I'm facing an issue on my Azure VM where I have Just-in-Time (JIT) access enabled. While I can connect perfectly using a local admin account via Remote Desktop Protocol (RDP), logging in with Microsoft Entra ID fails every time, displaying messages like 'Your credentials did not work' and 'The logon attempt failed.' I've confirmed several configurations:
- The AADLoginForWindows extension is installed and shows that provisioning succeeded.
- I've enabled the system-assigned managed identity.
- The user has the Virtual Machine Administrator Login RBAC role on the VM.
- JIT is configured using Microsoft Defender for Servers Plan 2, allowing ports 3389 and 6516 during active requests.
- Verified NSG rules using Network Watcher and confirmed that inbound Allow rules are in place.
- I've tried accessing the VM via both direct RDP and Azure Bastion.
- I used the correct username formats: AzureAD\admin@... and admin@...
Despite all this, the local account works instantly. I've already cleared RDP credentials, reinstalled the AADLogin extension, confirmed AzureAdJoined status, reviewed the Entra ID sign-in logs, disabled Network Level Authentication temporarily through the registry, and re-requested JIT multiple times. Even when I set up a new server from scratch, I just can't seem to get remote login working with Entra ID using JIT. When using the Remote Desktop client, the local account works, but attempts to log in with Entra ID fail. Has anyone experienced this specific issue with a JIT-enabled VM?
1 Answer
Make sure you've assigned the user either the Virtual Machine Administrator Login or the Virtual Machine User Login role. Just having the Owner or Contributor roles doesn't grant you access. That's a common pitfall!

What if those roles are already assigned? Am I missing something about the RDP client? Should I download the client in a specific way or is there a simpler step I'm overlooking?
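Added here as an example (not from the question or the answer above): a PowerShell check for the three prerequisites the thread goes over, namely that the user holds a Virtual Machine *Login* role on the VM (Owner or Contributor alone is not enough), that the AADLoginForWindows extension reports Succeeded, and that the VM itself reports AzureAdJoined. It assumes the Az PowerShell module is installed and you are signed in; the resource group, VM name and sign-in name are placeholders.

```powershell
# Assumed: Az.Compute and Az.Resources modules loaded, Connect-AzAccount already run.
# Placeholder values; replace with your own.
$ResourceGroup = 'rg-placeholder'
$VmName        = 'vm-placeholder'
$SignInName    = 'admin@contoso.example'   # constructed placeholder UPN

$loginRoles = @('Virtual Machine Administrator Login', 'Virtual Machine User Login')

# 1. Role check at VM scope. Get-AzRoleAssignment -Scope also returns assignments
#    inherited from the resource group/subscription; -ExpandPrincipalGroups adds
#    roles granted through group membership.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$assignments = Get-AzRoleAssignment -SignInName $SignInName -Scope $vm.Id -ExpandPrincipalGroups
$granted = $assignments | Where-Object { $loginRoles -contains $_.RoleDefinitionName }
if ($granted) {
    "OK   role: $($granted.RoleDefinitionName -join ', ')"
} else {
    $have = ($assignments.RoleDefinitionName -join ', ')
    "FAIL role: only [$have] assigned; Owner/Contributor do not grant Entra ID sign-in"
}

# 2. Extension provisioning state as the platform reports it.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
        -Name 'AADLoginForWindows' -ErrorAction SilentlyContinue
if ($ext -and $ext.ProvisioningState -eq 'Succeeded') {
    "OK   extension: $($ext.ProvisioningState)"
} elseif ($ext) {
    "FAIL extension: provisioning state is $($ext.ProvisioningState)"
} else {
    "FAIL extension: AADLoginForWindows is not installed"
}

# 3. Device join state, read from inside the guest via Run Command so that no
#    RDP session (and therefore no JIT request) is needed for the check.
$run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
        -CommandId 'RunPowerShellScript' -ScriptString 'dsregcmd /status'
$joined = ($run.Value[0].Message -split "`n") | Where-Object { $_ -match 'AzureAdJoined\s*:\s*YES' }
if ($joined) { "OK   device: AzureAdJoined : YES" } else { "FAIL device: guest does not report AzureAdJoined" }
```

Any FAIL line points at the layer to fix before looking at the RDP client; if all three pass, the sign-in failure lies elsewhere (for example NSG/JIT reachability or the client's credential handling) and the Entra ID sign-in logs are the next place to look.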