
Managed Identities - AAD Login for Windows Server Extension & Access Control

Updated: Oct 2, 2021


This will be a three-part series covering the following topics:

  1. Microsoft Server 2022 In-Place Upgrade

  2. Managed Identities - AAD Login for Windows Server Extension & Access Control

  3. Azure Active Directory (AAD) Joined Server Remote Access Guide


Part 2: Managed Identities - AAD Login for Windows Server Extension & Access Control

Limitations of Managed Identities

  1. The Managed Identities server can only be reached over RDP from devices that are Azure AD registered (minimum required build 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the VM. If using an Azure AD registered Windows 10 PC, you must enter credentials in the AzureAD\UPN format (for example, AzureAD\[email protected]). Additionally, to RDP using Azure AD credentials, the user must hold one of two Azure roles on the VM: Virtual Machine Administrator Login or Virtual Machine User Login. At this time, Azure Bastion can't be used to log in with Azure Active Directory authentication through the AADLoginForWindows extension; only direct RDP is supported.

  2. Your device attempting RDP to the Managed Identities server must have Windows Hello enabled using facial recognition, fingerprint biometrics, or PIN code. Password authentication will NOT work as it's not considered a strong authentication method.

  3. If this is an existing server, we will disconnect from your domain, and you will need to use the internal or public IP address for RDP as the Managed Identities server will no longer have contact with DNS.


[Figure: Managed Identities - AAD Login for Azure Server. You can now log in to Azure Windows Servers using Azure Active Directory (AAD) for authentication.]

Managed Identities for New Virtual Machine

If you are setting up Managed Identities on a new virtual machine, the process is straightforward. During the compute setup wizard, select On for Azure Active Directory - Login with AAD credentials (Preview). Now you can jump ahead to Granting Access to the Managed Identities server.


Managed Identities for Existing Virtual Machine

If you forgot to select Login with AAD credentials during setup, or you're converting an existing machine, follow these instructions:

  1. Open Azure Portal and navigate to your VM

  2. Open Azure Cloud Shell CLI

[Figure: Azure Cloud Shell CLI. Navigate to your VM and select Azure CLI from the top banner.]

  3. You will need to attach a storage account to utilize Azure CLI. Use an appropriate storage account for your subscription.

[Figure: Azure Cloud Shell CLI - Mount Storage. You must mount a storage account to use Azure CLI.]

  4. Once the storage account is attached, enter the following command in the CLI, replacing the --resource-group and --vm-name values with your own (the command is a single line):

az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group YourRGName --vm-name YourVMName

  5. When the installation finishes, you will see output similar to:

  "autoUpgradeMinorVersion": true,
  "enableAutomaticUpgrade": null,
  "forceUpdateTag": null,
  "id": "/subscriptions/YourSubscriptionGUID/resourceGroups/YourRGName/providers/Microsoft.Compute/virtualMachines/YourVMName/extensions/AADLoginForWindows",
  "instanceView": null,
  "location": "westus2",
  "name": "AADLoginForWindows",
  "protectedSettings": null,
  "provisioningState": "Succeeded",
  "publisher": "Microsoft.Azure.ActiveDirectory",
  "resourceGroup": "YourRGName",
  "settings": null,
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "typeHandlerVersion": "1.0",
  "typePropertiesType": "AADLoginForWindows"

  6. You may now close Azure CLI.

  7. To verify the installation was successful, open Extensions from the side panel and check that AADLoginForWindows is marked as Provisioning succeeded:

[Figure: AADLoginForWindows Extension. Verifying the AAD Login for Windows extension provisioned successfully.]


Granting Access to the Managed Identities server

Now, we need to grant access to the VM. Perform the following steps:

  1. Select Access control (IAM) from the side panel - +Add - Add role assignment (Preview)

[Figure: Access Control (IAM) for AADLoginForWindows. Granting access to your newly installed extension.]

  2. You will see two roles towards the bottom of the list:

[Figure: Virtual Machine Administrator/User Login. Granting the access roles for AADLoginForWindows.]

  3. Decide whether your new user will be a regular login user or an administrator and select that role.

  4. Click +Select members and search for the user or group you are granting access to:

[Figure: Add Role Assignment - AADLoginForWindows. Add the correct VM access members.]

  5. Click Next - Review + assign
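The Cloud Shell steps above (install the extension and check its provisioningState) and the role assignment in this section, done from Azure CLI in one script. This is an added example, not code from the original post: the resource group and VM names are placeholders, the `az vm identity assign` call is included on the assumption that the extension relies on the VM's system-assigned managed identity (it is harmless if that identity is already on), and the principal passed to grant_vm_login may be a UPN or object ID.

```shell
#!/usr/bin/env bash
# Added example: enable Azure AD login on an existing VM and grant a login
# role with Azure CLI. Requires a prior `az login` with rights on the VM.
set -eu

RG="${RG:-YourRGName}"   # placeholder resource group name
VM="${VM:-YourVMName}"   # placeholder VM name

# Return 0 only when JSON from `az vm extension show` reports
# provisioningState "Succeeded" (the same check as step 7, from the CLI).
extension_provisioned() {
  printf '%s' "$1" | grep -Eq '"provisioningState"[[:space:]]*:[[:space:]]*"Succeeded"'
}

# Ensure the system-assigned identity is on (assumed prerequisite), install
# the AADLoginForWindows extension, then verify it actually provisioned.
enable_aad_login() {
  az vm identity assign --resource-group "$RG" --name "$VM" --output none
  az vm extension set --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows --resource-group "$RG" --vm-name "$VM" --output none
  json="$(az vm extension show --resource-group "$RG" --vm-name "$VM" \
           --name AADLoginForWindows --output json)"
  extension_provisioned "$json"
}

# Grant only what is asked for: User Login by default, Administrator Login
# when "admin" is passed. Scope is the single VM, not the resource group.
grant_vm_login() {  # args: principal (UPN or object ID), admin|user
  role="Virtual Machine User Login"
  [ "${2:-user}" = "admin" ] && role="Virtual Machine Administrator Login"
  vm_id="$(az vm show --resource-group "$RG" --name "$VM" --query id --output tsv)"
  az role assignment create --role "$role" --assignee "$1" --scope "$vm_id" --output none
}

# Usage: ./aad-login.sh apply <principal> [admin|user]
if [ "${1:-}" = "apply" ]; then
  enable_aad_login
  grant_vm_login "$2" "${3:-user}"
fi
```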


Decoupling from your domain

If this is an existing virtual machine, the final step is to decouple it from your domain and join a workgroup. If you are concerned about losing access to the server, first verify that a local admin account is enabled and that you can log in with its password.

  1. Open System Properties - Change...

  2. Switch the radio button from Domain to Workgroup and type in your workgroup name:

[Figure: Join Azure VM to a Workgroup. Decouple your Azure VM from the local domain and join a workgroup.]

  3. Select OK and OK again:

[Figure: Restart to apply changes. After decoupling from the local domain you will need to restart the Azure VM.]

  4. Select Restart Now:

[Figure: Restart Now. Restart now to finalize decoupling from the local domain to a workgroup for AADLoginForWindows.]

You have successfully activated Login with AAD credentials and granted access permissions. You can move on to Part 3: AAD Joined Server Remote Access Guide.

Feel free to comment below with any questions or comments.

If you found this article informative, please support my efforts by donating to my Ethereum ENS address: geekbyte.eth
