I have created a VM in Azure as mentioned below
resource "azurerm_windows_virtual_machine" "virtual_machine_hub" {
  name                = "vm-hub"
  resource_group_name = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  location            = azurerm_resource_group.ipz12-dat-np-connection-rg.location
  size                = "Standard_B8ms"
  admin_username      = "xxxxx"
  admin_password      = "xxxxx"
  network_interface_ids = [
    azurerm_network_interface.virtual_machine_hub_nic.id
  ]
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "MicrosoftWindowsDesktop"
    offer     = "Windows-10"
    sku       = "21h1-pro"
    version   = "latest"
  }
  depends_on = [
    azurerm_network_interface.virtual_machine_hub_nic
  ]
}
and enabled the AADLoginForWindows extension:
resource "azurerm_virtual_machine_extension" "virtual_machine_hub_ext" {
  name                       = "AADLoginForWindows"
  virtual_machine_id         = azurerm_windows_virtual_machine.virtual_machine_hub.id
  type                       = "AADLoginForWindows"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true
  publisher                  = "Microsoft.Azure.ActiveDirectory"
  depends_on = [
    azurerm_windows_virtual_machine.virtual_machine_hub
  ]
}
and it is AzureADConnected
My Azure user account is given access on the VM using RBAC.
Now, the client machine (laptop) is connected to another domain in Azure AD (say, demo.com) and is also domain-joined.
I am using the Azure VPN client to connect to the Azure network using Point-to-Site.
While trying to RDP into the VM, it fails with the below error message:
What am I missing?
CodePudding user response:
I tried to reproduce the same in my environment, and I also get the same error, like below:
To resolve this issue:
Try to allow it in System Properties, like below:
Try to add the user to the RDP group via cmd, like below:
net localgroup "Remote Desktop Users" /add "AzureAD\[email protected]"
Get-LocalGroupMember -Name "Remote Desktop users"
On your local machine, try to modify the RDP file in order to authenticate with a different user:
Right-click on the downloaded RDP file -> Open with Notepad, and add the lines below at the bottom:
enablecredsspsupport:i:0
authentication level:i:2
Now double-click on the RDP file and try to connect, like below:
use .\AzureAD\[email protected]
or AzureAD\[email protected]
Or else, in your virtual machine -> Run command (under Operations) -> DisableNLA -> Run.
Reference:
Remote Desktop to Azure AD Joined Computer, by Bradley Schacht
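The two steps from the answer above, scripted in PowerShell as an added example (not code from the answer or from Microsoft): the group membership change on the VM, made idempotent and verified, and the .rdp file on the laptop that carries the two lines the answer adds. The UPN, the VM address and the file path are placeholders.

```powershell
# Added example, not from the original answer. All values below are placeholders.
# Part 1 runs on the VM as an administrator (for example through the portal's Run command);
# part 2 runs on the client laptop that connects over the point-to-site VPN.

# --- Part 1 (on the VM): grant the Azure AD identity the right to RDP in ---
function Grant-AadRdpAccess {
    param([Parameter(Mandatory)][string] $Upn)   # placeholder, e.g. "user@example.com"
    $group  = "Remote Desktop Users"
    $member = "AzureAD\$Upn"
    # Idempotent: only add the principal if it is not already a member.
    # -ErrorAction is set because the cmdlet can throw on unresolvable (orphaned) SIDs in the group.
    $already = Get-LocalGroupMember -Name $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $member }
    if (-not $already) {
        # 'net localgroup' accepts the AzureAD\<UPN> form used by Azure AD login.
        & net localgroup $group /add $member | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add $member to '$group'" }
    }
    # Return the verified membership so the caller (or the Run command output) can confirm it.
    Get-LocalGroupMember -Name $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $member }
}

# --- Part 2 (on the laptop): build an .rdp file that presents the Azure AD user ---
function New-AadRdpFile {
    param(
        [Parameter(Mandatory)][string] $Path,      # e.g. "$env:USERPROFILE\Desktop\vm-hub.rdp"
        [Parameter(Mandatory)][string] $Address,   # VM private IP reachable over the P2S VPN
        [Parameter(Mandatory)][string] $Upn
    )
    $lines = @(
        "full address:s:$Address"
        "username:s:AzureAD\$Upn"
        "enablecredsspsupport:i:0"   # this client skips CredSSP; NLA stays enabled on the VM itself
        "authentication level:i:2"   # 2 = warn if server authentication fails, but allow the connection
    )
    # mstsc saves .rdp files as UTF-16 LE, so write the same encoding.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return (Get-Item $Path)
}

# Usage (placeholders):
#   On the VM:     Grant-AadRdpAccess -Upn "user@example.com"
#   On the laptop: New-AadRdpFile -Path "$env:USERPROFILE\Desktop\vm-hub.rdp" -Address "10.0.0.4" -Upn "user@example.com"
#                  then double-click vm-hub.rdp and sign in as AzureAD\user@example.com
```

Editing the .rdp file changes only that client's connection, whereas the DisableNLA run command removes the pre-authentication requirement for every connection to the VM.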