Azure VM Hybrid AD Joined and RDP with FIDO2

Jorge Freitas 0 Reputation points
2024-04-06T00:26:57.5833333+00:00

Hey guys,

I installed a new VM on Azure, enabling the AAD Login Extension functionality.

It then assigns RBAC permissions, according to Microsoft documentation, to the machine local user.

It happens that when I try to add the user that I want to RDP as to the Remote Desktop Users group, it generates the following error:

"Principal XXX was not found"

When I try it with net localgroup "Remote Desktop Users" /add "XXX" I get: There is no such global user or group.

Is it possible to actually use an AzureAD user to authenticate through RDP to an Azure VM on an OnPrem domain, but with the AAD Login extension activated? Thanks for your help! Regards.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

    Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2024-04-08T15:32:02.67+00:00

    Hi @Jorge Freitas

    Thank you for reaching out to the community forum!

    The error message "Principal XXX was not found" indicates that the user or group being added to the Remote Desktop Users group does not exist in the Azure AD tenant, or that there is a syntax error in the command. Could you please check whether the user exists in the tenant?

    net localgroup "Remote Desktop Users" /add "AzureAD\******@contoso.com"
    

    Replace ******@contoso.com with the user's UPN or the object ID. May I know whether the VM is AAD joined?

    Also, if possible, try adding a different user to the Remote Desktop Users group to see if the issue is specific to the user account or for every user.
    If the error persists, check the Event Viewer for any relevant error messages that might provide additional information about the problem.

    On the other side, to answer your question: yes, it is possible to use an Azure Active Directory (AAD) user to authenticate through Remote Desktop Protocol (RDP) to an Azure Virtual Machine (VM) that has the AAD Login extension activated. This setup allows you to leverage Azure's cloud-based identity service for authentication, even if the VM is not part of an on-premises domain.

    Reference: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows

    https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc

    https://techcommunity.microsoft.com/t5/microsoft-entra-blog/azure-ad-authentication-to-windows-vms-in-azure-now-in-public/ba-p/827840

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
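An added PowerShell example, not code from the original post or from the moderator's answer: it runs the join-state check the moderator asks about (via dsregcmd), then issues the net localgroup command in the AzureAD\UPN form the answer gives, and verifies the group membership afterwards. It assumes it is run in an elevated prompt on the VM itself; the user principal name is a placeholder, and the exact wording of the dsregcmd status lines it parses is an assumption.

```powershell
# Added example (not from the original post or the moderator's answer).
# Assumptions: run elevated on the VM; $UserPrincipalName is a placeholder UPN;
# dsregcmd prints "AzureAdJoined : YES" / "DomainJoined : YES" style lines.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. 'someone@contoso.com'
)

$groupName = 'Remote Desktop Users'
$principal = "AzureAD\$UserPrincipalName"

# 1. Join state: the AzureAD\ principal only resolves if the VM reports AzureAdJoined.
$status        = dsregcmd /status
$azureAdJoined = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')

Write-Host "AzureAdJoined : $azureAdJoined"
Write-Host "DomainJoined  : $domainJoined"

if (-not $azureAdJoined) {
    Write-Warning "VM does not report AzureAdJoined=YES; '$principal' is unlikely to resolve."
}

# 2. Add the member exactly as the answer describes, with the AzureAD\ prefix.
net localgroup $groupName /add $principal
if ($LASTEXITCODE -ne 0) {
    # Typical failure texts: "Principal ... was not found" / "There is no such global user or group."
    Write-Error "net localgroup returned exit code $LASTEXITCODE while adding '$principal'."
    return
}

# 3. Verify: list the group and confirm the entry is present.
$members = net localgroup $groupName
if ($members | Select-String -SimpleMatch $principal) {
    Write-Host "'$principal' is now a member of '$groupName'."
} else {
    Write-Warning "'$principal' was not found in '$groupName' after the add; check Event Viewer."
}
```

The script only reports state and adds one group member; if the join check prints AzureAdJoined as False, that is the first thing to resolve before retrying the add, since the AzureAD\ prefix has nothing to resolve against on a VM that is not Entra joined.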

