Entra ID login not appear in Bastion for Windows Server 2025

Question

Entra ID login not appear in Bastion for Windows Server 2025

Talaiti AIHAIMAITI 20

Hi,
I applied Entra ID VM login to Windows Server 2025, but it is not shown in Bastion, Even if:

VM is Entra ID joined ✅
RBAC roles are correct ✅
Bastion networking works ✅ This seems platform support gap, not a configuration issue. For migrating from local account VM login to Entra ID, what would you suggest? and how to fix current issue mentioned above.
Thanks for your attention.

Talaiti AIHAIMAITI 20 Reputation points

2026-04-27T06:38:52.6333333+00:00

Is Windows (Windows Server 2025 Datacenter Azure Edition) NOT currently supported for Entra ID VM login using the AADLoginForWindows extension? What is recommended then?
Venkatesan S 8,315 Reputation points Microsoft External Staff Moderator

2026-04-27T07:18:09.16+00:00

Hi Talaiti AIHAIMAITI,

Thank you for contacting us about the Entra ID login not appear in Bastion for Windows Server 2025 issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know. We appreciate your patience while we work on this.
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-27T08:31:21.51+00:00

Hello Talaiti AIHAIMAITI,

Windows Server 2025 Datacenter Azure Edition is not yet officially listed as supported for Microsoft Entra ID VM sign-in using the AADLoginForWindows extension, so behavior may be inconsistent or unsupported.

But since Azure Bastion does not provide Entra ID authentication for Windows virtual machines (VMs) regardless of OS version, this is unrelated to your Bastion issue. If you want fully supported Entra ID login with the extension, it is advised to use a supported OS like Windows Server 2022 and connect using a native RDP client (AzureAD[******@domain.com](******@domain.com)). Until Entra ID support is provided, use local or domain credentials if you must utilize Bastion.

Let me know if any further queries - feel free to reach out!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T02:08:55.75+00:00

Hello Talaiti AIHAIMAITI,

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T02:32:24.2666667+00:00

Hello Talaiti AIHAIMAITI

Yes you are right!

We will check internally and get back to you!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T05:15:22.2933333+00:00

Hello Talaiti AIHAIMAITI

Please check this https://learn.microsoft.com/en-us/answers/questions/2279230/azure-bastion-not-showing-azure-active-directory-l
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-30T02:59:37.1833333+00:00

Hello Talaiti AIHAIMAITI

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Otherwise, please check private messages so that we can connect offline!
Talaiti AIHAIMAITI 20 Reputation points

2026-05-05T08:54:18.4266667+00:00

Hello
it seems like that I do not necessarily need to deploy Bastion into Vnet-Hub.Azure Bastion can be deployed in one VNet and used to connect to VMs in peered VNets. Microsoft explicitly supports hub-and-spoke and centralized Bastion designs, where one Bastion deployment can reach VMs in peered virtual networks.
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering?utm_source=chatgpt.com

IF it is true, I have another issue, there are 2 bastions that are in different RG and Vnets.
i deleted the bastion (Creating new Bastion Developer SKU: vnet-soc-sentinel-test-bastion), as below, when click the connect, it auto-created the deleted bastion/restored and then VM login. So how to apply standard bastion to another VM in another Vnet/RG ? (It seems like impossible to delete the Bastion.) 2nd attached is also from same page and the Vnet has only one subnet (no bastionsubnet)

Answer accepted by question author

1 additional answer

Your answer

Talaiti AIHAIMAITI 20 Reputation points

2026-04-27T06:38:52.6333333+00:00

Is Windows (Windows Server 2025 Datacenter Azure Edition) NOT currently supported for Entra ID VM login using the AADLoginForWindows extension? What is recommended then?
Venkatesan S 8,315 Reputation points Microsoft External Staff Moderator

2026-04-27T07:18:09.16+00:00

Hi Talaiti AIHAIMAITI,

Thank you for contacting us about the Entra ID login not appear in Bastion for Windows Server 2025 issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know. We appreciate your patience while we work on this.
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-27T08:31:21.51+00:00

Hello Talaiti AIHAIMAITI,

Windows Server 2025 Datacenter Azure Edition is not yet officially listed as supported for Microsoft Entra ID VM sign-in using the AADLoginForWindows extension, so behavior may be inconsistent or unsupported.

But since Azure Bastion does not provide Entra ID authentication for Windows virtual machines (VMs) regardless of OS version, this is unrelated to your Bastion issue. If you want fully supported Entra ID login with the extension, it is advised to use a supported OS like Windows Server 2022 and connect using a native RDP client (AzureAD[******@domain.com](******@domain.com)). Until Entra ID support is provided, use local or domain credentials if you must utilize Bastion.

Let me know if any further queries - feel free to reach out!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T02:08:55.75+00:00

Hello Talaiti AIHAIMAITI,

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T02:32:24.2666667+00:00

Hello Talaiti AIHAIMAITI

Yes you are right!

