System Administration & Network Administration

Unable to use Azure AD accounts to remotely authenticate to Windows

How can I use an Azure AD account to remotely authenticate to Azure AD-joined Windows?

I have:

  1. Tried authenticating remotely using Azure AD accounts and every sign-in format that I'm aware of (listed below) but all result in error message The user name or password is incorrect and Audit Failure event with ID 4625, status 0xC000006D, and sub status 0xC0000064 which means that the user doesn't exist.
    • %UPN%.
      For example,
    • AzureAD\%UPN%.
      For example, AzureAD\
    • AzureAD\%username%.
      For example, AzureAD\username.admin.
    • AzureAD\%securityID%.
      For example, AzureAD\UsernameAdmin. This seems to be the display name with spaces removed.
    • %NetBIOSDomainName%\%securityID%.
      For example, EXAMPLE\UsernameAdmin. This is how Windows displays it in Computer Management Local Users and Groups Groups Administrators.
  2. Tried using PsGetSid locally and found that it can resolve the following Azure AD sign-in formats:
    • %UPN% (only if the user account has signed in previously).
    • AzureAD\%UPN% (regardless of whether the user account has signed in previously).
    • AzureAD\%securityID%.
  3. Tried authenticating locally using Azure AD accounts and the aforementioned sign-in formats and found that local Run As can handle the following:

    • %UPN%.
    • AzureAD\%UPN%.
    • AzureAD\%securityID%.
  4. Tried authenticating remotely using local admin accounts and found that they work fine.

So, it seems that Windows can handle the Azure AD accounts but only locally and not remotely, unlike with AD DS accounts.

Everything I've found online is either not for this particular scenario or is just other people who are experiencing the same problem.

Is this even possible?


From my extensive testing, I have concluded that Windows 10 v1909 (latest as of writing) simply doesn't support the usage of Azure AD accounts / credentials with Network-Level Authentication (NLA).

Remote access via RDP can be worked around by disabling NLA and manually editing the .RDP file adding enablecredsspsupport:i:0.

Remote access via SMB cannot be worked around it seems.

Comments (2)

  • +0 – Normally I am able to Remote Desktop to machines that are AAD-joined, using username like AzureAD\ Today my saved RDP credentials that have been working for months stopped working and I got the same audit event errors as per your question (ID 4625, status 0xC000006D, sub status 0xC0000064). Adding a line to my rdp file as per your answer fixed it. I'm connecting to a Windows 10 machine running version 19042.1466 and as far as I can see no windows updates have been applied to make it change behaviour. Odd. — Jan 31, 2022 at 11:55  
  • +0 – Reading between the lines of this doc:… It should now be possible without hackery, as of Windows 10 2004... If I'm reading it correctly - though I cannot get it to work myself — May 06, 2022 at 21:36