IanBartram-3400 asked harouny edited

Enable Azure AD login with Bastion on existing VM

I've been tasked with enabling login with Azure AD on all of our existing servers. I've followed the howto-vm-sign-in-azure-ad-windows guide on using Azure Cloud Shell to enable it on an existing VM. I'm able to run the commands with no errors but the VM will still only connect when using the admin credentials established. I've configured IAM as well. Any help would be useful as it's not an option to have to rebuild all 16 VMs and set them to use AAD creds during the initial configuration.


azure-virtual-machines

@IanBartram-3400 Any updates on the issue?

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.



prmanhas-MSFT answered MattRonchetto-1 edited

@IanBartram-3400 Thank you for your query!!!

To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP, so can you please confirm what role you have assigned to the user under the IAM blade on the VM?

Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\john@contoso.com). At this time, Azure Bastion can't be used to log in by using Azure Active Directory authentication with the AADLoginForWindows extension; only direct RDP is supported, as mentioned in the same article. So can you please check on it and let me know if it is still not working for you?

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.


Please read the title. This is about Bastion connectivity to AD joined VMs so we do not need to open RDP over the internet.


Microsoft could SIGNIFICANTLY improve the login via Azure AD functionality if they did two things:

  1. Allowed Azure Bastion to leverage AAD credentials

  2. Made the limitation that "only machines allowed to create a remote connection MUST be on the same domain as the Azure machines" an OPTION for the setup configuration.

The second request is so intuitive I don't understand what Microsoft was thinking in forcing the client to be on the same domain. This is a data center type solution and most times the servers and the workstations will be on different domains. That, and we are moving to making domain joining a thing of the past (I thought?). By forcing domain join, Managed Service Providers and consultants get kicked out as they aren't going to want to use a company device or connect their device to that company. I get that enforcing that same domain is more secure but I'd rather have the choice.

d9e4faab-850f-4de6-9a39-c05b200e8d32 answered

@prmanhas-MSFT Are there any plans to implement AAD login via Bastion?

FarshadAbasi-6663 answered

Same issue here, interested in a resolution. Seems natural to allow AAD based user login via Bastion...

harouny answered harouny edited

If someone still needs an answer:
The limitation for Azure AD login exists in sessions started from the UI (Azure Portal). If you start RDP or SSH sessions from a "native client" (i.e. your Windows client) you can use Azure AD login. Documentation on turning on native client connections in Bastion and how to connect is here:

https://docs.microsoft.com/en-us/azure/bastion/connect-native-client-windows

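Pulling the two answers above together as an added, runnable example (not from the thread, Microsoft, or the linked docs): enable the AADLoginForWindows extension on an existing VM, grant the sign-in role at VM scope, verify the role before troubleshooting further, and connect through Bastion's native-client path rather than the portal. The resource group, VM, Bastion and user names and the RUN_AZ guard are assumptions; the Azure CLI commands are those of `az` and its bastion extension.

```shell
#!/usr/bin/env bash
# Added example (not the thread's own commands). Assumed values below.
set -eu

RG="${RG:-rg-prod}"; VM="${VM:-vm-app01}"; BASTION="${BASTION:-bas-hub}"
UPN="${UPN:-jane@contoso.com}"

# Pure helper: does a newline-separated list of role names satisfy the
# "Virtual Machine Administrator Login" / "Virtual Machine User Login"
# requirement? Owner or Contributor alone does not grant RDP sign-in.
has_vm_login_role() {
  printf '%s\n' "$1" | grep -qxE 'Virtual Machine (Administrator|User) Login'
}

# Pure helper: an Azure AD *registered* Windows 10 client must supply the
# account in AzureAD\UPN form.
aad_rdp_username() { printf 'AzureAD\\%s' "$1"; }

enable_aad_login() {
  # 1. Install the extension on the existing VM; no rebuild is required.
  az vm extension set --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows --resource-group "$RG" --vm-name "$VM"

  # 2. Grant the sign-in role at the VM's scope only (least privilege).
  vm_id=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
  az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee "$UPN" --scope "$vm_id"

  # 3. Check the effective roles, including inherited ones, before blaming
  #    the extension or Bastion for a failed sign-in.
  roles=$(az role assignment list --assignee "$UPN" --scope "$vm_id" \
            --include-inherited --query '[].roleDefinitionName' -o tsv)
  has_vm_login_role "$roles" || { echo "no VM login role for $UPN" >&2; return 1; }

  # 4. Bastion (Standard SKU) must allow native-client connections; then RDP
  #    from the local client, asking for Azure AD authentication (--enable-mfa).
  az network bastion update -g "$RG" -n "$BASTION" --enable-tunneling true
  az network bastion rdp -g "$RG" -n "$BASTION" --target-resource-id "$vm_id" --enable-mfa
}

# Only touch Azure when explicitly requested; sourcing the file defines helpers.
if [ "${RUN_AZ:-0}" = "1" ]; then enable_aad_login; fi
```

Run with `RUN_AZ=1` after `az login`; the Bastion step needs the `bastion` CLI extension installed.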