Tag: security

Using Microsoft Entra ID authentication on an Azure Windows VM (Without AD DS)
If your environment does not have a directory service such as Active Directory Domain Services (ADDS). But you still require Microsoft Windows-based virtual machines (VMs) in Azure. Then you can integrate those VMs with Microsoft Entra ID for authentication purposes.

This allows users to sign-in to Azure Windows Server VMs using their Entra ID credentials. Whilst removing the dependency on locally managed user accounts. From a security perspective, this provides several benefits, including centralised identity management and improved auditing.

Prerequisites

To ne able to enable Entra ID authentication on a Windows VM the AADLoginForWindows extension must be installed.

This extension can be deployed in several ways:
- Using Azure CLI or Azure PowerShell
- During VM creation in the Azure portal
- Retrospectively through the Azure portal
Installing the extension during creation of an Azure VM:

When creating a VM in the Azure portal, the extension can be installed automatically, by selecting the Login with Microsoft Entra ID checkbox during the deployment process.

Installing the extension on a pre-existing Azure VM:

If the VM already exists, the extension can be installed manually:
1. Navigate to the VM in the Azure portal
2. Select Extensions + applications
3. Add the AADLoginForWindows extension
Once installed successfully, the extension will appear in the Extensions & applications blade, with a status of Provisioning succeeded.

Please note at the time of writing, this extension does not support automatic upgrades and requires manual updates when newer versions are released by Microsoft, this is shown in the example above by comparing the version and latest version columns.

Granting Access via Azure RBAC

Now the extension is installed, all you need to do for this to work is to grant your users the required Azure roles, however the role required depends on what permission levels your user requires.

Two Azure roles exist for this purpose Virtual Machine User Login & Virtual Machine Administrator Login. As the names of the roles suggest, the first role provides users accounts with standard user permissions, and the second role provides the user with local administrator permissions.

In a standard environment the above should be all you need to do to allow Entra ID authentication on an Azure VM. However in tenants with more complexity, you may find you need to complete some further troubleshooting and make some additional changes, especially if your tenant is leveraging Microsoft’s conditional access.

Conditional Access & MFA considerations

If you have a conditional access (CA) policy which enforces MFA, your users will need to authenticate with a strong modern authentication option, such as Windows Hello for Business.

If a strong modern authentication option is not possible in your environment, you will need to ensure the conditional access policy which enforces MFA does not do so, this can be done by excluding the Microsoft Azure Windows Virtual Machine Sign-in application in the cloud apps exclusion list in the CA policy.

I’ve also found the legacy per-user multifactor authentication settings (if enabled) also interfere with this authentication flow, to resolve this you need to disable this for each user in the Entra ID portal, the settings captured below are available by selecting the Per-User MFA option in the users blade available within the Entra ID portal:

Additional caveats and common gotchas:
- To be able to use modern authentication methods such as Windows Hello for Business, the Use a web account to sign in to the remote computer option, needs to be selected within the RDP client to work successfully:
The above setting can of course be saved to an RDP file to ensure this setting does not need to be enabled each time. You can also download a pre-prepared RDP file by using the connect option from the VMs properties in the Azure portal.
- The device the user is signing in from needs to be either an Entra ID Joined, Entra ID Hybrid Joined or Entra ID registered device. Otherwise, you’ll see sign-in errors at the RDP sign-in prompt, likely to be a generic error saying The logon attempt failed.
- When authenticating from a device which is Entra ID registered, every time a user authenticates with the RDP client they will need to specify the “AzureAD\” prefix, for example “AzureAD\username”.
- This authentication method is unsupported, if you are logging in from another Windows Server, and your tenant has a conditional access policy which enforces access only from compliant devices.
- To allow Microsoft Entra authentication to work on a Virtual Machine in Azure, the following networking requirements apply:
  - The Azure network needs to allow outbound access on TCP / 443 to the following Azure Global URLs (these URLs are different for Azure Government and Azure China clouds):
    
    https://enterpriseregistration.windows.net – used for device registration
    
    http://169.254.169.254 – Azure instance metadata service endpoint.
    
    https://login.microsoftonline.com – used for authentication flows to Entra ID.
    
    https://pas.windows.net – used for Azure role based access control (RBAC) authentication flows.
Hope this helps and thanks for reading!
13 April 2026
Configuring Microsoft Entra ID tenants in a hybrid identity model with multiple AD DS forests

Overview

An interesting challenge came my way recently, for a global firm with locations in 15 different countries, who were going through an exciting period of growth and acquisition.

