Virtual Machine login using Entra ID from the portal not working when using a custom role.

Question

Virtual Machine login using Entra ID from the portal not working when using a custom role.

Sean O'Brien 26

Link to Microsoft Entra ID Authentication article.

When following these instructions, I can successfully see the option to connect to my VM using Entra ID Authentication.

However, if I remove the Virtual Machine Administrator Login (built-in role) assignment from myself, and create a custom role with the same permissions, then assign that to myself, the option disappears.

My understanding was that RBAC was based on permissions as defined in the JSON, including built-in roles. But in this case, the portal UI seems to have a baked-in logic that specifically requires the built-in role to be assigned to you on the resource.

This seems to me that it is NOT evaluating your permissions on the resource, instead it is looking for a specific role, which seems to circumvent the purpose of RBAC entirely.

To reproduce: create a custom role using the Virtual Machine Administrator Login as a template. Assign yourself to the custom role on the VM. Remove Virtual Machine Administrator Login RBAC permissions from yourself.

Result: The option to connect via Entra ID in the portal disappears.

Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-05T12:12:58.16+00:00
Hello Sean O'Brien,

Thanks for your patience. We tested this scenario from our end as well, and custom roles do work for Entra ID VM login when everything is configured correctly.In cases where the Entra ID login option disappears, it’s usually due to one of the following:

Missing permissions in the custom role Even if the role is copied from Virtual Machine Administrator Login, it must explicitly include:

Microsoft.Compute/virtualMachines/login/action

Microsoft.Compute/virtualMachines/loginAsAdmin/action If either of these is missing, the portal will not show the Entra ID login option.

Role assignment scope The custom role must be assigned at the VM, resource group, or subscription level that contains the VM. If assigned at a different scope, the portal may not detect it for login.

RBAC propagation / token refresh delay After role changes, there can be a short delay before the portal reflects them. Signing out and back into the Azure portal usually helps.

VM extension and Entra join state The Microsoft Entra ID login extension must be installed, and the VM must be properly Entra joined. If either is missing, the option may not appear.

If you’re still seeing inconsistent behavior, feel free to share the custom role JSON and the assignment scope, and we can review it further.

Thank you for your patience and understanding.
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-08T09:33:22.73+00:00

Hello Sean O'Brien,

Could you please confirm if you still have further queries on this or not? Feel free to reach out!

Sean O'Brien 26

Thank you for investigating.

Clarification missing from my original post - we are using Bastion to RDP to the VM.

I have confirmed all 4 steps above are correct in our environment and I am still missing the Entra ID login option when using a custom role.

Custom role provided below.
The scope is assigned to the resource group to which the VM belongs.
Have waited long enough (4 days)
The VM extension is enabled, the VM is Entra Joined, and have confirmed Entra ID login works by using the native RDP method. (Azure CLI: az network bastion rdp ... command)

Custom role:

{
    "id": "/subscriptions/???/providers/Microsoft.Authorization/roleDefinitions/6640a0e0-f71b-4573-ac79-9271e147e093",
    "properties": {
        "roleName": "???",
        "description": "This role gives access to resources required for the migration team role. This includes starting, stopping, and remotely connecting as administrator to Virtual Machines, and viewing any storage account keys.",
        "assignableScopes": [
            "/subscriptions/???"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/*/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Storage/*/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Support/*",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Resources/deployments/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/tags/read",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/delete",
                    "Microsoft.Network/*/read",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/networkSecurityGroups/securityRules/write",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Network/publicIPAddresses/join/action",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachines/*/read",
                    "Microsoft.HybridCompute/machines/*/read",
                    "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Compute/virtualMachines/login/action",
                    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
                    "Microsoft.HybridCompute/machines/login/action",
                    "Microsoft.HybridCompute/machines/loginAsAdmin/action"
                ],
                "notDataActions": []
            }
        ]
    }
}

RBAC assignment and scope on the VM:

RBAC scope

Extension installed:

User's image

Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-09T02:51:08.4433333+00:00

Hello Sean O'Brien,

Please share error screenshot too that makes us better understand the issue and troubleshoot further.
Sean O'Brien 26 Reputation points

2025-12-09T02:54:12.5066667+00:00

Certainly. Please see screenshot where I am attempting to connect to the Virtual Machine, but am not seeing the Entra ID login option:
Sean O'Brien 26 Reputation points

2025-12-09T02:56:23.6133333+00:00

If the only change I make is to add myself with Virtual Machine Administrator Login built-in role as follows:

I am immediately able to see the Entra ID login option:
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-09T03:04:13.88+00:00

Got it Sean O'Brien, I'll try to reproduce the same in my environment and get back to you with an update!
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-13T06:24:10.3766667+00:00

Hello Sean O'Brien,

Could you please confirm if you have any further queries or good to close this? Feel free to reach out!