We will check internally and get back to you!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-28T05:15:22.2933333+00:00

Hello Talaiti AIHAIMAITI

Please check this https://learn.microsoft.com/en-us/answers/questions/2279230/azure-bastion-not-showing-azure-active-directory-l
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-04-30T02:59:37.1833333+00:00

Hello Talaiti AIHAIMAITI

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Otherwise, please check private messages so that we can connect offline!
Talaiti AIHAIMAITI 20 Reputation points

2026-05-05T08:54:18.4266667+00:00

Hello
it seems like that I do not necessarily need to deploy Bastion into Vnet-Hub.Azure Bastion can be deployed in one VNet and used to connect to VMs in peered VNets. Microsoft explicitly supports hub-and-spoke and centralized Bastion designs, where one Bastion deployment can reach VMs in peered virtual networks.
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering?utm_source=chatgpt.com

IF it is true, I have another issue, there are 2 bastions that are in different RG and Vnets.
i deleted the bastion (Creating new Bastion Developer SKU: vnet-soc-sentinel-test-bastion), as below, when click the connect, it auto-created the deleted bastion/restored and then VM login. So how to apply standard bastion to another VM in another Vnet/RG ? (It seems like impossible to delete the Bastion.) 2nd attached is also from same page and the Vnet has only one subnet (no bastionsubnet)

Answer 1

Talaiti AIHAIMAITI hi

just a simple and quick answer. VM config can be fine, Bastion UI/support just hasnt caught up yet & yeah this is likely platform support gap, not ur config. Bastion Entra ID login support is not always available for every new Windows Server image right away, and Windows Server 2025 may not be fully lit up in Bastion UI yet even if the VM itself is Entra joined and RBAC is correct. For now, use local admin or domain account through Bastion, or use normal RDP with Entra login where supported. For migration, dont remove local break-glass admin yet. Keep local admin disabled/rotated but available for recovery, assign Virtual Machine Administrator Login / Virtual Machine User Login, verify Entra login works outside Bastion first, then move users gradually. If Bastion still does not show Entra option only on Server 2025, open support and ask for Windows Server 2025 + Bastion Entra login support confirmation.

rgds, Alex

&

if my answer helps pls accept it.

Answer 2

TP 156.6K Volunteer Moderator

Hi,

I did quick test and was able to connect to [smalldisk] Windows Server 2025 Datacenter Azure Edition VM using Bastion and Entra ID.

1. If you haven't already, please enable system-assigned managed identity for your vm. You may do this by navigating to the vm in the Azure portal, on left click on Security -- Identity, set Status to On, Save.

2. Next click on Setting -- Extensions + applications. Click Add, next click on Azure AD based Windows Login, click Next, click Review + create, Create

User's image

3. Once the extension has completed installing, wait a few minutes and then click on Connect -- Bastion. You should see Microsoft Entra ID (Preview) option, similar to below screenshot:

User's image

For reference, documentation shows Windows Server 2022 or later is supported. Screenshot excerpt below:

User's image

Please reply back with your results, whether positive or negative.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Talaiti AIHAIMAITI 20 Reputation points

2026-04-27T23:06:49.2966667+00:00

Hello
Thanks for your attention. I confirm that Security -- Identity, set Status to On, Saved, AADlogin is also installed.
Talaiti AIHAIMAITI 20 Reputation points

2026-04-27T23:33:57+00:00

By the way, it is peered virtual network, where bastion is located in another RG and VNet from this Windows (Windows Server 2025 Datacenter Azure Edition), For linux there is no problem--be it within same RG/Vnet or not. Only windows is not shown.
TP 156.6K Reputation points Volunteer Moderator

2026-04-27T23:45:16.8833333+00:00

I checked mine and AADLogin extension is same version as yours.

I know you mentioned it in your question, but have you added Virtual Machine Administrator Login role to your user account on the VM?

And which SKU is your Bastion? In my test I used Basic, but higher SKUs should work fine as well. Developer SKU will not work (for Entra ID).
Talaiti AIHAIMAITI 20 Reputation points

2026-04-27T23:48:26.0766667+00:00

Yes, I have added Virtual Machine Administrator Login role. and SKU is standard.
TP 156.6K Reputation points Volunteer Moderator

2026-04-28T00:01:27.28+00:00

Okay, in my test Bastion is in same VNet and same RG. I will test later with Bastion in peered VNet and let you know.
Talaiti AIHAIMAITI 20 Reputation points

2026-04-28T02:25:02.08+00:00

Peered VNet seems OK.
TP 156.6K Reputation points Volunteer Moderator

2026-04-28T09:28:19.7166667+00:00

@Talaiti AIHAIMAITI I tested from peered VNet with Bastion in different RG and it worked fine using Entra ID. I wanted to test to see if something about it being in peered VNet is causing Entra ID option not to show in portal.

To help with troubleshooting: when you navigate to the Bastion blade of the vm, your browser makes several REST API calls. Depending on the results returned from these calls it shows Entra ID option or not. For example, one to query for the Windows/Linux AAD Login extensions are installed, another to check if current user has RBAC role, etc.

Perhaps one of these calls is not returning correct results for some reason. One thing you could do to help narrow down the cause is to check what these calls are returning using Dev tools of your browser. To do this you would can navigate to Overview blade, open Developer tools -- Network tab, then click on Bastion blade.

Examine the calls made right after you click on Bastion blade. They begin with batch?api-version=2020-06-01--click on each call to examine details. On Payload tab, expand down into the parsed JSON requests: and determine which call it is (e.g. BastionHost.getVmExtensionsForVmId) and then check Response tab to see if expected data was returned. For the extension check you should see "Count": 1 to indicate the AAD Login extension is installed whereas if it has "Count": 0 that would be incorrect and cause Entra ID option not to show.

If you can narrow it down to one of the calls isn't returning expected information you may be able to "fix" the underlying cause.

Below are screenshot snippets of Chrome Developer Tools to give you a sense of what I'm referring to:
TP 156.6K Reputation points Volunteer Moderator

2026-05-01T07:22:44.99+00:00

@Talaiti AIHAIMAITI Any update?
Talaiti AIHAIMAITI 20 Reputation points

2026-05-04T06:40:17.66+00:00

Sorry for being late (it's been holiday here), I have followed, it is like as attached, Btw, I also tried on another Windows (Windows Server 2022 Datacenter) in the same Vnet which includes bastion subnet. but same result, no Entra ID is shown up.

Share via

Entra ID login not appear in Bastion for Windows Server 2025

1 additional answer

Your answer