Log in with RDP to a Windows Azure VM using Azure AD


To improve the security of your Linux and Windows virtual machines (VMs) in Azure, Microsoft integrated Azure Active Directory (AAD) authentication, so you can centrally control and enforce policies that allow or deny access to the VMs. Tools like Azure role-based access control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM remotely.

In this article, we will show you how to log in with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory.

Introduction

Deployment of Windows VMs in Azure is common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, when you create Windows virtual machines (VMs) in Azure, you add local administrator accounts to log in to these VMs and it becomes difficult to manage these accounts as people join or leave teams.

To keep things simple, people often follow the risky practice of sharing admin account passwords among large groups. This makes it very hard to protect your production Windows VMs, and to collaborate with your team when using shared Windows VMs.

By the end of 2019, Microsoft announced that you can now use Azure AD authentication to connect to Windows VMs in Azure. In this article, we will share our experience of setting up and logging in with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory (AAD).

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure VM running Windows Server 2019/2022 Datacenter edition or Windows 10 version 1809 and later.

3) When you create a Windows virtual machine in Azure, you need to make sure you have selected Login with AAD credentials in the Management blade. Once you select Login with AAD credentials, the system-assigned managed identity will be automatically selected as shown in the figure below.

Create Windows VM with Azure AD Login

> If you already have a VM and you want to enable/install Azure AD Login for Windows afterward, then you could use the following PowerShell command to install the AAD login extension for an existing VM. Please note that you must first enable system-assigned managed identity on the VM before you set the extension. Also, make sure that the VM can reach the required public endpoints of Microsoft as documented here.

# Name and resource group of the existing VM (replace with your own values)
$vmName = "VM-name-Here"
$vmRgName = "Resource-Group-Name-Here"
# The extension is published by Microsoft.Azure.ActiveDirectory; the name and type must both be AADLoginForWindows
$extensionName = "AADLoginForWindows"
$publisher = "Microsoft.Azure.ActiveDirectory"

# Read the VM so its location can be passed to the extension
$vm = Get-AzVm -ResourceGroupName $vmRgName -Name $vmName

# Install the Azure AD login extension (the VM must already have a system-assigned managed identity)
Set-AzVMExtension -ResourceGroupName $vmRgName `
                  -VMName $vm.Name `
                  -Name $extensionName `
                  -Location $vm.Location `
                  -Publisher $publisher `
                  -Type "AADLoginForWindows" `
                  -TypeHandlerVersion "0.4"

4) To verify that your Windows virtual machine does support Azure AD Login, you can check if the AAD Login extension is provisioned successfully from the virtual machine blade under Settings | Extensions.
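The following is an added example, not code from the original post: it covers the two notes above for an existing VM from an admin workstation, enabling the system-assigned managed identity first (the extension authenticates the VM to Azure AD with that identity), installing the extension only if it is missing, and then performing the same provisioning-state check that the portal shows under Settings | Extensions. It requires the Az.Compute module and an authenticated session (Connect-AzAccount); $vmName and $vmRgName are placeholders, and the TypeHandlerVersion is the one the post uses.

```powershell
# Added example (not from the original post). Run from a workstation with Az.Compute
# after Connect-AzAccount. $vmName and $vmRgName are placeholders for your VM.
$vmName   = "VM-name-Here"
$vmRgName = "Resource-Group-Name-Here"
$extName  = "AADLoginForWindows"

$vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName

# Step 3 note: the extension needs the VM's system-assigned managed identity,
# so enable it before installing the extension. Update-AzVM returns an
# operation result, not the VM, hence the re-read afterwards.
if ($null -eq $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Write-Host "Enabling system-assigned managed identity on $vmName ..."
    Update-AzVM -ResourceGroupName $vmRgName -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName
}

# Install the extension only if it is not already present on the VM.
$ext = Get-AzVMExtension -ResourceGroupName $vmRgName -VMName $vmName -Name $extName -ErrorAction SilentlyContinue
if (-not $ext) {
    Write-Host "Installing $extName on $vmName ..."
    Set-AzVMExtension -ResourceGroupName $vmRgName -VMName $vmName -Name $extName `
        -Location $vm.Location -Publisher "Microsoft.Azure.ActiveDirectory" `
        -Type $extName -TypeHandlerVersion "0.4" | Out-Null   # version used in the post
    $ext = Get-AzVMExtension -ResourceGroupName $vmRgName -VMName $vmName -Name $extName
}

# Step 4: the provisioning state is what the Extensions blade displays.
if ($ext.ProvisioningState -eq "Succeeded") {
    Write-Host "$extName is provisioned; Azure AD login is available on $vmName."
} else {
    Write-Warning ("{0} is in state '{1}'. Check that the VM can reach the required " +
                   "Microsoft public endpoints, then retry.") -f $extName, $ext.ProvisioningState
}
```

If the state stays at anything other than Succeeded, the usual cause is the VM being unable to reach the Microsoft endpoints referenced in the note above (for example because of a restrictive NSG or firewall), so that is the first thing to check before reinstalling the extension.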

Azure AD Login Extension for Windows

5) If you have an Azure AD Premium 2 license with MFA, then make sure to create a new Conditional Access Policy to exclude MFA requirements on Azure Windows VM Sign-in as shown in the figure below.

Azure Windows VM Sign-in

6) Finally, to connect to Windows VM in Azure using Azure AD authentication, you need to have a Windows 10 PC that is either Azure AD registered (starting Windows 10 20H1), Azure AD joined or Hybrid Azure AD joined to the same directory as the VM in Azure.

Please note that if you have MFA enabled, you will need to create an Azure AD Conditional Access policy. However, Azure AD Conditional Access requires an Azure Active Directory Premium P2 license (included in M365 E5). Otherwise, you won’t be able to log in from outside when MFA is enabled. Additionally, at the time of this writing, Azure Bastion can’t be used to log in with Azure Active Directory authentication through the AADLoginForWindows extension; only direct RDP is supported.

Enable Azure AD login for Windows VM

Once you create the virtual machine in Azure, then you need to add some permissions to it. Take now the following steps:

1) In the Azure Portal, from the Virtual machine’s blade, select your Windows VM and then click on Access Control (IAM).

2) Select Role assignments, then click + Add and then choose to Add role assignment.

3) In the Add role assignment blade, you need to choose one of two different roles (Virtual Machine Administrator Login or Virtual Machine User Login). The user login obviously doesn’t have administrator rights, whereas the administrator login does. But for the purpose of this example, we want to be the administrator login for the virtual machine.

4) Next, leave ‘Assign access to’ at its default because we want to choose a user. Then choose the user that you’d like to give permission to and click Save as shown in the figure below. You can also add an Azure AD security group whose members are the users you want to grant access to.

Add role assignment to Windows VM in Azure

5) Now that the user has been given the ability to log in to your Windows Azure virtual machine, there’s still more to it.

6) Go back into your Windows 10 or Windows Server 2019 virtual machine in the Azure Portal, and then click on the Connect button that will allow you to download the RDP file. This will allow you to connect to the Public IP address of your Windows machine.

Connect with RDP Azure VM

7) Download the RDP file and save it on your machine (we need to edit the file in a later step). Next, you need to test that you are able to connect to your machine using your public IP address and the local account that you specified when you created the virtual machine.

8) Once you log in to your machine with RDP, you need to open the Command Prompt window as administrator and type the following command: dsregcmd /status. Microsoft says in their documentation here that you can view the device and SSO state by running this command.

dsregcmd /status

9) Now if we look at the output of this command as shown in the figure below, we can see that the SSO State for AzureADPrt is NO, and the Device State for AzureAdJoined is set to YES. However, the SSO State for AzureADPrt should be set to YES and not NO!

Device and SSO State

10) Microsoft says that you just have to update or upgrade to the latest version of Windows and the AzureAdPrt switch will be set to YES. But it didn’t work for me. So how do we get this to work?

11) After investigation, I found another way to make it work by modifying the RDP file that we downloaded in the previous step.

12) Open the RDP file with WordPad or Notepad and add the two lines shown below. The first line disables CredSSP support, and the second sets the authentication level to 2, which means that if server authentication fails, a warning is shown and you can choose to connect anyway or refuse the connection (Warn me).

enablecredsspsupport:i:0
authentication level:i:2

Enable CredSSP support and authentication

Another option, instead of editing the RDP properties as shown in the figure above, is to add the two lines directly under Host Pool | RDP properties | Advanced; this works with both the Remote Desktop client and the web client. This option applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects.
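As an added example (not code from the original post), the following PowerShell performs the role assignment from steps 1 to 4 with the Az module and then applies the two RDP-file settings from step 12 to the file downloaded in step 7, so that both changes are repeatable and reviewable instead of being clicked through. It assumes an authenticated session with Az.Compute and Az.Resources installed; $vmName, $vmRgName, $principal and $rdpPath are placeholders, and the Set-RdpAadSettings function is defined here, not part of any Microsoft tooling.

```powershell
# Added example (not from the original post). Run on the admin workstation after
# Connect-AzAccount. All variables below are placeholders for your environment.
$vmName    = "VM-name-Here"
$vmRgName  = "Resource-Group-Name-Here"
$principal = "user@domain.com"                 # UPN of the user to grant access to
$rdpPath   = "$HOME\Downloads\$vmName.rdp"     # the RDP file downloaded in step 7

$vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName

# Steps 3-4: choose the role. "Virtual Machine User Login" is the least-privilege
# choice; the post uses the administrator role, so that is what is assigned here.
$role = "Virtual Machine Administrator Login"

# Scope the assignment to this single VM's resource ID rather than the resource
# group or subscription, so the login right does not spread to other VMs.
# For an Azure AD security group, replace -SignInName with -ObjectId <group object id>.
$existing = Get-AzRoleAssignment -SignInName $principal -RoleDefinitionName $role `
                                 -Scope $vm.Id -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "$principal already holds '$role' on $vmName."
} else {
    New-AzRoleAssignment -SignInName $principal -RoleDefinitionName $role -Scope $vm.Id | Out-Null
    Write-Host "Assigned '$role' to $principal on $vmName."
}

function Set-RdpAadSettings {
    # Step 12: add the two settings to an .rdp file, replacing any existing copies.
    # RDP files are "name:type:value" lines; the two keys are compared case-insensitively.
    param([Parameter(Mandatory)][string]$Path)

    $wanted = [ordered]@{
        'enablecredsspsupport' = 'i:0'   # no CredSSP pre-authentication; sign in at the Windows logon screen
        'authentication level' = 'i:2'   # 2 = warn if server authentication fails and let the user decide
    }

    $lines = @()
    if (Test-Path -Path $Path) {
        $lines = @(Get-Content -Path $Path | Where-Object {
            $key = ($_ -split ':', 2)[0].Trim().ToLowerInvariant()
            -not $wanted.Contains($key)
        })
    }
    foreach ($key in $wanted.Keys) { $lines += ('{0}:{1}' -f $key, $wanted[$key]) }

    Set-Content -Path $Path -Value $lines
    return $lines
}

Set-RdpAadSettings -Path $rdpPath | Out-Null
Write-Host "Updated $rdpPath; connect with: mstsc `"$rdpPath`""
```

When the connection prompts for credentials, sign in with the user in the AzureAD\user@domain.com form used later in this post. Filtering out existing copies of the two keys before appending keeps the function idempotent, so it can be re-run on a freshly downloaded file without producing duplicate lines.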

13) Next, you need to go to System in Control Panel | Remote settings and uncheck ‘Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)‘ as shown in the figure below. Please note that Network Level Authentication (NLA) can be left enabled if you’re connecting from an Azure AD registered/hybrid/joined device and must be disabled if connecting from an unregistered device.

Allow connections only from computers running remote desktop with NLA

14) Next, you need to add your Azure AD user to the Remote Desktop Users group. However, this step cannot be accomplished through the GUI. The option for Azure Active Directory doesn’t exist, even though the virtual machine is Azure AD joined as shown in Step 9 (Device State for AzureAdJoined is set to YES).

Add Azure Active Directory Remote User

15) We need to use the command prompt to add the user. Open the Command Prompt window as administrator and run the following command. It adds the user to the Remote Desktop Users group, which is required for RDP access: the /add switch is followed by AzureAD (the actual name of your Azure Active Directory tenant doesn’t matter here), then a backslash, then the user’s full email address (including the appropriate domain name).

# Add Azure AD user to Remote Desktop Users Group
net localgroup "remote desktop users" /add "AzureAd\username@domain.com"

16) To verify, you can open the Remote Desktop Users from the GUI and check that the Azure AD user was added successfully.

Verify Azure AD user added to Remote Desktop Users
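The following is an added example, not code from the original post, intended to be saved as a .ps1 file and run inside the VM from an elevated PowerShell window. It reads the two dsregcmd states from step 9, turns off the NLA requirement from step 13 only when explicitly asked (the post notes it can stay enabled for Azure AD registered or joined clients), and adds the Azure AD user to the Remote Desktop Users group with the same net localgroup syntax as step 15, verifying the membership afterwards (step 16). The -AadUser and -DisableNla parameters are defined by this script; the registry value it sets is the one behind the Remote settings checkbox.

```powershell
# Added example (not from the original post). Run inside the VM as administrator:
#   .\Enable-AadRdpUser.ps1 -AadUser user@domain.com [-DisableNla]
param(
    [Parameter(Mandatory)][string]$AadUser,   # e.g. "user@domain.com" (placeholder)
    [switch]$DisableNla                       # only when the client PC is not AAD registered/joined
)

function Get-AadDeviceState {
    # Step 9: dsregcmd /status prints lines such as "AzureAdJoined : YES"; collect the two we need.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$state = Get-AadDeviceState
if ($state['AzureAdJoined'] -ne 'YES') {
    throw "This VM is not Azure AD joined; check the AADLoginForWindows extension before continuing."
}
if ($state['AzureAdPrt'] -ne 'YES') {
    Write-Warning "AzureAdPrt is '$($state['AzureAdPrt'])'; the RDP file settings from step 12 are needed."
}

# Step 13: the 'Allow connections only from computers running Remote Desktop with NLA'
# checkbox is backed by this registry value (1 = require NLA, 0 = do not require it).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($DisableNla) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 0 -Type DWord
    Write-Warning "NLA is no longer required on this VM; re-enable it (value 1) once clients are AAD registered/joined."
} else {
    Write-Host "Leaving NLA required; connect from an Azure AD registered or joined client."
}

# Steps 14-15: the GUI cannot select Azure AD principals, so use net localgroup.
$member  = "AzureAD\$AadUser"
$group   = "Remote Desktop Users"
$current = net localgroup $group
if ($current -match [regex]::Escape($member)) {
    Write-Host "$member is already a member of '$group'."
} else {
    net localgroup $group /add $member
    if ($LASTEXITCODE -ne 0) { throw "Adding $member to '$group' failed (exit code $LASTEXITCODE)." }
}

# Step 16: verify the membership from the command line instead of the GUI.
$after = net localgroup $group
if (-not ($after -match [regex]::Escape($member))) {
    throw "$member does not appear in '$group' after the change."
}
Write-Host "$member is a member of '$group'. Sign out and reconnect with the edited RDP file."
```

The script throws rather than continuing when the device is not Azure AD joined or when the group change cannot be confirmed, so a failed step is not silently carried into the reconnect test in step 17. The membership check parses net localgroup output because that is the same view the Remote Desktop Users GUI shows.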

17) Sign out from the VM and then use the edited RDP file to connect, and verify that you can access the Windows VM with the Azure AD user that was added in the Access Control (IAM) blade.

Log in using Azure AD credentials to a Windows VM

18) Finally, confirm that you are logged in to the VM with Azure AD authentication. You can open the Command Prompt window as administrator and type: whoami.


Please note that remote connections to VMs joined to Azure AD are only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the VM.

To learn more about Windows Azure VMs and Azure AD, please check the official documentation by Microsoft here.

Summary

In this article, I showed you how to sign in to a Windows virtual machine in Azure with RDP using Azure Active Directory (AAD) authentication, which is still in public preview. At the time of this writing, there are a lot of prerequisites that you must adhere to so you can connect to the Windows VM successfully.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


21 thoughts on “Log in with RDP to a Windows Azure VM using Azure AD”


  1. Great post. Would it be a way to do this:
    net localgroup "remote desktop users" /add "AzureAd\username@domain.com"

    embedded in the VM ARM template?

  2. Thanks for this great post, it really helped me. I was looking for the solution for a long time, even MS couldn’t help me.

  3. Thanks for the great post. Is it possible for a different azure directory user to log in to azure VM in a different directory?

  4. Hello Raj, thanks for the comment. This scenario is not supported yet. We cannot log in to a VM with a user from a different Azure Active Directory tenant.
    The VM is deployed in (Tenant A) and the users are in (Tenant B).

  5. So I’ve read through this article and the Microsoft article and the only issue I can’t figure out is the “Azure Windows VM Sign-In” app. I don’t see it anywhere when digging through Enterprise Applications to add it so that I can create a Conditional Access Policy. I’ve looked at two different tenants and can’t seem to see how to add it. Any ideas?

  6. Hello Inso, thanks for your comment.
    If you follow all the steps as described in the Prerequisites section, by selecting System assigned managed identity and log in with AAD credentials, the “Azure Windows VM Sign-In” App should be created in Azure AD automatically.
    Here is a screenshot from my Azure AD environment.
    Azure Windows VM Sign-In
    Hope this helps!

  7. One extra comment, I think you’re missing a ‘\’ in your command to add a user to the ‘remote desktop users’ group after ‘azuread’.
    i.e. – net localgroup "remote desktop users" /add "AzureAd\username@domain.com"

  8. Thank you Luke for the feedback, much appreciated!
    Yes, I have missed the ‘\’ in my command when adding the user to the Remote Desktop Users Group.
    I have updated the article.

  9. Hello John, thanks for the feedback!
    Please use the following updated command to add the user to the Remote Desktop Users Group.
    net localgroup "remote desktop users" /add "AzureAd\username@domain.com"
    Hope this helps!

  10. Great article.

    Two questions:

    – Access to RDP to the VM is granted by assigning the “Virtual Machine Administrator Login”
    or “Virtual Machine User Login” to a user, an AAD security group, …
    Assigning the administrator login provides administrator access, assigning the user login
    grant non-admin, standard user access. This is very coarse-grained: admin or non-admin.
    What if the user needs more granular and/or more elevated permissions than the standard user?
    E.g. the user must be a member of certain built-in and/or custom Windows groups. In a traditional
    setup this would be achieved by making the user a member of certain domain groups, which
    in their turn would be made a member of certain local groups on the server.
    How is that achieved in your example, for an AAD-joined Azure Windows Server?

    – In your example, you are assigning the user with which you’ll be logging in to the VM the
    “Virtual Machine Administrator Login”. Why do you have to add this user manually to the
    VM’s remote desktop users group as well? In a “traditional” Windows Server, if the user is a
    member of the local Administrators group, the user is automatically allowed to RDP into the
    server, no need to add that user also to the remote desktop users group.

    Can you clarify the above a bit?

    Kr

  11. Hello Edwin, thanks for the comment and the good question!

    Here is my feedback for each question:

    1) Administrator privileges are evaluated only for the following well-known groups on a Windows Server 2019 and Windows 10 device: Administrators, Users, Guests, Power Users, Remote Desktop Users, and Remote Management Users. So you can use the Azure AD security group, add the user as a member of that group, and finally add it to the desired local group on an AAD-joined Azure Windows Server 2019.

    2) I believe that this step is not needed anymore. However, you still need to configure role assignments for the VM (Virtual Machine Administrator Login and Virtual Machine User Login roles). To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM does not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.
    Microsoft has improved this process as follows: When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators’ group on the device: the Azure AD global administrator role, the Azure AD joined device local administrator role, and the user performing the Azure AD join.
    By adding Azure AD roles to the local administrators’ group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device.

    Hope this helps!

  12. Great article and glad to get this really nice feature working with this walk-through. I tested this functionality out on Linux previously and found it was actually easier to get working because of all these extra hoops you identified so well here that you have to jump through on Windows.

    I was curious you have heard of any plans to have this work outside Azure. This could be a game-changer if on-premises boxes could do this and would really enhance the value of Azure Arc with another nice remote management feature if that was what was needed to complete the setup.

    Fingers crossed!

  13. Thank you Matt for the feedback!
    Yes indeed, the configuration on Linux is easier than on Windows.
    No plans to have this work outside of Azure yet. Hopefully, it will come later on.

  14. Great post! Thanks!
    About this part:
    enablecredsspsupport:i:0
    authentication level:i:2

    Instead of editing RDP properties, I added it on the Hostpool/RDP properties/advanced and it worked (with the remote desktop client and web too)!

  15. After performing this, I could see that the server is still in Workgroup. Will it change once we enable Azure AD login or can we change?

    The server should show the domain in which it was joined I hope. Share your thoughts.

  16. Hello Sathya, thanks for the comment!
    No, the server will not show as domain-joined after you enable Azure AD Login. It will still show as Workgroup.
    Once you enable this capability as described in this article, your Windows VMs in Azure will be Azure AD joined. You cannot join it to other domains like on-premises AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by uninstalling the “AADLoginForWindows” extension.
    You can also join the server to Azure AD Domain Services (AAD DS) or to your on-premises domain.
    Logging in to a Windows virtual machine in Azure using Azure Active Directory authentication has nothing to do with a domain join in the traditional sense.
    Hope it helps.
