Problem:
Recently, a teammate reached out to me for help with an Azure Virtual Desktop deployment error. The session hosts in his ARM template were failing to Entra join in his tenant, but not in mine or the customer's tenant. The full error was:
{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows' (publisher 'Microsoft.Azure.ActiveDirectory' and type 'AADLogForWindows'). Error message: 'AAD Join failed with status code: -2145648595. AzureSecureVMJoinOperation: DsrCmdAzureHelper::GetTenantId failed 0x801c002d.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot."}
Solution:
Ensure the virtual machine has a system-assigned managed identity, like the following Bicep example:

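As an added illustration (not the author's own template), here is a minimal Bicep fragment that declares the system-assigned identity on the session host and then deploys the AADLoginForWindows extension against it; the VM name, size, image reference, NIC parameter and credential parameters are assumed placeholders, not values from the original post.

```bicep
// Added example, not the author's template; names, size, image and NIC are assumed placeholders.
param location string = resourceGroup().location
param vmName string = 'avd-sh-01'
param adminUsername string
@secure()
param adminPassword string
param nicId string

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  // Without this block (or an Azure Policy that adds it for you), AADLoginForWindows
  // cannot resolve the tenant and fails with DsrCmdAzureHelper::GetTenantId 0x801c002d.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsDesktop'
        offer: 'windows-11'
        sku: 'win11-23h2-avd'
        version: 'latest'
      }
      osDisk: { createOption: 'FromImage' }
    }
    networkProfile: {
      networkInterfaces: [ { id: nicId } ]
    }
  }
}

// The Entra join extension; declaring it as a child of vm makes Bicep deploy it after the VM (and its identity) exists.
resource aadLogin 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: vm
  name: 'AADLoginForWindows'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.ActiveDirectory'
    type: 'AADLoginForWindows'
    typeHandlerVersion: '2.0'
    autoUpgradeMinorVersion: true
  }
}
```

If you rely on Azure Policy to add the identity instead, check the VM's Activity Log for the policy remediation before the extension runs; declaring the identity in the template removes that dependency.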
Explanation:
Now you might be asking yourself: "How was Jason getting a system-assigned identity when it wasn't in the code?" The answer is Azure Policy. The customer and I both had a regulatory compliance initiative assigned to our subscriptions that creates a system-assigned identity on any virtual machine to support Guest Configuration. I discovered this change using the Activity Log on my virtual machine. The reason I'm writing a blog article about this issue is that the error code mentioned above is not in Microsoft's documentation. My teammate and I searched high and low for a quick fix and couldn't find it. Eventually we stumbled upon it. Hopefully, if you make this mistake, you'll find this article and have a quick fix.