MFA for Azure VMS

Question

MFA for Azure VMS

Nitish kumar 0

We have a requirement to enable MFA for azure VMs. We have enabled the managed identity and installed the AAD ext. and tried with 1 user and It allows the user to login with entra credentials. However after setting up conditional access policy its not prompting for MFA.

Please advise what we need to do, We need, if any user try to access VM it should prompt for MFA.

Regards,

Nitish

kagiyama yutaka 3,685 Reputation points

2026-06-06T06:54:16.9233333+00:00

I think Azure does not provide a normal MFA prompt during direct RDP sign‑in to an Azure VM, so when a Conditional Access policy requires MFA on MS Azure Windows VM Sign‑in the RDP sign‑in fails instead of prompting, and MFA needs to be enforced on Azure Bastion or a jump host rather than on the VM login itself.
Nitish kumar 0 Reputation points

2026-06-06T06:57:30.41+00:00

so there is no way we can implement MFA when user try to signin to azure Vm?
kagiyama yutaka 3,685 Reputation points

2026-06-06T07:12:47.97+00:00

MFA runs only at the Azure Windows VM Sign‑in step, not on the Windows logon screen. The MFA check happens before RDP, so direct VM sign‑in cannot show an MFA prompt.
Nitish kumar 0 Reputation points

2026-06-06T07:18:22.4766667+00:00

@kagiyama yutaka would be able to help me to setup MFA check before rdp so that user will get MFA prompt and after that they can rdp to azure VM
kagiyama yutaka 3,685 Reputation points

2026-06-06T07:38:58.07+00:00

There is no method to show an MFA prompt on the Windows logon screen. MFA is evaluated at the Azure Windows VM Sign‑in layer before the RDP session. If MFA is needed before RDP, Azure Bastion is the path that can require it.
Nitish kumar 0 Reputation points

2026-06-06T07:53:23.1066667+00:00

so how we can configure so that MFA is evaluated at the Azure Windows VM Sign‑in layer before the RDP session. Client don't want to use Bastion
kagiyama yutaka 3,685 Reputation points

2026-06-06T08:30:11.4033333+00:00

Azure checks MFA at the VM Sign‑in layer, and direct RDP has no way to run that check. Without Bastion or a jump host, there’s no configuration that puts MFA before the session.
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-08T04:31:16.04+00:00
Hey Nitish, it sounds like your Conditional Access (CA) policy isn’t targeting the right service principal for VM sign-ins. Even though you’ve got the AADLoginForWindows extension working, by default RDP logons use the “Microsoft Azure Windows Virtual Machine Sign-in” enterprise app – not the Windows Azure Service Management API or the VM’s managed identity.

Here’s what to do:

Verify the AADLoginForWindows extension and VM Agent

In the Azure portal on your VM’s Extensions + applications blade, confirm the Azure AD login extension shows Provisioning succeeded.

Check your VM’s guest agent health with VM Assist or via the Azure portal diagnostics.

Create or update your Conditional Access policy

In Entra ID → Security → Conditional Access → New policy.

Under Assignments > Cloud apps or actions, click Select apps, search for and pick Microsoft Azure Windows Virtual Machine Sign-in.

Under Grant, choose Grant access + Require multifactor authentication.

Enable the policy (start in report-only first if you like, then switch to On).

Remove legacy per-user MFA (if enabled)

In Entra ID → Users → Multi-factor authentication settings, make sure no users are stuck on the old per-user “Enabled/Enforced” model, which can conflict with CA.

Test your sign-in

Download the RDP file again from the portal’s Connect blade and initiate the RDP session. You should now get prompted to satisfy MFA (phone call, authenticator push, etc.) before the desktop appears.

Troubleshoot with sign-in logs and “What-If” tool

In Entra ID → Monitoring → Sign-ins, filter by the “Azure Windows VM Sign-in” application to see if your new CA policy applied or was skipped.

Use the Conditional Access What-If tool to simulate the policy against your test user.

That setup ensures every VM RDP login goes through your CA policy and gets the MFA challenge. Hope this helps you lock down your VMs!

