How to login Azure Ad User in Azure VM with bastion

MIKA TANAKA 120 Reputation points
2025-09-18T09:31:40.4+00:00

Because I want to access an Azure VM via Bastion, I built Bastion.

Now, I can log in as a local administrator. But I can't log in as an Azure AD user.

OS is Windows 11 Enterprise and Azure AD joined.

Role is Virtual Machine Administrator Login. Actually, I want to log in with Virtual Machine User Login.

I want to test Intune (AppLocker etc.). So, I want to log in with Virtual Machine User Login.


Answer accepted by question author
  Nikhil Duserla 9,280 Reputation points Microsoft External Staff Moderator
    2025-09-19T16:50:37.58+00:00

    Hello MIKA TANAKA, you can sign in to a Windows virtual machine in Azure using Microsoft Entra ID.

    You need to assign one of the following Azure roles to determine who can sign in to the VM:

    Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.

    Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.

    If you are creating a Windows VM through the Azure portal, please make sure to enable the Microsoft Entra login option for the VM by following the steps mentioned below.

    On the Management tab, select the Login with Microsoft Entra ID checkbox in the Microsoft Entra ID section.

    Please refer to the screenshot below for your reference.

    [Screenshot: azure-portal-login-with-azure-ad]

    Make sure that System assigned managed identity in the Identity section is selected. This action should happen automatically after you enable login with Microsoft Entra ID.

    Note

    If legacy per-user MFA is Enabled/Enforced for your user account, please make sure to disable per-user MFA by following the steps mentioned below.

    To change the per-user Microsoft Entra multifactor authentication state for a user, complete the following steps:

    Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

    1. Browse to Identity > Users > All users.
    2. Select a user account, and then select Per-user MFA.
    3. Search for the affected user and check the Per-user MFA status. If it is enabled, please select Disable MFA.

    Finally, install the Microsoft Entra login VM extension to enable Microsoft Entra login for Windows VMs.

    You can install the AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Microsoft Entra authentication.

    The following example uses the Azure CLI to install the extension:

    az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group myResourceGroup --vm-name myVM

    Please refer to this link for more detailed understanding: https://dori-uw-1.kuma-moon.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows?pivots=identity-extension-vm#sign-in-by-using-microsoft-entra-credentials-to-a-windows-vm

    If you have any further queries, do let us know.
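Added example (editor's code, not part of the answer above or of any Microsoft tool): a Python script that checks the prerequisites the answer lists before you try to sign in, so a failed Entra ID login can be traced to a missing piece instead of guessed at. It evaluates JSON in the shape the Azure CLI returns for `az vm extension list`, `az vm identity show` and `az role assignment list` (the field names `typePropertiesType`, `provisioningState`, `type`, `roleDefinitionName` and `scope` are assumed to match current CLI output; verify against your CLI version). The sample data is constructed, not captured from a real tenant; `check_live_vm` runs the real commands and needs a prior `az login`.

```python
"""Readiness check for Microsoft Entra ID sign-in to an Azure Windows VM (added example).

Checks: AADLoginForWindows extension installed and provisioned, system-assigned
managed identity present, and a Virtual Machine User/Administrator Login role
assigned at a scope that covers the VM. Field names assume Azure CLI JSON output.
"""
import json
import subprocess
from typing import Any, Optional

LOGIN_ROLES = {"Virtual Machine User Login", "Virtual Machine Administrator Login"}
EXTENSION_NAME = "AADLoginForWindows"
EXTENSION_PUBLISHER = "Microsoft.Azure.ActiveDirectory"

# Constructed sample data shaped like CLI output; not captured from a real tenant.
SAMPLE_VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM")
SAMPLE_EXTENSIONS = [{"name": "AADLoginForWindows", "publisher": EXTENSION_PUBLISHER,
                      "typePropertiesType": "AADLoginForWindows", "typeHandlerVersion": "2.0",
                      "provisioningState": "Succeeded"}]
SAMPLE_IDENTITY = {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": SAMPLE_VM_ID},  # Reader alone does not grant sign-in
    {"roleDefinitionName": "Virtual Machine User Login",       # inherited from the resource group
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"},
]


def check_extension(extensions: list) -> tuple:
    """Find AADLoginForWindows in `az vm extension list` output; require provisioningState Succeeded."""
    for ext in extensions:
        # The CLI flattens properties.type to typePropertiesType; the instance name usually matches.
        if (ext.get("typePropertiesType") or ext.get("name")) != EXTENSION_NAME:
            continue
        if ext.get("publisher") != EXTENSION_PUBLISHER:
            return False, f"{EXTENSION_NAME} has unexpected publisher {ext.get('publisher')!r}"
        state = ext.get("provisioningState")
        if state != "Succeeded":
            return False, f"{EXTENSION_NAME} provisioningState is {state!r}, expected 'Succeeded'"
        return True, f"{EXTENSION_NAME} installed (handler {ext.get('typeHandlerVersion', '?')})"
    return False, f"{EXTENSION_NAME} extension is not installed"


def check_identity(identity: Optional[dict]) -> tuple:
    """`az vm identity show` must report a system-assigned identity (user-assigned may coexist)."""
    kind = (identity or {}).get("type") or ""
    if "SystemAssigned" in kind:
        return True, f"system-assigned identity present (type={kind})"
    return False, "no system-assigned managed identity on the VM"


def _scope_covers(scope: str, vm_id: str) -> bool:
    """Subscription- and resource-group-scoped assignments are inherited by the VM."""
    s, v = scope.lower().rstrip("/"), vm_id.lower()
    return v == s or v.startswith(s + "/")


def check_role(assignments: list, vm_id: str) -> tuple:
    """Accept the first login role whose scope is the VM itself or one of its parents."""
    for ra in assignments:
        role = ra.get("roleDefinitionName")
        if role in LOGIN_ROLES and _scope_covers(ra.get("scope", ""), vm_id):
            return True, f"{role} assigned at {ra['scope']}"
    return False, "no Virtual Machine User Login / Administrator Login role covers this VM"


def readiness(extensions: list, identity: Optional[dict], assignments: list, vm_id: str) -> tuple:
    """Return (all_ok, {check_name: (ok, reason)})."""
    results = {
        "extension": check_extension(extensions),
        "identity": check_identity(identity),
        "role": check_role(assignments, vm_id),
    }
    return all(ok for ok, _ in results.values()), results


def _az(*args: str) -> Any:
    """Run an Azure CLI command (needs a prior `az login`) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def check_live_vm(resource_group: str, vm_name: str, assignee: str) -> bool:
    """Query a real VM; `assignee` is the user's UPN or object id. Prints one line per check."""
    vm_id = _az("vm", "show", "-g", resource_group, "-n", vm_name, "--query", "id")
    extensions = _az("vm", "extension", "list", "-g", resource_group, "--vm-name", vm_name) or []
    identity = _az("vm", "identity", "show", "-g", resource_group, "-n", vm_name)
    assignments = _az("role", "assignment", "list", "--assignee", assignee,
                      "--scope", vm_id, "--include-inherited") or []
    ok, results = readiness(extensions, identity, assignments, vm_id)
    for name, (passed, reason) in results.items():
        print(f"[{'PASS' if passed else 'FAIL'}] {name}: {reason}")
    return ok


if __name__ == "__main__":
    # Offline run on the constructed sample; call check_live_vm(...) for a real VM instead.
    _, sample_results = readiness(SAMPLE_EXTENSIONS, SAMPLE_IDENTITY, SAMPLE_ASSIGNMENTS, SAMPLE_VM_ID)
    for check, (passed, reason) in sample_results.items():
        print(f"[{'PASS' if passed else 'FAIL'}] {check}: {reason}")
```

The role check compares scopes case-insensitively and treats subscription or resource group assignments as covering the VM, because that inheritance is where most "the role is assigned but sign-in fails" confusion comes from: a Reader assignment directly on the VM looks right in the portal but grants no sign-in, while a User Login assignment one level up does. Per-user MFA state, which the answer also mentions, is a user setting in Entra rather than a VM property, so it is outside what this script inspects.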


Answer accepted by question author
  Durgesh Singh 80 Reputation points
    2025-09-18T15:51:01.0866667+00:00

    Steps for Windows VM

    1. Enable Azure AD login extension
      • Go to your VM in Azure Portal → Extensions + applications → Add → AADLoginForWindows.
    2. Assign RBAC role to Azure AD user
      • VM → **Access Control (IAM)** → Add role assignment.
      • Select **Virtual Machine User Login** (or Admin Login if elevated permissions required).
      • Assign to the Azure AD user/group.
    3. **Use Bastion to log in**
      • Navigate to VM → **Connect** → **Bastion**.
      • Select **Azure AD authentication** option.
      • Enter your **Azure AD credentials**.
      • Bastion will open the remote session (RDP in browser).


    Steps for Linux VM

    1. Enable AAD login extension
      • Go to your VM → Extensions → Add → AADLoginForLinux.
    2. Assign RBAC role
      • VM → Access Control (IAM) → Assign Virtual Machine User Login or Virtual Machine Administrator Login.
    3. Use Bastion to log in
      • Navigate to VM → Connect → Bastion.
      • Choose SSH with Azure AD authentication.
      • Authenticate with your Azure AD account.
      • A session will open in the browser terminal.

    Important Notes

    • The Azure AD user must have MFA enabled if your tenant enforces it.
    • Only supported OS versions allow Azure AD login via Bastion (Windows Server 2019+, certain Linux distros).
    • If you don’t see the Azure AD authentication option in Bastion, ensure the login extension is properly installed and the VM is AAD-joined.

Answer accepted by question author
  Deepanshu katara 17,960 Reputation points MVP Moderator
    2025-09-18T10:05:59.7933333+00:00

    Hello Mika, welcome to MS Q&A

    Why can’t I log in with an Azure AD user via Bastion?

    Azure Bastion only supports local account authentication for RDP.

    Even if the VM is Azure AD joined and the user has the Virtual Machine User Login role, Bastion will not accept Azure AD credentials.

    Local admin works, Azure AD user login is not supported (as of now).


    How to test Intune policies (e.g., AppLocker)

    • Use direct RDP from a client machine that is:
      • Azure AD joined or hybrid joined to the same tenant.
      • Running Windows 10/11 (20H1+).
    • Ensure the VM has the AADLoginForWindows extension installed.
    • Assign Virtual Machine User Login role to the test user.
    • Connect with: AzureAD\******@domain.com via the RDP client.

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    Similar query --> https://dori-uw-1.kuma-moon.com/en-us/answers/questions/409639/enable-azure-ad-login-with-bastion-on-exisitng-vm

