To improve the security of Linux and Windows virtual machines in Azure, Microsoft has integrated Azure Active Directory (AAD) authentication so that you can centrally manage and control the policies that allow or deny access to those virtual machines. With tools such as Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access, you control who can access a virtual machine remotely.
In this article, I will show you how to log on with Remote Desktop (RDP) to a Windows virtual machine deployed in Azure, using Azure Active Directory.
Deploying Windows virtual machines in Azure is common, and the challenge for everyone is managing the accounts and credentials used to log on to these virtual machines. Typically, when you create Windows virtual machines in Azure, you add local administrator accounts to log on to them, and these accounts are hard to manage as people join or leave teams.
For simplicity, people often fall into the risky practice of sharing administrator account passwords among large groups. This makes it very hard to secure production Windows virtual machines and to collaborate with your team on shared Windows virtual machines.
At the end of 2019, Microsoft announced that you can now use Azure AD authentication to connect to Windows virtual machines in Azure. In this article, I will share my experience of configuring and logging in remotely (RDP) to a Windows virtual machine deployed in Azure using Azure Active Directory.
To follow this article, you need the following:
- An Azure subscription. If you do not have one, you can create a free subscription here.
- An Azure VM running Windows Server 2019 Datacenter Edition, or Windows 10 version 1809 or later.
- When you create the Windows virtual machine in Azure, make sure you select Login with AAD on the Management blade. When you select Login with AAD, a system-assigned managed identity is enabled automatically, as shown below.
- To make sure your Windows virtual machine supports Azure AD login, verify that the AAD Login extension was provisioned successfully under the virtual machine's Settings | Extensions blade.
- If you have an Azure AD Premium P2 license with MFA, be sure to create a Conditional Access policy that excludes Azure Windows VM sign-in from the MFA requirement, as shown in the figure below.
- Finally, to connect to the Azure Windows VM with Azure AD authentication, you need a Windows 10 computer that is either Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the virtual machine in Azure.
Note that if MFA is enabled, you must create an Azure AD Conditional Access policy. However, Azure AD Conditional Access requires an Azure Active Directory Premium P2 license (included with E5). Otherwise, you will not be able to log in remotely while MFA is enabled.
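To check these prerequisites without clicking through the portal, here is an added PowerShell example using the Az module; it is my own addition and not code from the original post or from Microsoft. It assumes you have already run Connect-AzAccount, the resource group and VM names are placeholders, and it relies on the fact that the portal's Login with AAD option installs the AADLoginForWindows extension (publisher Microsoft.Azure.ActiveDirectory). It also lists who currently holds either of the two VM login roles on the VM, which is the access-control side of the setup described in the steps that follow.

```powershell
# Added example (not from the original post). Requires the Az module and an
# existing Connect-AzAccount session. Resource group and VM names are placeholders.
function Test-AadLoginPrereqs {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # 1. Selecting "Login with AAD" enables a system-assigned managed identity.
    $identityOk = $vm.Identity -and ($vm.Identity.Type -match 'SystemAssigned')

    # 2. The AADLoginForWindows extension must have provisioned successfully.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }
    $extOk = $ext -and ($ext.ProvisioningState -eq 'Succeeded')

    # 3. Who can sign in: role assignments for the two VM login roles, including
    #    assignments inherited from the resource group or subscription.
    $loginRoles = 'Virtual Machine Administrator Login', 'Virtual Machine User Login'
    $assignments = Get-AzRoleAssignment -Scope $vm.Id |
        Where-Object { $_.RoleDefinitionName -in $loginRoles } |
        Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope

    [pscustomobject]@{
        VM                     = $vm.Name
        SystemAssignedIdentity = [bool]$identityOk
        AadLoginExtension      = [bool]$extOk
        LoginAssignments       = $assignments
        Ready                  = [bool]($identityOk -and $extOk -and $assignments)
    }
}

# Placeholder names; replace with your own resource group and VM.
Test-AadLoginPrereqs -ResourceGroupName 'rg-example' -VMName 'vm-example' | Format-List
```

Running this periodically against your VMs is also a cheap audit: the LoginAssignments list is the complete set of identities (users and groups) that RBAC currently allows to RDP in with Azure AD credentials, so anything unexpected there should be investigated.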
Once the virtual machine has been created, you need to grant some permissions on it. Complete the following steps:
- In the Azure portal, select the Windows VM from the Virtual machines blade, and then click Access control (IAM).
- Choose Role assignments, click + Add, and then select Add role assignment.
- In the Add role assignment blade, you must choose one of two roles: Virtual Machine Administrator Login or Virtual Machine User Login. As the names suggest, the user login does not have administrator rights, while the administrator login does. In this example I will use Virtual Machine Administrator Login.
- Next, leave "Assign access to" at its default, because we want to select a user. Select the user you want to grant permission to, and then click Save, as shown in the figure below. You can also assign the role to an Azure AD security group if you have multiple users.
- Now that the user has been granted permission to log on to the Azure Windows VM, there are a few more steps.
- Return to the Windows 10 or Windows Server 2019 VM in the Azure portal and click the Connect button to download the RDP file. This file connects to the public IP address of your Windows VM.
- Download the RDP file and save it to your computer (we will need to edit it later). Next, test that you can connect to the VM using its public IP address and the local account you specified when you created the virtual machine.
- Once you are logged on to the VM over RDP, open a Command Prompt window as an administrator and type the following command: dsregcmd /status. Microsoft's documentation here states that you can view the device and single sign-on status by running this command.
- Looking at the output of this command, as shown below, we can see that under SSO State, AzureAdPrt is NO, while under Device State, AzureAdJoined is YES. However, AzureAdPrt should be YES, not NO!
- Microsoft says you just need to update to the latest version of Windows and AzureAdPrt will switch to YES. That did not work for me. So how do we make this work?
- After some research, I found another way to make it work: editing the RDP file we downloaded in the previous step.
- Open the RDP file in WordPad or Notepad and add the two lines shown below. The first disables CredSSP support, and the second sets the authentication level to 2, which means that if server authentication fails, a warning is shown and you can choose to connect anyway or cancel (warn).
enablecredsspsupport:i:0
authentication level:i:2
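If you do this for more than one VM, the edit is easy to script. The following PowerShell is an added example (mine, not code from the original post) that applies exactly these two settings to a downloaded .rdp file, replacing a key that is already present rather than appending a duplicate, since mstsc honours the last occurrence and duplicates make the file confusing to review. The sample file content and the IP address in it are constructed placeholders.

```powershell
# Added example (not from the original post): apply the two RDP-file settings
# from this article to a downloaded .rdp file without duplicating keys.
function Set-RdpSetting {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Key,     # e.g. 'enablecredsspsupport:i'
        [Parameter(Mandatory)][string]$Value
    )
    $result   = [System.Collections.Generic.List[string]]::new()
    $pattern  = '^' + [regex]::Escape($Key) + ':'
    $replaced = $false
    foreach ($line in $Lines) {
        if ($line -match $pattern) { $result.Add("${Key}:${Value}"); $replaced = $true }
        else                       { $result.Add($line) }
    }
    if (-not $replaced) { $result.Add("${Key}:${Value}") }
    return ,$result.ToArray()
}

function Update-AzureRdpFile {
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path
    # CredSSP off: credentials are entered at the VM's logon screen instead of being
    # pre-authenticated by Network Level Authentication on the client.
    $lines = Set-RdpSetting -Lines $lines -Key 'enablecredsspsupport:i' -Value '0'
    # authentication level 2: warn if the server certificate cannot be verified, but
    # still let the user decide whether to connect.
    $lines = Set-RdpSetting -Lines $lines -Key 'authentication level:i' -Value '2'
    # mstsc reads both ANSI and UTF-16; Unicode matches what mstsc itself writes.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $lines
}

# Constructed sample resembling a portal-downloaded .rdp file (placeholder IP).
$sample = @(
    'full address:s:203.0.113.10:3389'
    'prompt for credentials:i:1'
    'administrative session:i:1'
)
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'vm-example.rdp'
Set-Content -Path $tmp -Value $sample
Update-AzureRdpFile -Path $tmp
```

Keep in mind what this setting trades away: with CredSSP disabled on the client and the NLA requirement cleared on the server (next step), the VM's RDP listener presents its logon screen to anyone who can reach port 3389 before they authenticate. On a VM with a public IP that makes restricting the source with a Network Security Group or Just-in-Time access more important, not less.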
- Next, go to System in Control Panel, open Remote settings, and clear "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)", as shown in the figure below.
- Next, you need to add the Azure AD user to the Remote Desktop Users group. This step cannot be done through the graphical user interface: the Azure Active Directory location is not offered in the object picker even though the virtual machine is Azure AD joined, as shown in step 9 above (Device State, AzureAdJoined is YES).
- So we add the user from the command prompt. Open a Command Prompt window as an administrator and type the following command. It adds the user to the Remote Desktop Users group, which is required: net localgroup, the group name, the /add switch, then AzureAD (this literal name is used regardless of what your Azure AD tenant is called), a backslash, and the user's full email address (be sure to use the correct domain name).
REM Add the Azure AD user to the Remote Desktop Users group
net localgroup "Remote Desktop Users" /add "AzureAD\[email protected]"
- To confirm, you can open the Remote Desktop Users group from the GUI and verify that the Azure AD user has been added successfully.
- Now use the modified RDP file to connect to the virtual machine, and make sure you can sign in to the Windows VM with the Azure AD user you added in the Access control (IAM) blade.
- Finally, confirm that you are logged on to the virtual machine with Azure AD authentication. Open a Command Prompt window as an administrator and enter: whoami.
Note that remote access to Azure AD joined virtual machines is only allowed from Windows 10 computers that are either Azure AD registered (minimum build 20H1), Azure AD joined, or hybrid Azure AD joined to the same directory as the virtual machine.
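The verification steps above (dsregcmd /status, the group membership check, and whoami) can be wrapped in a script that you run on the VM after setup. The PowerShell below is an added example of mine, not code from the original post: it parses the Key : Value lines that dsregcmd prints, tells you whether the client is in the "joined but no PRT" state that forced the workaround in this article, and checks Remote Desktop Users membership by parsing net.exe output (the same tool the article uses, which lists Azure AD members as AzureAD\user@domain). The dsregcmd sample lines and the account name are constructed placeholders.

```powershell
# Added example (not from the original post): post-setup checks for Azure AD RDP login.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs under boxed section headers; keep the pairs.
    # The lazy key pattern stops at the first colon, so URL values stay intact.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-AadSsoState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $joined = $Status['AzureAdJoined'] -eq 'YES'
    $prt    = $Status['AzureAdPrt'] -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined   = $joined
        AzureAdPrt      = $prt
        # Joined but without a PRT is exactly the state this article worked around.
        NeedsWorkaround = $joined -and -not $prt
    }
}

function Test-RdpGroupMember {
    param([Parameter(Mandatory)][string]$Member)   # e.g. 'AzureAD\user@example.com'
    # net localgroup prints header lines, a dashed separator, one member per line,
    # then "The command completed successfully."
    $lines   = net localgroup "Remote Desktop Users"
    $members = $lines | Where-Object {
        $_ -and ($_ -notmatch '^(Alias name|Comment|Members|-+|The command)')
    }
    return [bool]($members | Where-Object { $_.Trim() -ieq $Member })
}

# Constructed sample of dsregcmd /status output (placeholder values).
$sample = @(
    '+----------------------------------------------------------------------+'
    '| Device State                                                         |'
    '+----------------------------------------------------------------------+'
    '             AzureAdJoined : YES'
    '          EnterpriseJoined : NO'
    '              DomainJoined : NO'
    '+----------------------------------------------------------------------+'
    '| SSO State                                                            |'
    '+----------------------------------------------------------------------+'
    '                AzureAdPrt : NO'
)
Test-AadSsoState -Status (ConvertFrom-DsregStatus -Lines $sample)

# Live checks, only where the tools exist (Windows 10 / Windows Server 2019).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Test-AadSsoState -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
    Test-RdpGroupMember -Member 'AzureAD\user@example.com'   # placeholder account
    whoami   # expect AzureAD\<user> when the Azure AD sign-in actually worked
}
```

The useful output line is NeedsWorkaround: when it is False because AzureAdPrt is YES, the client can authenticate with NLA and you should not disable CredSSP or clear the NLA requirement at all.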
For more information about Azure Windows VMs and Azure AD, check out Microsoft's official documentation here.
In this article, I showed you how to log on to a Windows virtual machine in Azure with RDP using Azure Active Directory (AAD) authentication, which is still in public preview. At the time of this writing, there are many requirements you must meet in order to connect to the Windows VM successfully.
Thanks for reading my blog.
If you have any questions or feedback, please leave a comment.