I'm experimenting with using Microsoft Entra for Azure VMs and I'm encountering a problem while trying to access VMs via Azure Bastion after enabling multi-factor authentication (MFA). I'm testing this with both a Windows 11 VM and a Windows Server 2022 VM. Here's what I did step by step:
1. Created separate test VMs without affecting production.
2. Placed these test VMs in the same virtual network and subnet as the production VMs to match the network paths closely.
3. Enabled a system-assigned managed identity.
4. Assigned the Virtual Machine Administrator Login to my work account.
5. Installed the AADLoginForWindows/Azure AD-based Windows Login extension.
6. Attempted to connect through Bastion, selecting Microsoft Entra ID (Preview).
7. Logged in with my work account and completed MFA.
However, I hit a snag: after completing MFA, I get an error saying, "Connection Error - An internal error has occurred within the Bastion Host, and the connection has been terminated." Interestingly, when I later log in with a local account and check the status using `dsregcmd /status`, it shows that the device is indeed Azure AD joined.
I'm trying to figure out if this behavior is expected when using Bastion with Microsoft Entra ID in the browser, if there's something I'm missing in my process, or if this is a known limitation where the device joins successfully but the sign-in fails. Any insights or experiences with this would be greatly appreciated!
4 Answers
If you check the Applications and Services Logs in the Event Viewer under Microsoft > Windows > AAD > Operational, you might spot errors about API consent missing between app registrations. That's been a red flag for me, and I have a ticket open addressing similar issues.
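Steps 3 to 5 from the question, followed by the guest-side checks (the `dsregcmd /status` test from the question and the AAD Operational event log from the answer above), as an added Az PowerShell example. This is not code from the original thread or from Microsoft's documentation; the resource group, VM name, UPN, extension `TypeHandlerVersion` and the `-ScriptString` parameter of `Invoke-AzVMRunCommand` are assumptions, so check them against your Az module version before running it.

```powershell
# Added example, not from the original post. Needs Az.Compute and Az.Resources.
# Resource group, VM name and UPN below are assumed placeholders.
$rg  = 'rg-entra-test'
$vm  = 'vm-w11-test'
$upn = 'admin@contoso.com'

$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vm

# Step 3: system-assigned managed identity (the login extension uses it to join the device)
Update-AzVM -ResourceGroupName $rg -VM $vmObj -IdentityType SystemAssigned | Out-Null

# Step 4: RBAC login role, scoped to this one VM rather than the whole resource group
New-AzRoleAssignment -SignInName $upn `
    -RoleDefinitionName 'Virtual Machine Administrator Login' `
    -Scope $vmObj.Id | Out-Null

# Step 5: AADLoginForWindows extension. The TypeHandlerVersion is assumed; list the
# current major version with Get-AzVMExtensionImage before relying on it.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vm -Location $vmObj.Location `
    -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion '2.0' | Out-Null

# Control-plane checks: extension provisioning state, and the role assignment
# actually landing on the VM scope (a common miss is assigning it one level up).
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vm -Name 'AADLoginForWindows').ProvisioningState
Get-AzRoleAssignment -SignInName $upn -Scope $vmObj.Id | Select-Object RoleDefinitionName, Scope

# Guest checks that do not depend on a working Entra logon: join state, plus recent
# error/critical events from Microsoft > Windows > AAD > Operational. The -ScriptString
# parameter is assumed to exist in your Az.Compute version; older versions take -ScriptPath.
$guest = @'
dsregcmd /status | Select-String 'AzureAdJoined', 'TenantName'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AAD/Operational'; Level = 1, 2 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
'@
(Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm `
    -CommandId 'RunPowerShellScript' -ScriptString $guest).Value[0].Message
```

Running the guest checks through the run command channel means you can confirm the join state and read the AAD event log even while the Entra logon itself is failing, without opening a local-account session.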
I'm facing the same problem; I've been trying to troubleshoot it for the last couple of days. I'm new to Azure and my setup is a private subnet with no public IP; I even tried adding a NAT gateway with no luck. It feels like I must be overlooking something fundamental in my first project.
It sounds like you're dealing with an issue related to non-interactive sign-ins. Check the logs for the Azure Windows VM Sign-In resource; it might indicate where the failure is happening. The initial MFA for the Bastion login might not be satisfying the requirements for the non-interactive login, so you might need to tweak your Conditional Access policies to exclude that resource from needing MFA. Just make sure to look over the documentation as the specific error might vary, but it generally points to the same issue. Here's a link that might help: [Azure Windows VM Sign-In MFA](https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required).
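The two things this answer suggests, pulling the non-interactive sign-in events for the Azure Windows VM Sign-In resource and then finding which Conditional Access policies would need that resource excluded, as an added Microsoft Graph PowerShell example. This is not code from the original answer; the Graph scopes, the UPN and the two-hour look-back window are assumptions, and the `signInEventTypes` filter is the documented way to surface non-interactive events, which the default listing omits.

```powershell
# Added example, not from the original answer. Needs the Microsoft.Graph module.
# Scopes, UPN and look-back window are assumed for illustration.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Application.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$upn   = 'user@contoso.com'                                              # assumed
$since = (Get-Date).ToUniversalTime().AddHours(-2).ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Non-interactive sign-ins against the Azure Windows VM Sign-In resource.
#    The interactive Bastion/portal MFA shows up by default; the VM logon that follows
#    is non-interactive and only appears with the signInEventTypes filter.
$filter = "userPrincipalName eq '$upn' and createdDateTime ge $since " +
          "and resourceDisplayName eq 'Azure Windows VM Sign-In' " +
          "and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
Get-MgAuditLogSignIn -Filter $filter -All |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
        @{ n = 'Error';  e = { $_.Status.ErrorCode } },
        @{ n = 'Reason'; e = { $_.Status.FailureReason } } |
    Format-Table -AutoSize

# 2. Resolve the resource's app ID from its service principal instead of hard-coding it.
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"

# 3. Enabled policies that require MFA, target all apps, and do not yet exclude it.
$candidates = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.Conditions.Applications.ExcludeApplications -notcontains $vmSignIn.AppId
}
$candidates | Select-Object DisplayName, Id

# 4. Add the exclusion. -Confirm prompts per policy. The whole applications block is
#    sent because the PATCH replaces that object rather than merging into it.
foreach ($p in $candidates) {
    $apps = @{
        includeApplications = @($p.Conditions.Applications.IncludeApplications)
        excludeApplications = @($p.Conditions.Applications.ExcludeApplications | Where-Object { $_ }) + $vmSignIn.AppId
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
        -BodyParameter @{ conditions = @{ applications = $apps } } -Confirm
}
```

Run steps 1 to 3 first and read the `Error`/`Reason` columns and the policy list before letting step 4 modify anything: the exclusion means the VM logon itself is no longer gated by MFA, so you are relying on the MFA that already happened at the Bastion/portal sign-in in front of it, and that trade-off should be a deliberate one.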
Just to clarify, is your client properly registered in the Entra ID? Sometimes that can be the missing link.

I've definitely missed those non-interactive sign-in logs before! After struggling with the same issue in Azure Virtual Desktop (AVD), I can confirm that a Conditional Access exclusion should do the trick.