To improve the security of your Linux and Windows virtual machines (VMs) in Azure, Microsoft integrated Azure Active Directory (AAD) authentication, so you can centrally control and enforce policies that allow or deny access to the VMs. Tools like Azure role-based access control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM remotely.
In this article, we will show you how to log in with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Microsoft Entra ID (formerly Azure Active Directory).
Table of Contents
Introduction
Deployment of Windows VMs in Azure is common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, when you create Windows virtual machines (VMs) in Azure, you add local administrator accounts to log in to these VMs and it becomes difficult to manage these accounts as people join or leave teams.
To make things simple people often follow the risky practice of sharing admin account passwords among big groups of people. This makes it very hard to protect your production Windows VMs and collaborate with your team when using shared Windows VMs.
By the end of 2019, Microsoft announced that you can use now Azure AD authentication to connect to Windows VMs in Azure. In this article, we will share with you the experience of how to set up and log in with a Remote Desktop (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory (AAD).
Prerequisites
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Azure VM running Windows Server 2019/2022 Datacenter edition or Windows 10 version 1809 and later.
3) When you create a Windows virtual machine in Azure, you need to make sure you have selected Login with AAD credentials in the Management blade. Once you select Login with AAD credentials, the system-assigned managed identity will be automatically selected as shown in the figure below.
> If you already have a VM and you want to enable/install Azure AD Login for Windows afterward, then you could use the following PowerShell command to install the AAD login extension for an existing VM. Please note that you must first enable system-assigned managed identity on the VM before you set the extension. Also, make sure that the VM can reach the required public endpoints of Microsoft as documented here.
$vmName = "VM-name-Here"
$vmRgName = "Resource-Group-Name-Here"
$extensionName = "AADLoginForWindows"
$publisher = "Microsoft.Azure.ActiveDirectory"
$vm = Get-AzVm -ResourceGroupName $vmRgName -Name $vmName
Set-AzVMExtension -ResourceGroupName $vmRgName `
-VMName $vm.Name `
-Name $extensionName `
-Location $vm.Location `
-Publisher $publisher `
-Type "AADLoginForWindows" `
-TypeHandlerVersion "0.4"4) To verify that your Windows virtual machine does support Azure AD Login, you can check if the AAD Login extension is provisioned successfully from the virtual machine blade under Settings | Extensions.
5) If you have an Azure AD Premium 2 license with MFA, then make sure to create a new Conditional Access Policy to exclude MFA requirements on Azure Windows VM Sign-in as shown in the figure below.
6) Finally, to connect to Windows VM in Azure using Azure AD authentication, you need to have a Windows 10/11 PC that is either Azure AD registered (starting with Windows 10 20H1 and later), Azure AD joined or Hybrid Azure AD joined to the same directory as the VM in Azure.
Please note that if you have MFA enabled, you will need to create an Azure AD conditional access policy! However, Azure AD conditional access requires Azure Active Directory Premium P2 license (included in M365 E5). Otherwise you won’t be able to login from external (if MFA is enabled). Additionally, at the time of this writing, Azure Bastion can’t be used to log in by using Azure Active Directory authentication with the AADLoginForWindows extension; only direct RDP is supported.
Enable Azure AD login for Windows VM
Once you create the virtual machine in Azure, then you need to add some permissions to it. Take now the following steps:
1) In the Azure Portal, from the Virtual machine’s blade, select your Windows VM and then click on Access Control (IAM).
2) Select Role assignments, then click + Add and then choose to Add role assignment.
3) In the Add role assignment blade, you need to choose one of two different roles (Virtual Machine Administrator Login or Virtual Machine User Login). The user login obviously doesn’t have administrator rights, whereas the administrator login does. But for the purpose of this example, we want to be the administrator login for the virtual machine.
4) Next, leave the ‘Assign access to‘ as default because we want to choose a user. Then choose the username that you’d like to give permission to and then click Save as shown in the figure below. You can also add an Azure AD security group where you have multiple users members of that group.
5) Now that the user has been given the ability to log in to your Windows Azure virtual machine, there’s still more to it.
6) Go back into your Windows 10 or Windows Server 2019 virtual machine in the Azure Portal, and then click on the Connect button that will allow you to download the RDP file. This will allow you to connect to the Public IP address of your Windows machine.
7) Download the RDP file and save it on your machine (we need to edit the file in a later step). Next, you need to test that you are able to connect to your machine using your public IP address and the local account that you specified when you created the virtual machine.
