Azure Virtual Desktop – Deployment Error 0x80072efd Azure AD Join

Azure Virtual Desktop supports virtual machines in a host pool to be Azure AD Joined and Intune Enrolled for management, and recently I came across an error message that I couldn’t find much about.

Deployment failure

During deployment I received this message, saying the extension used to Azure AD Join the VM failed.

{
    "status": "Failed",
    "error": {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'AADLoginForWindows'. Error message: \"AAD Join failed.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "
    }
}

Event log error

But it really doesn’t say why it failed. As always, one checks the Event logs, because the VM itself is created and reachable with local admin credentials. Under the Application log we found an error from AADLoginForWindowsHandler:

AAD Join failed with status code -2145648607.

Extension logs

That didn’t yield many results either, so through Microsoft Docs I found that the virtual machine stores the extension logs on the C: drive: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.\AADLoginForWindowsExtension_000000000.txt

It logs the events step by step in more detail, and here I found additional information on the error.

TenantInfo::Discover: DsrBeginDiscover failed. 0x80072efd
AAD Join failed with status code -2145648607.

The error code 0x80072efd is documented on Microsoft Docs, but for a different scenario: creating Azure AD Hybrid Joined devices. It still pointed me in the right direction, because this error occurs when the device is unable to communicate with the necessary endpoints. The documentation therefore tells you to check your connectivity against the list of URLs required for hybrid joining devices.

Azure Firewall warning

So I just attempted surfing the world wide web from the Azure Virtual Desktop VM, and behold, it did not work. Edge gave me this message:

Action: Deny. Reason: No rule matched. Proceeding with default action.

Solution

We know this message: it is returned by Azure Firewall because it does not allow the VM onto the Internet, which is where Azure AD and Intune live. We then had to open the necessary IP addresses and ports used by Intune and Azure AD so the VM could authenticate to and be managed by these cloud services.
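To check the two things described above on the VM itself, the extension log for the tenant-discovery failure and the outbound connectivity the join needs, here is an added PowerShell example (not code from the original post). The endpoint list is an assumption taken from Microsoft’s Azure AD join documentation as I recall it, not from the post; verify it against the currently published list.

```powershell
# Added example: find the AADLoginForWindows extension log entries for the
# failure and test TCP/443 towards the Azure AD join endpoints the firewall
# must allow. Endpoint list is an assumption, not from the original post.

$LogRoot = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows'

function Get-AadJoinLogFailure {
    param([string]$Root = $LogRoot)
    # The version folder name changes with each extension release, so recurse
    # instead of hard-coding it.
    Get-ChildItem -Path $Root -Filter 'AADLoginForWindowsExtension_*.txt' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'DsrBeginDiscover failed|0x80072efd|AAD Join failed' |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Filename
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

function Test-AadJoinEndpoints {
    param(
        [string[]]$Hosts = @(
            'login.microsoftonline.com',
            'enterpriseregistration.windows.net',   # Device Registration Service discovery
            'device.login.microsoftonline.com',
            'pas.windows.net'
        )
    )
    foreach ($h in $Hosts) {
        # -Port performs a plain TCP handshake; an Azure Firewall that denies
        # outbound 443 shows up as TcpTestSucceeded = False. A failed DNS
        # lookup shows up as Resolved = False.
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $h
            Resolved = [bool]$r.RemoteAddress
            Tcp443   = $r.TcpTestSucceeded
        }
    }
}

Get-AadJoinLogFailure | Format-Table -AutoSize
Test-AadJoinEndpoints | Format-Table -AutoSize
```

Any host with Tcp443 = False is a candidate for the firewall rule that needs opening; re-run after changing the Azure Firewall rules and before re-deploying the extension.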

This can sometimes be a problem if the VMs are required to be offline; in that case local join and management (ADDS/AADDS/GPO/SCCM) is the option. AVD also supports Hybrid Join, but without Internet connectivity there is no reason to be hybrid.

Or maybe Windows 365 is a better fit for your organization? Feel free to read my blog post about spending a day working only from Windows 365.


Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. My main focus is Microsoft Security and Endpoint Management, with the bigger picture in mind.