Answer accepted by question author

0 additional answers

Your answer

Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-05T12:12:58.16+00:00

Hello Sean O'Brien,

Thanks for your patience. We tested this scenario from our end as well, and custom roles do work for Entra ID VM login when everything is configured correctly.In cases where the Entra ID login option disappears, it’s usually due to one of the following:

Missing permissions in the custom role Even if the role is copied from Virtual Machine Administrator Login, it must explicitly include:

Microsoft.Compute/virtualMachines/login/action

Microsoft.Compute/virtualMachines/loginAsAdmin/action If either of these is missing, the portal will not show the Entra ID login option.

Role assignment scope The custom role must be assigned at the VM, resource group, or subscription level that contains the VM. If assigned at a different scope, the portal may not detect it for login.

RBAC propagation / token refresh delay After role changes, there can be a short delay before the portal reflects them. Signing out and back into the Azure portal usually helps.

VM extension and Entra join state The Microsoft Entra ID login extension must be installed, and the VM must be properly Entra joined. If either is missing, the option may not appear.

If you’re still seeing inconsistent behavior, feel free to share the custom role JSON and the assignment scope, and we can review it further.

Thank you for your patience and understanding.
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-08T09:33:22.73+00:00

Hello Sean O'Brien,

Could you please confirm if you still have further queries on this or not? Feel free to reach out!
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-09T02:51:08.4433333+00:00

Hello Sean O'Brien,

Please share error screenshot too that makes us better understand the issue and troubleshoot further.
Sean O'Brien 26 Reputation points

2025-12-09T02:54:12.5066667+00:00

Certainly. Please see screenshot where I am attempting to connect to the Virtual Machine, but am not seeing the Entra ID login option:
Sean O'Brien 26 Reputation points

2025-12-09T02:56:23.6133333+00:00

If the only change I make is to add myself with Virtual Machine Administrator Login built-in role as follows:

I am immediately able to see the Entra ID login option:
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-09T03:04:13.88+00:00

Got it Sean O'Brien, I'll try to reproduce the same in my environment and get back to you with an update!
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-13T06:24:10.3766667+00:00

Hello Sean O'Brien,

Could you please confirm if you have any further queries or good to close this? Feel free to reach out!

Answer 1

Hello Sean O'Brien,

Thanks for your patience while we checked this. We were able to reproduce the same behavior, and what you’re seeing is expected.

When connecting to a VM from the Azure portal using Azure Bastion, the Microsoft Entra ID login option is shown only if the signed-in user has one of the following built-in roles:

Virtual Machine Administrator Login

Virtual Machine User Login

If those roles are removed and only a custom role is assigned, even with the same login permissions, the Entra ID option no longer appears. The Bastion experience in the portal checks for these specific built-in roles, not just the underlying permissions.

This applies only to the Azure portal + Bastion UI and matches the current Entra ID authentication for Bastion (Preview) behavior. The requirement for these built-in roles is clearly listed in the Prerequisites section of the documentation.

User's image

Entra ID login with custom roles still works when using native RDP or Bastion via CLI.

Workaround:

To use Entra ID authentication from the Azure portal with Bastion, assign Virtual Machine Administrator Login or Virtual Machine User Login. Custom roles aren’t supported for this portal flow at the moment.

References

Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-15T10:29:50.02+00:00

Hello Sean O'Brien,

Could you please confirm if you have any further queries or good to close this? Feel free to reach out!
Sean O'Brien 26 Reputation points

2025-12-15T23:09:13.6366667+00:00

Thank you for confirmation. No further queries, this can be closed.
Sridevi Machavarapu 10,845 Reputation points Microsoft External Staff Moderator

2025-12-16T01:22:06.0733333+00:00

Hello Sean O'Brien,

Please click on Accept answer under my answer to close this question. Thanks!

Share via

Virtual Machine login using Entra ID from the portal not working when using a custom role.

0 additional answers

Your answer