Log in with RDP to a Windows Azure VM using Azure AD


To improve the security of your Linux and Windows virtual machines (VMs) in Azure, Microsoft integrated Azure Active Directory (AAD) authentication, so you can centrally control and enforce policies that allow or deny access to the VMs. Tools like Azure role-based access control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM remotely.

In this article, I will show you how to log in with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory.

Introduction

Deploying Windows VMs in Azure is common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, when you create Windows virtual machines (VMs) in Azure, you add local administrator accounts to log in to these VMs, and it becomes difficult to manage these accounts as people join or leave teams.

To make things simple, people often follow the risky practice of sharing admin account passwords among large groups of people. This makes it very hard to protect your production Windows VMs and to collaborate with your team when using shared Windows VMs.

By the end of 2019, Microsoft announced that you can now use Azure AD authentication to connect to Windows VMs in Azure. In this article, I will share with you my experience on how to set up and log in with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure VM running Windows Server 2019 Datacenter edition or Windows 10 version 1809 and later.
  3. When you create a Windows virtual machine in Azure, you need to make sure you have selected Login with AAD credentials in the Management blade. Once you select Login with AAD credentials, the system assigned managed identity will be automatically selected as shown in the figure below.
     (Figure: Create Windows VM with Azure AD Login)
  4. To verify that your Windows virtual machine does support Azure AD Login, you can check if the AAD Login extension is provisioned successfully from the virtual machine blade under Settings | Extensions.
     (Figure: Azure AD Login Extension for Windows)
  5. If you have an Azure AD Premium 2 license with MFA, then make sure to create a new Conditional Access Policy to exclude MFA requirements on Azure Windows VM Sign-in as shown in the figure below.
     (Figure: Azure Windows VM Sign-in)
  6. Finally, to connect to Windows VM in Azure using Azure AD authentication, you need to have a Windows 10 PC that is either Azure AD registered (starting Windows 10 20H1), Azure AD joined or Hybrid Azure AD joined to the same directory as the VM in Azure.

Please note that if you have MFA enabled, you will need to create an Azure AD Conditional Access policy! However, Azure AD Conditional Access requires an Azure Active Directory Premium P2 license (included in E5). Without it, you won't be able to log in from outside if MFA is enabled.

Enable Azure AD login for Windows VM

Once you create the virtual machine in Azure, then you need to add some permissions to it. Take now the following steps:

  1. In the Azure Portal, from the Virtual machine’s blade, select your Windows VM and then click on Access Control (IAM).
  2. Select Role assignments, then click + Add and then choose to Add role assignment.
  3. In the Add role assignment blade, you need to choose one of two different roles (Virtual Machine Administrator Login or Virtual Machine User Login). The user login obviously doesn’t have administrator rights, whereas the administrator login does. But for the purpose of this example, I want to be the administrator login for the virtual machine.
  4. Next, leave ‘Assign access to‘ at its default because we want to choose a user. Then choose the username that you’d like to give permission to and click Save as shown in the figure below. You can also add an Azure AD security group that has multiple users as members.
     (Figure: Add role assignment to Windows VM in Azure)
  5. The user has now been given the ability to log in to your Windows Azure virtual machine, but there’s still more to it.
  6. Go back to your Windows 10 or Windows Server 2019 virtual machine in the Azure Portal, and then click on the Connect button that will allow you to download the RDP file. This will allow you to connect to the public IP address of your Windows machine.
     (Figure: Connect with RDP Azure VM)
  7. Download the RDP file and save it on your machine (we need to edit the file in a later step). Next, you need to test that you are able to connect to your machine using your public IP address and the local account that you specified when you created the virtual machine.
  8. Once you login to your machine with RDP, you need to open the Command Prompt window as administrator and type the following command: dsregcmd /status. Microsoft says in their documentation here that you can view the device and SSO state by running this command.
  9. Now if we look at the output of this command as shown in the figure below, we can see that the SSO State for AzureAdPrt is NO, and the Device State for AzureAdJoined is set to YES. However, the SSO State for AzureAdPrt should be set to YES and not NO!
     (Figure: Device and SSO State)
  10. Microsoft says that you just have to update or upgrade to the latest version of Windows and the AzureAdPrt switch will be set to YES. But it didn’t work for me. So how do we get this to work?
  11. After investigation, I found another way to make it work by modifying the RDP file that we downloaded in the previous step.
  12. Open the RDP file with WordPad or Notepad, and add the two lines shown below. The first line disables CredSSP support, and the second sets the authentication level to 2, which means that if server authentication fails, a warning is shown and you can choose to connect or refuse the connection (Warn me).
    enablecredsspsupport:i:0
    authentication level:i:2

    (Figure: Enable CredSSP support and authentication)

  13. Next, you need to go to System in Control Panel | Remote settings, and uncheck ‘Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)‘ as shown in the figure below.
     (Figure: Allow connections only from computers running Remote Desktop with NLA)
  14. Next, you need to add your Azure AD user to the Remote Desktop Users group. However, this step cannot be accomplished through the GUI. The option for Azure Active Directory doesn’t exist, even though the virtual machine is Azure AD joined as shown in Step 9 (Device State for AzureAdJoined is set to YES).
     (Figure: Add Azure Active Directory Remote User)
  15. We need to use the command prompt to add the user. Open the Command Prompt window as administrator and type the following command. It adds the user to the Remote Desktop Users group, which is required: the group name is followed by /add and then the member to add, written as AzureAD, a backslash, and the user’s full email address (with the appropriate domain name). The name of your Azure Active Directory tenant does not matter here; the prefix is always AzureAD.
    # Add Azure AD user to Remote Desktop Users Group
    net localgroup "remote desktop users" /add "AzureAD\username@domain.com"

  16. To verify, you can open Remote Desktop Users from the GUI and check that the Azure AD user was added successfully.
     (Figure: Verify Azure AD user added to Remote Desktop Users)
  17. Sign out from the VM and then use the edited RDP file to connect and verify that you can access the Windows VM using the Azure AD user that was added in the Access Control (IAM) blade.
     (Figure: Log in using Azure AD credentials to a Windows VM)
  18. Finally, to confirm that you are logged in to the VM with Azure AD authentication, open the Command Prompt window as administrator and type: whoami.
     (Figure: whoami output after logging in with RDP to a Windows Azure VM using Azure AD)
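As an added example (not code from the original post), the following PowerShell script, run in an elevated prompt on the VM, automates the on-VM part of steps 8 to 16: it parses the output of dsregcmd /status for the AzureAdJoined and AzureAdPrt states, then adds the Azure AD user to the Remote Desktop Users group only if it is not already a member, and verifies the result. The UPN you pass in is a placeholder you replace with the real user.

```powershell
# Added example, not from the original post. Run as administrator on the Azure VM.
# $AzureAdUpn is a placeholder, e.g. user@contoso.com, and must be a user that
# already has the Virtual Machine Administrator/User Login role on this VM.
param(
    [Parameter(Mandatory)] [string] $AzureAdUpn
)

# Steps 8/9: read the Device State and SSO State lines reported by dsregcmd /status
function Get-DsregState {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2].ToUpper()
        }
    }
    return $state
}

# Steps 15/16: check membership by parsing "net localgroup" output. The classic
# tool is used on purpose: Get-LocalGroupMember does not reliably list AzureAD principals.
function Test-RdpGroupMember {
    param([string] $Member)
    $members = & net.exe localgroup "Remote Desktop Users"
    return [bool]($members | Where-Object { $_.Trim() -ieq $Member })
}

$state = Get-DsregState
if ($state['AzureAdJoined'] -ne 'YES') {
    throw "VM is not Azure AD joined; check that the AAD Login extension provisioned successfully."
}
if ($state['AzureAdPrt'] -ne 'YES') {
    # Matches the state seen in step 9; the RDP file edit from steps 12/13 is then needed
    Write-Warning "AzureAdPrt is '$($state['AzureAdPrt'])', not YES."
}

# Members of an Azure AD joined machine are always referenced with the AzureAD\ prefix
$member = "AzureAD\$AzureAdUpn"
if (Test-RdpGroupMember -Member $member) {
    "$member is already a member of Remote Desktop Users"
} else {
    & net.exe localgroup "Remote Desktop Users" /add $member
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    if (-not (Test-RdpGroupMember -Member $member)) { throw "$member not visible in group after add" }
    "Added $member to Remote Desktop Users"
}
```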

Please note that remote connections to VMs joined to Azure AD are only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the VM.

To learn more about Windows Azure VMs and Azure AD, please check the official documentation by Microsoft here.

Summary

In this article, I showed you how to sign in with RDP to a Windows virtual machine in Azure using Azure Active Directory (AAD) authentication, which is still in public preview. At the time of this writing, there are a lot of prerequisites that you need to meet before you can connect to the Windows VM successfully.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


4 thoughts on “Log in with RDP to a Windows Azure VM using Azure AD”


  1. Great post. Would it be a way to do this:
    net localgroup "remote desktop users" /add "AzureAD\username@domain.com"

    embedded in the VM ARM template?

  2. Hello Frankie, thanks for your comment. Yes, you could embed this in VM ARM Template. For this, you need to use deployment scripts in ARM. Please check this guide.

  3. Thanks for this great post, it really helped me. I was looking for the solution for a long time, even MS couldn’t help me.

  4. Thank you, Arun for your comment and feedback, much appreciated!