This article is going to talk about the challenge I faced with regards to the businesses hybrid identity requirements.

But first I’d like to provide a bit of background to the project.

The first stage of the project was to merge two separate firms and all of their offices based in the UK from an IT infrastructure perspective. This included on-premises identity, on-premise servers, cloud resources & networking.

Both firms had different specialities however once merged these two firms would become the global firms UK division.

The second stage of the project was to bring the UK division into the global businesses Microsoft Azure infrastructure & Microsoft Entra ID tenant. This included converting every user into a hybrid identity so they could authenticate to on-premise and cloud resources with one identity. Provide a zero touch build process for every end-user compute (EUC) device by leveraging Intune (MDM) & Autopilot.

Due to the nature of the global business, my remit was only in relation to the UK division, divisions located outside of the UK are managed by their own respective IT teams. Therefore, the solution implemented had to only affect the UK division, whilst allowing other divisions to replicate this behaviour and functionality during their onboarding transformation projects in the future.

The challenge

How to use a hybrid identity model for a specific on-premises Active Directory Domain Services (AD DS) forest, with a Microsoft Entra ID tenant which in future will require other independent AD DS forests to also implement a hybrid identity model, all whilst not having any trusts or connectivity between these independent AD DS forests.

Over the years the Entra ID Connect sync service, installed on a Windows Server, has generally been the go to option for hybrid identity sync between AD DS and Entra ID.

However, Entra ID has a limitation whereby it cannot connect to and use multiple Entra ID Connect servers.

Which meant this was not a suitable option in this scenario due to the lack of connectivity and trusts between AD DS forests across the globe.

The solution

Microsoft Entra ID Connect cloud sync.

The primary difference between the Entra ID Connect Cloud Sync service and an on-premises Entra ID Connect server is the sync engine is offloaded to the cloud.

This method suited this scenario perfectly as it supports multiple forests without the need for line of sight connectivity and trusts between the individual ADDS forests.

To be able to sync to Entra ID with Entra ID Connect cloud sync, a light weight Entra ID Connect Cloud sync agent is required, this needs to be installed onto a domain member server within each forest.

The Entra ID Connect Cloud sync service is more limited when compared to the traditional Entra ID Connect service.

Although in my opinion the main features expected are all there and fully functional. For example the Entra ID Connect cloud sync service still allows you to have a two-way sync (AD to Entra ID and Entra ID to AD) which provides you with password writeback functionality. Entra ID Connect cloud sync also provides OU filtering allowing you to control which objects are synced from AD DS.

For reference, if you require users to be able to change their AD DS passwords from the cloud, each user will require a Microsoft Entra ID P2 license so they are able to change their password via Microsoft’s self-service password reset solution.

You can find the Entra ID Connect cloud sync agent installer within the Entra ID portal.

Firstly, login to Entra ID portal (entra.microsoft.com).

Secondly, open the ‘Entra Connect’ blade:

Thirdly, open the ‘cloud sync’ blade:

Fourth, select ‘New configuration’ under the Configurations blade, then select the ‘AD to Microsoft Entra ID sync’ sync direction:

Finally, select ‘click here’ next to ‘For a list of active agents’, which will open a new menu where you can use the download option to get a copy of the agent installer:

Further information on how to install an Entra ID Connect Cloud Sync agent is available here: https://learn.microsoft.com/en-us/entra/identity/hybrid/install

Hope this helps and thanks for reading!

24 February 2026