I've got an Azure Virtual Machine that I've joined to my Azure Active Directory (AAD) domain. But when I try to Remote Desktop to it and log in using my AAD username/password, it says invalid credentials.
After much debugging, I found that it came down to two things.
(TL;DR: turn off network level authentication and prefix the username with "AzureAD\")
How Do You Join a Windows Machine to an AAD Domain?
If you want to log in to a VM using your AAD domain credentials, you first need to join that machine to the AAD domain. Doing this is easy but the settings are a little bit buried on Windows 11 and Windows 10.
First, open up Settings. Then navigate to Accounts and then scroll down and click on Access Work or School. You should see a page that looks like the image below. There should be a line that says "Add a work or school account" and a button that says Connect. Click the Connect button.
This will pop up a dialog with the title "Set up a work or school account". This is the dialog that's a little bit tricky. It's tricky because you're not going to go through this dialog in the default way. Instead, you're going to locate the link that says Join this device to Azure Active Directory and click that instead.
Next you'll get a dialog that asks you to log in to your AAD domain. From here, the process of joining to the domain is straightforward. Just follow the prompts.
Fixing the Login Problem, Part 1: Disable NLA
Ever notice that when you're working with Remote Desktop, you never see a Windows login dialog? That's Network Level Authentication (NLA): the RDP client collects your credentials and authenticates you (over CredSSP) before the remote session is even created, so the Windows logon screen never appears. The macOS Remote Desktop client can't complete that pre-connection step with Azure AD credentials, so the connection is refused before you ever get a chance to type into a Windows logon screen. If you run on a Mac like I do, this can cause problems. It was definitely causing me problems with this VM.
In short, in order to make this work I needed a way to actually get a login prompt on the VM. To do this, I needed to disable Network Level Authentication (NLA) for the VM.
To disable NLA, log in to the Azure Portal (portal.azure.com) and open the page for your VM. On the VM's page, type "run command" in the search bar. You should then see the Run command option listed under Operations.
Click on Run command. That brings up a list of handy built-in commands that you can run inside your VM, including DisableNLA. Click on DisableNLA and run it. (BTW, the VM needs to be running.) Under the hood this sets the UserAuthentication value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to 0.
After the command runs, reboot the VM. Bear in mind that with NLA off, anyone who can reach TCP 3389 gets the full Windows logon screen before authenticating, so keep RDP off the public internet (restrict it in the network security group, use just-in-time VM access, or go through Azure Bastion) and turn NLA back on when you no longer need this.
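The same procedure scripted with Az PowerShell, as an added example that is not from the original post: it checks that the VM is really Azure AD joined, reads the current NLA setting, runs the same built-in DisableNLA command the portal button runs, and shows how to turn NLA back on afterwards. It assumes the Az module is installed and Connect-AzAccount has already been run; the resource group and VM names are placeholders.

```powershell
# Added example, not code from the original post. Assumes the Az PowerShell
# module is installed and you have already run Connect-AzAccount.
# Placeholder names: replace with your own resource group and VM.
$rg     = 'rg-aad-lab'
$vmName = 'vm-aad-test'

# Registry value that the built-in DisableNLA run command flips.
# UserAuthentication = 1 means NLA is required, 0 means NLA is off.
$nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Helper: run an inline PowerShell script inside the VM through Run Command
# and return its output. RunPowerShellScript wants the script in a file.
function Invoke-VmScript {
    param([string]$Script)
    $tmp = New-TemporaryFile
    try {
        Set-Content -Path $tmp.FullName -Value $Script
        $r = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
                -CommandId 'RunPowerShellScript' -ScriptPath $tmp.FullName
        return $r.Value[0].Message
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

# 1. Confirm the VM is Azure AD joined (AzureAdJoined : YES) and show the
#    current NLA state before changing anything.
$checkScript = @"
dsregcmd /status | Select-String 'AzureAdJoined'
'UserAuthentication = ' + (Get-ItemProperty -Path '$nlaKey' -Name UserAuthentication).UserAuthentication
"@
Invoke-VmScript -Script $checkScript

# 2. Disable NLA exactly as the portal's DisableNLA button does, then reboot
#    so the RDP listener picks up the change.
Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName -CommandId 'DisableNLA' | Out-Null
Restart-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null

# 3. Verify the change landed.
Invoke-VmScript -Script $checkScript

# 4. When you are finished, put NLA back. There is no built-in enable
#    counterpart, so set the registry value directly and reboot again.
Invoke-VmScript -Script "Set-ItemProperty -Path '$nlaKey' -Name UserAuthentication -Value 1"
Restart-AzVM -ResourceGroupName $rg -Name $vmName | Out-Null
```

Step 1 is worth keeping even if you only ever use the portal: if dsregcmd does not report AzureAdJoined : YES, the username fix in the next section will not help, because the VM has no idea who "AzureAD\ben@something.com" is. Step 4 exists because the DisableNLA command leaves the logon screen reachable by anyone who can open a TCP connection to 3389; treat it as a temporary state, not a configuration.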
Fixing the Login Problem, Part 2: Wrong Username / Invalid Credentials
Now that you've disabled NLA, when you try to connect to the VM, you'll eventually get a Windows login screen. Let's say that your username for AAD is "ben@something.com". When you type in that username and your password and click login, you're immediately going to get a login failure.
The reason is that you're typing the wrong username. Instead of typing "ben@something.com", type "AzureAD\ben@something.com". The "AzureAD\" prefix tells the Windows logon screen to authenticate the account against Azure AD rather than a local or on-premises domain account. With the username in that format, you should be able to get into the machine.
Summary
So if you want to log in to your AAD domain joined VM, you need to do two things:
- Turn off Network Level Authentication
- Prefix your username with "AzureAD\"
This took me forever to figure out. I hope this helps and I hope this saves you a ton of time.
-Ben