Azure VM Hybrid AD Joined and RDP with FIDO2

Jorge Freitas 0 Reputation points
2024-04-06T00:26:57.5833333+00:00

Hey guys,

I installed a new VM on Azure, enabling the AAD Login Extension functionality.

It then assigns RBAC permissions, according to Microsoft documentation, to the machine local user.

It happens that when I try to add the user I want to RDP with as a member of the Remote Desktop group, it generates the following error:

"Principal XXX was not found"

When I try it with net localgroup "Remote Desktop Users" /add "XXX" I get: There is no such global user or group.

Is it possible to actually use an Azure AD user to authenticate through RDP to an Azure VM on an on-prem domain, but with the AAD Login extension activated? Thanks for your help! Regards.


1 answer

  1. Akhilesh 9,515 Reputation points Microsoft Vendor
    2024-04-08T15:32:02.67+00:00

    Hi @Jorge Freitas

    Thank you for reaching out to the community forum!

    The error message "Principal XXX was not found" indicates that the user or group being added to the Remote Desktop Users group does not exist in the Azure AD tenant, or that there is a syntax error in the command. Could you please check whether the user exists in the tenant?

    net localgroup "Remote Desktop Users" /add "AzureAD\test@contoso.com"

    Replace test@contoso.com with the user's UPN or the object ID. May I know whether the VM is AAD joined?

    Also, if possible, try adding a different user to the Remote Desktop Users group to see if the issue is specific to the user account or for every user.
    If the error persists, check the Event Viewer for any relevant error messages that might provide additional information about the problem.

    On the other side, to answer your question: yes, it is possible to use an Azure Active Directory (AAD) user to authenticate through Remote Desktop Protocol (RDP) to an Azure Virtual Machine (VM) that has the AAD Login extension activated. This setup allows you to leverage Azure's cloud-based identity service for authentication, even if the VM is not part of an on-premises domain.

    Reference: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc

    https://techcommunity.microsoft.com/t5/microsoft-entra-blog/azure-ad-authentication-to-windows-vms-in-azure-now-in-public/ba-p/827840

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
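The following PowerShell script is an added example, not code from the question or the answer above. It is meant to be run in an elevated session on the VM itself and walks the answer's two checks in order: first it reads the device join state from dsregcmd /status (the script assumes that tool's "Key : Value" output layout), then it adds the Entra user to the local Remote Desktop Users group with the AzureAD\ prefix from the answer and verifies the membership actually landed. The UPN test@contoso.com is a constructed placeholder. The warning on DomainJoined reflects the documented requirement that the Entra login extension targets Entra-joined VMs rather than VMs that are also joined to an on-premises domain, which is the state the question describes and the most likely reason the AzureAD\ principal cannot be resolved.

```powershell
# Added example (not from the question or answer). Run in an elevated PowerShell
# session on the Azure VM. The default UPN is a constructed placeholder.
param(
    [string]$UserPrincipalName = 'test@contoso.com'   # replace with the real user's UPN
)

$ErrorActionPreference = 'Stop'

# 1. Read the device join state. dsregcmd prints "Key : Value" lines (assumed layout);
#    keep only the three keys that matter for this scenario.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:\s*(\S+)') {
        $state[$Matches[1]] = $Matches[2]
    }
}
"AzureAdJoined = $($state['AzureAdJoined']); DomainJoined = $($state['DomainJoined'])"

# Without an Entra join, Windows has no way to resolve an AzureAD\<UPN> principal,
# which is exactly the "no such global user or group" failure in the question.
if ($state['AzureAdJoined'] -ne 'YES') {
    throw 'This VM is not Entra (Azure AD) joined; AzureAD\<UPN> principals cannot be resolved here.'
}
# A VM that is also joined to an on-premises AD domain (hybrid) is outside the
# documented support for the Entra login extension; flag it rather than silently continuing.
if ($state['DomainJoined'] -eq 'YES') {
    Write-Warning 'VM is also domain joined (hybrid). Entra login for RDP is documented for Entra-joined VMs only.'
}

# 2. Add the Entra user to the local Remote Desktop Users group using the same
#    net localgroup form as the answer. net.exe signals failure via its exit code.
$member = "AzureAD\$UserPrincipalName"
$output = net localgroup 'Remote Desktop Users' /add $member 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "Adding $member failed: $($output -join ' ')"
}

# 3. Verify the membership before asking the user to try RDP again; a reported
#    success that does not show up in the listing is worth catching here.
$members = net localgroup 'Remote Desktop Users'
if ($members -match [regex]::Escape($member)) {
    "Verified: $member is a member of Remote Desktop Users."
} else {
    throw "Add reported success but $member is not listed in Remote Desktop Users."
}
```

If the first check throws, adding the user to the group will not help: the RBAC assignment (Virtual Machine Administrator Login or Virtual Machine User Login) and the local group membership both presuppose that the VM can resolve Entra principals, so the join state is the thing to fix first.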

