Problem with remote session using Azure AD credentials

Hi!

I’m trying to execute commands on a remote machine.
Both host and remote machine are AzureAD-joined to the same domain, and the user, e.g. AzureAD\TestUser, has admin rights on the remote machine, i.e. AzureAD\TestUser shows up when I do a net localgroup Administrators on the remote machine. There is no local domain or DC or anything, only AzureAD.

Remoting itself seems to work correctly, as I can successfully execute
Invoke-Command -ScriptBlock {Get-EventLog system -Newest 10} -ComputerName <intranet IP> -Authentication Negotiate -Credential local_admin
where local_admin is a local admin account on the remote machine (for testing purposes).

However, trying the same command with -Credential AzureAD\TestUser gives me an “Access is denied”.

I even added (with some extra effort) the AzureAD\TestUser to the PSSessionConfiguration, i.e.
Get-PSSessionConfiguration -Name Microsoft.Powershell on the remote machine gives
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, AzureAD\TestUser AccessAllowed
but this should be redundant as the AzureAD user is already in the Admin group.

There also exists a user profile for AzureAD\TestUser on the remote machine (as well as the host machine), so this user has successfully physically logged into both machines prior to attempting the remoting.

There must be something I’m missing. Thanks for any pointers.
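A diagnostic script that checks, on the remote machine, the four prerequisites the post describes (WinRM running, membership in the local Administrators group, the endpoint ACL, an existing user profile). This is an added example, not code from the original post; it assumes an elevated Windows PowerShell 5.1 session on the remote machine (Get-LocalGroupMember and Get-PSSessionConfiguration need that), uses the user and endpoint names from the thread, and assumes the profile folder is named after the part of the account after the backslash.

```powershell
# Added example: verify the local authorization side of a remoting failure.
# Assumptions: run elevated on the remote machine; $User and $Config are the
# names used in the thread; the profile folder is C:\Users\<name after '\'>.
$User   = 'AzureAD\TestUser'      # account from the thread
$Config = 'Microsoft.PowerShell'  # default remoting endpoint

function Get-AdminMembers {
    # Get-LocalGroupMember can fail on Azure AD-joined machines when the group
    # holds SIDs it cannot resolve, so fall back to parsing the same
    # "net localgroup Administrators" output the post relied on.
    try {
        return (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
    } catch {
        $lines = @(net localgroup Administrators)
        # Members sit between the dashed separator and the trailing status line.
        $sep   = $lines | Where-Object { $_ -like '----*' } | Select-Object -First 1
        $start = [array]::IndexOf($lines, $sep) + 1
        return $lines[$start..($lines.Count - 1)] |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -notlike 'The command completed*' }
    }
}

$report = [ordered]@{
    WinRMRunning  = (Get-Service WinRM).Status -eq 'Running'
    InLocalAdmins = [bool](Get-AdminMembers | Where-Object { $_ -ieq $User })
    # Assumption: profile folder is named after the account's short name.
    ProfileExists = Test-Path (Join-Path $env:SystemDrive ('Users\' + $User.Split('\')[-1]))
}

# The endpoint's ACL must grant the user directly or via BUILTIN\Administrators.
$cfg = Get-PSSessionConfiguration -Name $Config -ErrorAction Stop
$report.EndpointPermission = $cfg.Permission
$report.EndpointGrantsUser = ($cfg.Permission -match [regex]::Escape($User)) -or
                             ($cfg.Permission -match 'BUILTIN\\Administrators AccessAllowed')

[pscustomobject]$report | Format-List
```

If every boolean comes back True, the remote machine's local authorization matches what the post describes, and the remaining suspect is how the credential is authenticated on the way in rather than what it is allowed to do once it arrives; a False anywhere points at the specific prerequisite to fix first.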

I encountered something similar some time ago, but the project took a turn so I wasn’t able to end in success. However, I did speak with Microsoft at the time, and for this scenario to work with AzureAD accounts and joined systems, Conditional Access is required (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).

If you have a subscription, it’s worth involving the Azure team.

Do you have the modules installed? AzureAD requires commands from the MSOnline module and the AzureAD module. If you run…

gcm "*msol*"

and

gcm "*AzureAD*"

and you don’t see a lot of commands returned, you need to install the modules.

install-module msonline

and

install-module azuread

After that, you need to use…

Connect-MsolService

and

connect-azuread

to connect into your instances. If your machine is a member, it will prompt you for creds if your logged-in creds aren’t elevated.
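The three steps of this reply (check for the cmdlets, install what is missing, connect) combined into one script. This is an added example, not code from the reply; it uses the module names the reply gives (MSOnline, whose cmdlets match *msol*, and AzureAD) and their connect cmdlets Connect-MsolService and Connect-AzureAD. Both modules have since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so treat this as the legacy path the reply is describing.

```powershell
# Added example: check, install if absent, then connect, for the two modules
# named in the reply. Assumes access to the PowerShell Gallery.
$modules = @(
    @{ Name = 'MSOnline'; Pattern = '*msol*';    Connect = 'Connect-MsolService' }
    @{ Name = 'AzureAD';  Pattern = '*AzureAD*'; Connect = 'Connect-AzureAD' }
)

foreach ($m in $modules) {
    # Get-Command discovers cmdlets from any installed module, so an empty
    # result means the module is not installed, not merely not imported.
    $found = @(Get-Command $m.Pattern -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        Write-Host "No $($m.Name) cmdlets found; installing from the PowerShell Gallery..."
        # CurrentUser scope needs no elevation; omit it to install machine-wide.
        Install-Module -Name $m.Name -Scope CurrentUser -Force -ErrorAction Stop
    } else {
        Write-Host "$($m.Name): $($found.Count) cmdlets already available"
    }

    Import-Module -Name $m.Name -ErrorAction Stop

    # Each connect cmdlet prompts interactively for Azure AD credentials;
    # both also accept -Credential if a PSCredential is to be supplied instead.
    & $m.Connect
}
```

Running the script twice is harmless: the second run finds the cmdlets, skips the install, and only re-runs the two connect prompts.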