Bastion.
                  
    

    You might also find additional troubleshooting steps in Microsoft's official documentation and this discussion on Microsoft Q&A.

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    Also, if this answers your query, please click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

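The control-plane half of that checklist (extension present, managed identity enabled, login roles on the VM, Reader on the VM, NIC, Bastion host and VNet) can be verified from one Az PowerShell session instead of clicking through four blades. The script below is an added example, not code from the answer or from Microsoft; it needs the Az.Accounts, Az.Compute, Az.Network and Az.Resources modules, a Connect-AzAccount session that is allowed to read role assignments, and all resource names in it are hypothetical placeholders to replace with your own. It reports effective assignments at each scope, so roles inherited from the resource group or subscription, and roles granted through group membership, are counted too.

```powershell
# Added example (not from the answer above). Requires Connect-AzAccount first.
# All names below are hypothetical placeholders.
$rg        = 'rg-entra-login'
$vmName    = 'vm-win-01'
$bastionRg = 'rg-entra-login'      # Bastion may live in a peered hub VNet's resource group
$bastion   = 'bas-hub'
$upn       = 'alice@contoso.com'

# 1. The AADLoginForWindows extension must exist and be provisioned.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AADLoginForWindows' -ErrorAction SilentlyContinue
if ($ext) { "Extension $($ext.Publisher)/$($ext.ExtensionType) $($ext.TypeHandlerVersion): $($ext.ProvisioningState)" }
else      { Write-Warning "AADLoginForWindows is not installed on $vmName" }

# 2. A system-assigned managed identity is required for the extension to join the device.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
"Managed identity: $($vm.Identity.Type)"

# 3. Scopes the answer lists for Reader: the VM, its NIC, the Bastion host and the VM's VNet.
$nic    = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$bas    = Get-AzBastion -ResourceGroupName $bastionRg -Name $bastion
$vnetId = ($nic.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]   # strip the subnet suffix
$scopes = [ordered]@{ VM = $vm.Id; NIC = $nic.Id; Bastion = $bas.Id; VNet = $vnetId }

# 4. Effective assignments for the user at each scope (inherited and group-based ones included).
$wanted = 'Virtual Machine Administrator Login', 'Virtual Machine User Login', 'Reader'
foreach ($name in $scopes.Keys) {
    $found = Get-AzRoleAssignment -SignInName $upn -Scope $scopes[$name] -ExpandPrincipalGroups |
             Where-Object { $wanted -contains $_.RoleDefinitionName } |
             Select-Object -ExpandProperty RoleDefinitionName -Unique
    $roles = if ($found) { $found -join ', ' } else { '(none of the expected roles)' }
    [pscustomobject]@{ Scope = $name; ResourceId = $scopes[$name]; Roles = $roles }
}
```

The login roles only matter on the VM row: Virtual Machine Administrator Login or Virtual Machine User Login there is what the extension turns into local logon rights. Reader on the other three rows is what lets the Bastion connection be established at all, so a row showing "(none of the expected roles)" for NIC, Bastion or VNet would block the session before credentials are even sent.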

