Unable to use Azure AD accounts to remotely authenticate to Windows

How can I use an Azure AD account to remotely authenticate to Azure AD-joined Windows?

I have:

1. Tried authenticating remotely using Azure AD accounts and every sign-in format that I'm aware of (listed below) but all result in error message The user name or password is incorrect and Audit Failure event with ID 4625, status 0xC000006D, and sub status 0xC0000064 which means that the user doesn't exist.
   • %UPN%.
     For example, username.admin@domain.com.
   • AzureAD\%UPN%.
     For example, AzureAD\username.admin@domain.com.
   • AzureAD\%username%.
     For example, AzureAD\username.admin.
   • AzureAD\%securityID%.
     For example, AzureAD\UsernameAdmin. This seems to be the display name with spaces removed.
   • %NetBIOSDomainName%\%securityID%.
     For example, EXAMPLE\UsernameAdmin. This is how Windows displays it in Computer Management Local Users and Groups Groups Administrators.
2. Tried using PsGetSid locally and found that it can resolve the following Azure AD sign-in formats:
   • %UPN% (only if the user account has signed in previously).
   • AzureAD\%UPN% (regardless of whether the user account has signed in previously).
   • AzureAD\%securityID%.

3. Tried authenticating locally using Azure AD accounts and the aforementioned sign-in formats and found that local Run As can handle the following:

   • %UPN%.
   • AzureAD\%UPN%.
   • AzureAD\%securityID%.

4. Tried authenticating remotely using local admin accounts and found that they work fine.

So, it seems that Windows can handle the Azure AD accounts but only locally and not remotely, unlike with AD DS accounts.

Everything I've found online is either not for this particular scenario or is just other people who are experiencing the same problem.

Is this even possible?

Asked by user186509 (867 )
Dec 12, 2019 at 12:42