
az network bastion rdp presents complications with Entra ID authentication when the Windows VM hostname does not match the Azure resource name #30226

@RobertoPrevato

Description

Scenario

1. We create a Windows Virtual Machine with a hostname that does not match the Azure resource name. For example, the Azure resource name might be `someprojectname-test-vm` and the Windows hostname `spn-test-vm`, to satisfy the 15-character limit on hostnames.

```bicep
param vmName string        // Azure resource name, e.g. someprojectname-test-vm
param computerName string  // Windows hostname, max 15 characters, e.g. spn-test-vm
param location string = resourceGroup().location
resource vm 'Microsoft.Compute/virtualMachines@2020-06-01' = {
  name: vmName  // <-- Azure Resource Name
  location: location
  properties: {
    osProfile: {
      computerName: computerName // <--- Windows Hostname (max 15 characters long)
    } // other VM properties (hardware, storage, network profiles) omitted
  }
}
```

2. We enable Entra ID authentication by installing the AADLoginForWindows extension.

Expectation

Using the `az network bastion rdp --enable-mfa` command to RDP into the VM with the native client on Windows should work. Instead, it fails with the error message "The target-device identifier in the request someprojectname-test-vm was not found in the tenant", as in the following picture:

[Image: screenshot of the "target-device identifier ... was not found in the tenant" error]

Diagnosis and workaround

The problem occurs because the Windows VM is registered in Entra ID using the hostname (`spn-test-vm`), while the `az network bastion rdp` command assumes that the hostname matches the Azure resource name.

As a workaround, we can use the `--configure` flag, save the RDP file on disk, use a text editor to replace the name of the Azure resource with the hostname, and RDP successfully into the VM.

```shell
az network bastion rdp --name $bastionName --resource-group $resourceGroupName --target-resource-id $vmResourceId --enable-mfa --configure
```

Possible solution (maybe)?

Enrich the `az network bastion rdp` command to support specifying the hostname of the target VM, or automatically obtain the right hostname from the Azure resource name?

It is not feasible to assume that the Azure resource name must match the Windows hostname in all cases, because of the 15-character limit on hostnames. Azure resources can easily have longer names.
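Scripting the workaround from the post above, as an added example that is neither part of the original issue nor code from the Azure CLI project: it reads the Windows hostname from the VM resource's `osProfile.computerName` (the same property the Bicep template sets), then rewrites the RDP file saved from the `--configure` session so that every occurrence of the Azure resource name becomes the hostname, and launches it with `mstsc`. The function and parameter names are assumed for illustration; the RDP file path is whatever you chose when saving it, and the check that the resource name was actually found in the file is a safeguard the post does not describe.

```powershell
# Added example (not from the original issue or the Azure CLI project).
# Assumes: Azure CLI is logged in, the RDP file was already saved from
# 'az network bastion rdp ... --enable-mfa --configure', and the Azure resource
# name appears in that file as a plain string (the post says replacing it with
# the hostname is enough; the exact RDP keys are not shown there).
param(
    [Parameter(Mandatory)] [string] $VmResourceId,  # /subscriptions/.../virtualMachines/<resource name>
    [Parameter(Mandatory)] [string] $RdpFilePath    # file saved from the --configure session
)

function Get-VmNameAndHostname {
    param([string] $ResourceId)
    # 'name' is the Azure resource name that az network bastion rdp writes into the
    # file; 'osProfile.computerName' is the Windows hostname registered in Entra ID.
    $json = az vm show --ids $ResourceId --query '{name:name,host:osProfile.computerName}' -o json
    if ($LASTEXITCODE -ne 0 -or -not $json) { throw "az vm show failed for $ResourceId" }
    $vm = $json | ConvertFrom-Json
    if ([string]::IsNullOrEmpty($vm.host)) {
        throw "VM $($vm.name) has no osProfile.computerName (Linux VM or custom image?)"
    }
    return $vm
}

function Repair-BastionRdpFile {
    param([string] $Path, [string] $ResourceName, [string] $Hostname)
    if ($ResourceName -eq $Hostname) {
        Write-Host "Resource name already equals hostname; nothing to change."
        return
    }
    $lines = Get-Content -Path $Path
    # Count the lines that carry the resource name so that editing the wrong file
    # (or an already patched one) fails loudly instead of silently doing nothing.
    $hits = @($lines | Where-Object { $_.Contains($ResourceName) })
    if ($hits.Count -eq 0) {
        throw "'$ResourceName' not found in $Path; is this the file saved from --configure?"
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $fixed = $lines | ForEach-Object { $_.Replace($ResourceName, $Hostname) }
    Set-Content -Path $Path -Value $fixed
    Write-Host "Replaced '$ResourceName' with '$Hostname' on $($hits.Count) line(s); backup at $Path.bak"
}

$vm = Get-VmNameAndHostname -ResourceId $VmResourceId
Repair-BastionRdpFile -Path $RdpFilePath -ResourceName $vm.name -Hostname $vm.host
# Launch the patched file with the native client; mstsc then prompts for the Entra ID / MFA sign-in.
mstsc $RdpFilePath
```

Run it as `.\Fix-BastionRdp.ps1 -VmResourceId $vmResourceId -RdpFilePath .\someprojectname-test-vm.rdp` after saving the file from the `--configure` session. Reading the hostname from the VM resource rather than typing it by hand is the same lookup the post proposes the CLI could do itself, and it avoids guessing a truncated name when the resource name is longer than 15 characters.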
