Connecting via Remote Desktop to an Entra ID-joined Windows machine, by using the Entra ID credentials, should be easy, right? It usually is… if you have covered all the prerequisites.
Multiple such guides are around, but none has listed all the steps needed (or I just haven’t found the right one) – I chose to follow this one, from my MVP colleague Tom Wechsler, available here.
Some points before we start:
- I don’t have a P1 or P2 license, so there are no Conditional Access policies (if there were, I would create one that skips MFA for these connections, as per this article)
- Security defaults are enabled on my tenant, so all users need to register for MFA in 14 days (which allowed me to skip MFA… for 14 days)
- this is not to be used for production, as not all security best practices are being followed(!)
In my case, all the required steps that allowed me to finally access my Entra ID-joined Windows (Server) machine in Azure via (publicly accessible) Remote Desktop (FOR DEMO PURPOSES), are the following:
Create an Entra ID-joined Windows virtual machine in Azure:
- first, you will need to select a supported operating system (Windows 10/11, Windows Server Datacenter 2019/2022):
- worked for me with both Windows Server 2019 Datacenter and Windows Server 2022 Datacenter
- another thing needed during the creation of the machine itself is to select Login with Microsoft Entra ID under Management settings, so that your machine is automatically joined to Entra ID and has the extension installed (note that this option automatically creates the system-assigned managed identity as well; if it is not selected at the time of creation, it can also be added later, under the virtual machine’s Extensions):
Create a user that will connect to the virtual machine:
- the easiest option is to create a fresh Entra ID user that will be used only for connecting to this virtual machine (you can also use an existing user, but make sure it is not using MFA, which will prevent you from connecting) – my user will be called vmuser
- sign in to the Azure portal with this new user if you need to change its password, or just to skip the MFA setup:
- as the machine is Entra ID-joined, under the Access Control (IAM) settings of the virtual machine (in my case, temp-1), assign this user (vmuser) either the Virtual Machine User Login or the Virtual Machine Administrator Login role:
Connect to the virtual machine with a local admin account (created with the machine):
- if you run the dsregcmd /status command, the following should already be configured:
- AzureAdJoined: YES
- AzureAdPrt: NO
- IsDeviceJoined: YES
- next, go to the System Properties – Remote Desktop settings and disable the Network Level Authentication option (enabled by default):
- next, open the Local Security Policy console (secpol.msc) and check if the option Security Settings – Local Policies – Security Options – Network security: Allow PKU2U authentication requests to this computer to use online identities. is set to Enabled (if not, enable it – reboot will be required):
On the computer you will be connecting from (not Entra ID-joined):
- do the same – open the Local Security Policy console (secpol.msc) and check if the option Security Settings – Local Policies – Security Options – Network security: Allow PKU2U authentication requests to this computer to use online identities. is set to Enabled (if not, enable it – reboot will be required):
- next, download the RDP connection file from the portal:
- and then edit the downloaded RDP file (with Notepad) – it should look like the below (more on the available options):
- remove the line with the username (as it will be provided on connection)
- add the following two lines:
- enablecredsspsupport:i:0
- authentication level:i:2
- try connecting to the virtual machine now, by using the edited RDP file, username, and password of your Entra ID account:
- for the username, make sure you are using the AzureAD\upn-or-email-address format (in my case, AzureAD\[email protected])
- your connection should be working, and you will have either the user or admin permissions on the system (depending on the assigned Entra ID role):
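The RDP file edits and the PKU2U policy check from the steps above, as an added PowerShell example (not from the original post); the file path and name are assumptions, and the policy check only reports the current state, it does not change it:

```powershell
# Added example: prepares the downloaded RDP file as described above and
# reports whether the "Allow PKU2U authentication requests to this computer
# to use online identities" policy is enabled on the connecting machine.

function Set-EntraRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $OutPath = $Path
    )
    $lines = @(Get-Content -Path $Path)
    # drop the username line; AzureAD\upn is typed at connection time instead
    $lines = @($lines | Where-Object { $_ -notmatch '^username:s:' })
    # remove any existing copies of the two settings before adding the required values
    $lines = @($lines | Where-Object { $_ -notmatch '^(enablecredsspsupport|authentication level):i:' })
    $lines += 'enablecredsspsupport:i:0'   # no CredSSP, so the Entra ID (PKU2U) logon path is used
    $lines += 'authentication level:i:2'   # warn, but still allow connecting, if server auth fails
    Set-Content -Path $OutPath -Value $lines -Encoding Unicode
    return $lines
}

function Test-Pku2uOnlineId {
    # registry value behind the secpol.msc setting used in the steps above
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $item = Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.AllowOnlineID -eq 1)
}

# usage (assumed path to the RDP file downloaded from the portal)
$rdp = "$env:USERPROFILE\Downloads\temp-1.rdp"
Set-EntraRdpFile -Path $rdp | Out-Null
if (-not (Test-Pku2uOnlineId)) {
    Write-Warning 'PKU2U online identities are not enabled here; enable the policy in secpol.msc and reboot.'
}
```

Run it on the connecting (non-joined) machine; the PKU2U check also has to pass on the VM itself, as noted above.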
Hope this helps.
Cheers!