How can I use an Azure AD account to remotely authenticate to Azure AD-joined Windows?
I have:
"The user name or password is incorrect"
and Audit Failure event with ID 4625, status 0xC000006D, and sub status 0xC0000064, which means that the user doesn't exist.
- %UPN%: username.admin@domain.com
- AzureAD\%UPN%: AzureAD\username.admin@domain.com
- AzureAD\%username%: AzureAD\username.admin
- AzureAD\%securityID%: AzureAD\UsernameAdmin. This seems to be the display name with spaces removed.
- %NetBIOSDomainName%\%securityID%: EXAMPLE\UsernameAdmin. This is how Windows displays it in Computer Management → Local Users and Groups → Groups → Administrators.

- %UPN% (only if the user account has signed in previously)
- AzureAD\%UPN% (regardless of whether the user account has signed in previously)
- AzureAD\%securityID%

Tried authenticating locally using Azure AD accounts and the aforementioned sign-in formats and found that local Run As can handle the following:
- %UPN%
- AzureAD\%UPN%
- AzureAD\%securityID%

Tried authenticating remotely using local admin accounts and found that they work fine.
So, it seems that Windows can handle the Azure AD accounts but only locally and not remotely, unlike with AD DS accounts.
Everything I've found online is either not for this particular scenario or is just other people who are experiencing the same problem.
Is this even possible?
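An added example, not from the question author: the 4625 status/sub-status pair quoted above is the fastest way to tell "account does not exist on this host" apart from "wrong password" or "logon type not allowed", so this PowerShell decodes those fields from the Security log on the target. The sample event is constructed to match the question (lowercase hex is how Windows writes these values in the event XML); the sub-status table holds the documented NTSTATUS meanings.

```powershell
# Added example (not part of the original question). Decodes 4625 logon
# failures so the Status/SubStatus pair and the logon type are visible.
# The sample event below is constructed, not captured from a real host.

$SubStatusMeaning = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'correct user name but wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
    '0xc000015b' = 'logon type not granted on this machine'
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Event XML carries a default namespace, so XPath needs a prefix.
    $ns = [System.Xml.XmlNamespaceManager]::new($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    function Field([string]$Name) {
        $node = $EventXml.SelectSingleNode("//e:EventData/e:Data[@Name='$Name']", $ns)
        if ($node) { $node.InnerText } else { '' }
    }
    $time = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns)
    $sub  = (Field 'SubStatus').ToLower()
    [pscustomobject]@{
        Time        = if ($time) { $time.GetAttribute('SystemTime') } else { '' }
        TargetUser  = "$(Field 'TargetDomainName')\$(Field 'TargetUserName')"
        LogonType   = Field 'LogonType'          # 2 interactive, 3 network, 10 RemoteInteractive
        AuthPackage = Field 'AuthenticationPackageName'
        Source      = "$(Field 'WorkstationName') ($(Field 'IpAddress'))"
        Status      = (Field 'Status').ToLower()
        SubStatus   = $sub
        Meaning     = if ($SubStatusMeaning.ContainsKey($sub)) { $SubStatusMeaning[$sub] } else { 'unknown' }
    }
}

function Get-LogonFailure {
    # Live version: pull the most recent 4625 events from a host's Security log.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Last = 50)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $Last |
        ForEach-Object { ConvertFrom-LogonFailureXml ([xml]$_.ToXml()) }
}

# Constructed sample event mirroring the failure described in the question.
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2020-03-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">username.admin@domain.com</Data>
    <Data Name="TargetDomainName">AzureAD</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">CLIENT01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
"@

ConvertFrom-LogonFailureXml $sample | Format-List
# Live use on the Azure AD-joined host (elevated, Security log requires admin):
# Get-LogonFailure | Where-Object SubStatus -eq '0xc0000064' | Format-Table -AutoSize
```

The LogonType column is the field that separates the two halves of the question: the local sign-in screen and Run As produce type 2, while RDP with NLA and SMB produce types 3 or 10, so a 0xC0000064 on a type 3/10 attempt for an account that works locally points at the network logon path rather than at a mistyped name.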
From my extensive testing, I have concluded that Windows 10 v1909 (latest as of writing) simply doesn't support the usage of Azure AD accounts / credentials with Network-Level Authentication (NLA).
Remote access via RDP can be worked around by disabling NLA and manually editing the .RDP file, adding enablecredsspsupport:i:0.
Remote access via SMB cannot be worked around, it seems.
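An added example, not from the answer author: the two steps in the answer (turn off NLA on the host, then connect with a .RDP file that has enablecredsspsupport:i:0) as PowerShell, with a check of the current setting and a way to put NLA back. The host name, UPN and output path are placeholders; the username line uses the AzureAD\%UPN% form because the question found that format works at the local sign-in screen regardless of prior sign-in.

```powershell
# Added example (not part of the original answer). Applies and reverts the
# "disable NLA + enablecredsspsupport:i:0" workaround. Host name, UPN and
# output path are placeholders.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaRequired {
    # 1 = NLA required (Windows default), 0 = classic in-session logon screen.
    [bool](Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication
}

function Set-NlaRequired {
    # Run elevated on the target host; applies to new RDP connections.
    param([Parameter(Mandatory)][bool]$Required)
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value ([int]$Required) -Type DWord
}

function New-AzureAdRdpFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Upn,                      # e.g. username.admin@domain.com
        [string]$Path = "$env:USERPROFILE\Desktop\$ComputerName.rdp"
    )
    # enablecredsspsupport:i:0 makes mstsc skip CredSSP, so the credentials are
    # entered at the host's own logon screen instead of being validated up front.
    @(
        "full address:s:$ComputerName"
        "username:s:AzureAD\$Upn"
        'enablecredsspsupport:i:0'
        'authentication level:i:2'
        'prompt for credentials:i:1'
    ) | Set-Content -Path $Path -Encoding ASCII
    $Path
}

# On the Azure AD-joined host (elevated):
#   Get-NlaRequired            # True on a default install
#   Set-NlaRequired -Required $false
# On the client:
#   mstsc.exe (New-AzureAdRdpFile -ComputerName 'aadpc01' -Upn 'username.admin@domain.com')
# Afterwards, on the host:
#   Set-NlaRequired -Required $true
```

With NLA off, the host builds the full RDP session and shows its logon screen to any unauthenticated client, so keep the port reachable only from the networks that need it and restore NLA once the session is no longer required.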
User contributions licensed under CC BY-SA 3.0