Azure VMs do not use the built-in administrator account. This means the account you use is subject to the normal password-expiry and lockout rules. For a standard, non-domain-joined VM there is a tool in Azure to reset an expired account, but it will not work for an AD-joined machine.
If you set up an Azure VM as a domain controller, it also doesn’t use the built-in account, so your domain admin account can be locked out and can expire. If the password expires, you’re pretty much stuck: you don’t have console access, so you can’t change the password, and the Azure tools can’t change it either.
If you find yourself in this situation and need to recover, there is a way, but it’s a bit crazy. It requires deleting a VM, so read through the entire procedure and validate it yourself before starting. This process did work for me.
First, create a new VM in the same resource group as the VM you need to recover. This VM needs to support nested Hyper-V, so check which sizes support that. I used a D2SV3 server. Once the server is created, log in and add the Hyper-V role to it.
Now for the scary part. Delete the VM you need to recover. Before you do, check the VM’s disk settings and confirm the OS disk is set to be kept rather than deleted along with the VM. There are no prompts or questions, but this just deletes the VM and leaves the OS disk behind. The important part is that it unbinds the OS disk, so after the delete finishes you can add it as a data disk to your new Hyper-V host VM.
After you add the disk, go into Disk Management on the host and mark the disk as offline; Hyper-V will only pass through a disk that is offline. Now you can create a nested VM and attach the disk to it as what Hyper-V sees as a physical disk.
Then boot that nested VM. Since you now have console access, you can go through the normal password-change process. After that, shut down the nested VM and remove the data disk from the host.
Once that completes, you can use the OS disk to create a new VM. For some reason you have to start this process from the disk itself, not from the Create VM screen.
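The whole procedure above as one script, added here as an example and not the author’s own code, using Az PowerShell on a management workstation and the Hyper-V cmdlets on the host. Resource names and the NIC are placeholders, and the disk number and VM generation (Gen 1, BIOS/MBR) are assumptions you must verify with Get-Disk and the original VM’s settings before running.

```powershell
# Added example (not from the original post). Placeholders: replace before use.
$rg       = 'rg-placeholder'
$brokenVm = 'dc01-placeholder'     # VM whose admin password has expired
$hostVm   = 'hvhost-placeholder'   # nested-Hyper-V capable host from step 1
$location = 'eastus'

# --- Management workstation (Az module, after Connect-AzAccount) ---
$vm = Get-AzVM -ResourceGroupName $rg -Name $brokenVm
$osDiskName = $vm.StorageProfile.OsDisk.Name
# Safety check: the OS disk must survive the deletion, or there is nothing to recover.
if ($vm.StorageProfile.OsDisk.DeleteOption -eq 'Delete') {
    throw "OS disk $osDiskName would be deleted with the VM; set it to Detach first."
}
Remove-AzVM -ResourceGroupName $rg -Name $brokenVm -Force   # VM goes, managed disk stays

# Attach the orphaned OS disk to the Hyper-V host as a data disk
$osDisk = Get-AzDisk -ResourceGroupName $rg -DiskName $osDiskName
$hv = Get-AzVM -ResourceGroupName $rg -Name $hostVm
$hv = Add-AzVMDataDisk -VM $hv -Name $osDiskName -CreateOption Attach -ManagedDiskId $osDisk.Id -Lun 0
Update-AzVM -ResourceGroupName $rg -VM $hv

# --- Inside the Hyper-V host VM (Install-WindowsFeature Hyper-V done, host rebooted) ---
$diskNumber = 2   # ASSUMPTION: confirm with Get-Disk (0 = host OS, 1 = temp disk on most sizes)
Set-Disk -Number $diskNumber -IsOffline $true   # Hyper-V only passes through offline disks
# ASSUMPTION: Gen 1 + IDE for a BIOS/MBR disk; use -Generation 2 and SCSI for a UEFI disk
New-VM -Name 'recover' -MemoryStartupBytes 4GB -Generation 1 -NoVHD
Add-VMHardDiskDrive -VMName 'recover' -ControllerType IDE -DiskNumber $diskNumber
Start-VM -Name 'recover'
# Open the console (vmconnect.exe localhost recover), log in, change the expired password.
Stop-VM -Name 'recover' -Force      # only after the password change has completed
Remove-VM -Name 'recover' -Force    # removes the VM definition, not the disk

# --- Management workstation again: detach the disk and rebuild the VM from it ---
$hv = Get-AzVM -ResourceGroupName $rg -Name $hostVm
Remove-AzVMDataDisk -VM $hv -Name $osDiskName
Update-AzVM -ResourceGroupName $rg -VM $hv

# ASSUMPTION: a NIC still exists (kept from the deleted VM) or was created beforehand
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'dc01-nic-placeholder'
$cfg = New-AzVMConfig -VMName $brokenVm -VMSize 'Standard_D2s_v3'
$cfg = Set-AzVMOSDisk -VM $cfg -ManagedDiskId $osDisk.Id -CreateOption Attach -Windows
$cfg = Add-AzVMNetworkInterface -VM $cfg -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $cfg
```

The three sections run in different places (workstation, host, workstation), so run them one at a time rather than as a single script.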