How do I configure RDS on an Azure Windows VM with AADLogonforWindows extension installed

Nick Moult 21 Reputation points
2021-12-11T16:04:39.563+00:00

Hi,

I have enabled the AADLogonForWindows extension on a Windows Server 2021 Datacentre edition Azure VM I have created. I have been able to log on without any errors using my Tenant Active Directory credentials. It works perfectly.

All well and good. Of course this is fine for administrator sessions (up to two RDP sessions to this server are permitted for ongoing administration purposes).

I of course am looking to use this facility to allow standard users to access the server configured in this way to have standard user workload sessions. In order to allow licensed users to initiate standard user sessions on the server, I would have to enable the required RDS roles on the server (to provide the necessary Licensing, Broker, etc. RDS functions required). This is where the brick wall is hit. I am unable to deploy the required RDS roles, as the server is of the opinion that it is not Active Directory joined (although it is, through the AADLogonforWindows extension configuration, and it is shown as joined in the Active Directory list of devices).

Must I join the server to the Active Directory in another way? Must I join the VM to an Azure Active Directory Directory services service that I implement in a subnet addressable to the VM/s in question?

So this facility is very nice - but seems to be purely for those who require administration sessions (up to two concurrent) on the server.

Or am I missing the point!

Does RDS work differently with the AADLogonForWindows extension installed? I would appreciate some reference to the appropriate way of configuring RDS to work with the intended benefits of the AADLogonforWindows extension's features.


Accepted answer
    Limitless Technology 39,926 Reputation points
    2021-12-17T19:55:58.97+00:00

    Hello

    Yes, servers hosting RDS roles need to be domain joined (either local AD or AAD) and never on the same machine as a Domain Controller. This is because the modern infrastructure deployment for RDS is purely based on domain hierarchy and security.

    AADLogonForWindows will allow you to authenticate, but it still won't support the domain functionality for these services.

    Hope this helps with your query,


    --If the reply is helpful, please Upvote and Accept as answer--

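The distinction the accepted answer draws (Azure AD authentication via the extension versus the AD domain join that RDS role deployment checks for) can be verified on the VM itself. The following PowerShell diagnostic is an added example, not code from the question, the answer or Microsoft; it assumes an elevated session on the Windows Server VM with the ServerManager module available, and uses the standard RDS role service names.

```powershell
# Added diagnostic (not from the question or answer): tell an Azure AD join
# (what the AAD login extension provides) apart from a classic AD domain join
# (what Server Manager and the RDS deployment wizard require), then list which
# RDS role services are actually installed. Run elevated on the server VM.

function Get-JoinState {
    # Win32_ComputerSystem reflects the classic AD domain join that the
    # RDS role installation tests for.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # dsregcmd reports device registration state, including Azure AD join.
    $dsreg = dsregcmd /status
    $azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')

    [pscustomobject]@{
        ComputerName      = $cs.Name
        DomainName        = $cs.Domain        # workgroup name when not AD-joined
        AdDomainJoined    = $cs.PartOfDomain  # must be $true before RDS roles deploy
        DsregDomainJoined = $domainJoined
        AzureAdJoined     = $azureAdJoined    # $true on a VM with the AAD login extension
    }
}

function Get-RdsRoleState {
    # Role services the question refers to: session host, licensing, broker, etc.
    $roles = 'RDS-RD-Server', 'RDS-Licensing', 'RDS-Connection-Broker',
             'RDS-Web-Access', 'RDS-Gateway'
    Get-WindowsFeature -Name $roles | Select-Object Name, DisplayName, Installed
}

$join = Get-JoinState
$join | Format-List

if ($join.AzureAdJoined -and -not $join.AdDomainJoined) {
    # This is the state described in the question: authentication works, but
    # the server is not AD domain joined, so RDS role deployment is refused.
    Write-Warning 'VM is Azure AD joined only. RDS role deployment needs an AD domain join (on-premises AD or Azure AD Domain Services).'
}

Get-RdsRoleState | Format-Table -AutoSize
```

On the VM described in the question the output should show AzureAdJoined as True and AdDomainJoined as False, which is exactly the condition the RDS role installation objects to.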