8) Once you log in to your machine with RDP, you need to open the Command Prompt window as administrator and type the following command: dsregcmd /status. Microsoft says in their documentation here that you can view the device and SSO state by running this command.
dsregcmd /status9) Now if we look at the output of this command as shown in the figure below, we can see that the SSO State for AzureADPrt is NO, and the Device State for AzureAdJoined is set to YES. However, the SSO State for AzureADPrt should be set to YES and not NO!
10) Microsoft says that you just have to update or upgrade to the latest version of Windows and the AzureAdPrt switch will be set to YES. But it didn’t work for me. So how do we get this to work?
11) After investigation, I found another way to make it work by modifying the RDP file that we downloaded in the previous step.
12) Open the RDP file with WordPad or Notepad, and what you want to do is to add two lines to it as shown below. The first command will disable CredSSP support and the next one is to set the authentication level to 2, which means if server authentication fails, show a warning and allow me to connect or refuse the connection (Warn me).
enablecredsspsupport:i:0
authentication level:i:2
Another option is, instead of editing the RDP properties as shown in the figure above, you could add it directly on the Host Pool/RDP Properties/Advanced, as shown in the figure below, and it worked (with the Remote Desktop client and web too). This option applies only to Azure Virtual Desktop (AVD) with Azure Resource Manager Azure Virtual Desktop objects.
13) Now, in the case of Azure Virtual Desktop (AVD) deployment, you need to make sure that the Azure AD authentication property and Credential Security Support Provider (CredSSP) is set as shown in the figure below under RDP Properties > Connection information.
- Azure AD authentication: RDP will attempt to use Azure AD authentication to sign in.
- Credential Security Support Provider: RDP will not use CredSSP, even if the operating system supports CredSSP.
Another option is, instead of editing the RDP properties as shown in the figure above, you could add it directly on the Host Pool/RDP Properties/Advanced, as shown in the figure below, and it worked (with the Remote Desktop client and Remote Desktop Web client too). This option applies only to Azure Virtual Desktop (AVD) with Azure Resource Manager, and Azure Virtual Desktop objects.
14) Next, you need to go to System in Control Panel | Remote settings and uncheck ‘Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)‘ as shown in the figure below. Please note that Network Level Authentication (NLA) can be left enabled if you’re connecting from an Azure AD registered/hybrid/joined device and must be disabled if connecting from an unregistered device.
15) Next, you need to add your Azure AD user to the Remote Desktop Users group. However, this step cannot be accomplished through the GUI. The option for Azure Active Directory doesn’t exist, even though the virtual machine is Azure Domain joined as shown in Step 9 (Device State for AzureAdJoined is set to YES).
16) We need to use the command prompt to add the user. Open the Command Prompt window as administrator and type the following command. This is basically just allowing me to add this user into the Remote Desktop Users Group, which is going to be required, and then forward slash /add followed by AzureAD. Now it doesn’t matter what the name of your Azure Active Directory is. Then you just put in a backslash and then the full email address (you need to add the appropriate domain name).
# Add Azure AD user to Remote Desktop Users Group
net localgroup "remote desktop users" /add "AzureAd\username@domain.com"
17) To verify, you can open the Remote Desktop Users from the GUI and check that the Azure AD user was added successfully.
18) Sign out from the VM and then use the edited RDP file to connect and verify that you can access the Windows VM using your Azure AD user that was added to Access Control (IAM) blade.
19) Finally, confirm that you are logged in to the VM with Azure AD authentication. You can open the Command Prompt window as administrator and type: whoami.
Please note that to Remote connection to VMs joined to Azure AD, this will only be allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM.
To learn more about Windows Azure VMs and Azure AD, please check the official documentation by Microsoft here.
Summary
In this article, I showed you how to sign in to Windows virtual machine with RDP in Azure using Azure Active Directory (AAD) authentication which is still in public preview. At the time of this writing, there are a lot of prerequisites that you should adhere to so you can connect to the Windows VM successfully.
Learn more:
- How to get the list of Network Security Groups with RDP Port Open
- How to change Remote Desktop Port with PowerShell
- Export all Network Security Groups rules with PowerShell
- How to improve security by enabling just-in-time VM access
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Thank you, Gabriele!
This was a FANTASTIC article Charbel. You had suggestions I did not see anywhere else. Thank you!
-Chris
Thank you, Chris, for the feedback, much appreciated!