References:

https://learn.microsoft.com/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
Nitish kumar 0 Reputation points

2026-06-08T08:26:56.59+00:00

@Shubham Sharma but in the article that is attached as reference it clearly says

Conditional Access isn't supported with Windows Server with Microsoft Entra join extension in Azure Windows virtual machines. so how MFA will prompted
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-11T06:06:03.1666667+00:00

Nitish Kumar

Thank you for your reply.

Below is the recommendation: -

If MFA is strictly required:

Use a pre-authentication layer, such as:

Azure Bastion (MFA enforced before access)

RDS Gateway + NPS MFA extension

For your reference:

https://docs.azure.cn/en-us/entra/identity/domain-services/secure-remote-vm-access
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-12T02:35:37.3833333+00:00

Nitish kumar

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Nitish kumar 0 Reputation points

2026-06-12T04:49:47.68+00:00

@Shubham Sharma Client don't want to use bastion/RDS Gateway +NPS MFA Extension
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-16T05:53:06.6833333+00:00

Nitish Kumar

Thank you for your reply.

MFA cannot be enforced for direct RDP login to Azure VMs as expected because the Windows logon screen does not support MFA prompts. Conditional Access is evaluated at the“Azure Windows VM Sign‑in” application layer (before session), so no MFA popup is shown during RDP.

Limitation:

Even after correct configuration, interactive MFA prompt during RDP is not supported by design, so behavior will not match typical MFA flows.

Direct RDP + Entra login cannot guarantee MFA prompt. This is a platform limitation; only pre-authentication enforcement (not interactive MFA) is possible.
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-17T05:22:13.5466667+00:00

Nitish Kumar

Let us know if you need any further assistance.

1 answer

Your answer

kagiyama yutaka 3,685 Reputation points

2026-06-06T06:54:16.9233333+00:00

I think Azure does not provide a normal MFA prompt during direct RDP sign‑in to an Azure VM, so when a Conditional Access policy requires MFA on MS Azure Windows VM Sign‑in the RDP sign‑in fails instead of prompting, and MFA needs to be enforced on Azure Bastion or a jump host rather than on the VM login itself.
Nitish kumar 0 Reputation points

2026-06-06T06:57:30.41+00:00

so there is no way we can implement MFA when user try to signin to azure Vm?
kagiyama yutaka 3,685 Reputation points

2026-06-06T07:12:47.97+00:00

MFA runs only at the Azure Windows VM Sign‑in step, not on the Windows logon screen. The MFA check happens before RDP, so direct VM sign‑in cannot show an MFA prompt.
Nitish kumar 0 Reputation points

2026-06-06T07:18:22.4766667+00:00

@kagiyama yutaka would be able to help me to setup MFA check before rdp so that user will get MFA prompt and after that they can rdp to azure VM
kagiyama yutaka 3,685 Reputation points

2026-06-06T07:38:58.07+00:00

There is no method to show an MFA prompt on the Windows logon screen. MFA is evaluated at the Azure Windows VM Sign‑in layer before the RDP session. If MFA is needed before RDP, Azure Bastion is the path that can require it.
Nitish kumar 0 Reputation points

2026-06-06T07:53:23.1066667+00:00

so how we can configure so that MFA is evaluated at the Azure Windows VM Sign‑in layer before the RDP session. Client don't want to use Bastion
kagiyama yutaka 3,685 Reputation points

2026-06-06T08:30:11.4033333+00:00

Azure checks MFA at the VM Sign‑in layer, and direct RDP has no way to run that check. Without Bastion or a jump host, there’s no configuration that puts MFA before the session.
Nitish kumar 0 Reputation points

2026-06-08T08:26:56.59+00:00

@Shubham Sharma but in the article that is attached as reference it clearly says

Conditional Access isn't supported with Windows Server with Microsoft Entra join extension in Azure Windows virtual machines. so how MFA will prompted
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-11T06:06:03.1666667+00:00

Nitish Kumar

Thank you for your reply.

Below is the recommendation: -

If MFA is strictly required:

Use a pre-authentication layer, such as:

Azure Bastion (MFA enforced before access)

RDS Gateway + NPS MFA extension

For your reference:

https://docs.azure.cn/en-us/entra/identity/domain-services/secure-remote-vm-access
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-12T02:35:37.3833333+00:00

Nitish kumar

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Nitish kumar 0 Reputation points

2026-06-12T04:49:47.68+00:00

@Shubham Sharma Client don't want to use bastion/RDS Gateway +NPS MFA Extension
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-16T05:53:06.6833333+00:00

Nitish Kumar

Thank you for your reply.

MFA cannot be enforced for direct RDP login to Azure VMs as expected because the Windows logon screen does not support MFA prompts. Conditional Access is evaluated at the“Azure Windows VM Sign‑in” application layer (before session), so no MFA popup is shown during RDP.

Limitation:

Even after correct configuration, interactive MFA prompt during RDP is not supported by design, so behavior will not match typical MFA flows.

Direct RDP + Entra login cannot guarantee MFA prompt. This is a platform limitation; only pre-authentication enforcement (not interactive MFA) is possible.
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator

2026-06-17T05:22:13.5466667+00:00

Nitish Kumar

Let us know if you need any further assistance.

Answer 1

To require MFA when users sign in to Azure VMs, configure and scope Conditional Access correctly and avoid legacy per‑user MFA.

Use Conditional Access, not per‑user MFA

Ensure legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication is turned off. Per-user MFA can cause sign-in issues for Azure VM sign-in and is not the recommended method.
If per-user MFA is enabled and you see errors like “Your credentials didn’t work” or “The sign-in method you’re trying to use isn’t allowed,” remove the per-user MFA setting and rely on Conditional Access instead.

Target the correct cloud app in Conditional Access For Azure VM sign-in, the relevant app is Microsoft Azure Windows Virtual Machine Sign-in (Azure Windows VM Sign-In app):

If a Conditional Access policy requires MFA, the device initiating the RDP connection must use a strong authentication method such as Windows Hello for Business.
If Windows Hello for Business or other strong methods are not available, configure a Conditional Access policy that excludes the Azure Windows VM Sign-In app from MFA so users can still sign in. However, in your case, the requirement is to enforce MFA, so ensure:
- The policy includes the Azure Windows VM Sign-In app (and does not exclude it).
- Users are configured with supported strong authentication methods (for example, Windows Hello for Business) so they can satisfy the MFA requirement when connecting.

Ensure the policy applies to the right users and conditions

Under Assignments → Users or workload identities, include the users/groups that must use MFA for VM access.
Under Cloud apps or actions / Target resources, include the Azure VM sign-in app (Microsoft Azure Windows Virtual Machine Sign-in).
Under Access controls → Grant, select Grant access and Require multifactor authentication (or Require authentication strength → Multifactor authentication if using authentication strengths).
Make sure the policy is On (not just Report-only).

Strong authentication requirement for VM sign-in

When a Conditional Access policy requires MFA for Azure VM sign-in, the client must use a strong method such as Windows Hello for Business. If that is not configured, users may not see a traditional MFA prompt but instead get sign-in failures.
If Windows Hello for Business is not an option in your environment, review whether you can deploy it, or adjust the Conditional Access policy design (for example, enforce MFA at other control points such as management portals or bastion hosts instead of direct VM sign-in).

General MFA configuration guidance

If Conditional Access is used broadly to enforce MFA, ensure:
- Security defaults are disabled if Conditional Access is in use.
- Users are properly set up for MFA and can satisfy MFA for apps that require it.

In summary, to have MFA enforced when users access Azure VMs:

Use Conditional Access targeting Microsoft Azure Windows Virtual Machine Sign-in.
Require MFA (or an MFA authentication strength) in the Grant controls.
Ensure users have supported strong authentication methods (for example, Windows Hello for Business) so the VM sign-in can satisfy the MFA requirement.
Avoid legacy per-user MFA, which can interfere with Azure VM sign-in.

References:

Share via

MFA for Azure VMS

1 answer

Your answer