RDP to Azure VM That's Entra ID enabled From a Device That's NOT Entra ID Enabled

Allan Au 45 Reputation points
2024-05-16T01:02:42.12+00:00

Hi,

I followed the guideline in the MS doc: Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID including passwordless and created an Azure Windows VM that is Entra ID enabled.

What I have discovered is that you're able to login with Entra ID with RDP from your device IF

  1. The device is Entra ID enabled
  2. On the same virtual network or peered virtual network

Using the format myId@mydomain.com

User's image

This is the error:

User's image

On the host (of where I want to RDP to), there's no event log in the Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational

Were you able to RDP from a device that's not Entra ID enabled and to a host that's not domain joined?

Thank you for sharing!

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,968 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,591 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Prrudram-MSFT 24,916 Reputation points
    2024-05-24T09:50:49.68+00:00

    Hello @Allan Au

    Thank you for reaching out to the Microsoft Q&A platform.

    If the device you're attempting to RDP from is not Entra ID enabled and the host you're connecting to is not domain joined, you may encounter difficulties with the RDP connection. Entra ID relies on certain configurations and prerequisites to enable secure authentication, and deviating from those configurations may result in authentication failures or other issues.

    In the scenario you described, where neither the device nor the host meets the requirements for Entra ID authentication, it's possible that the RDP connection will not succeed. However, without specific details about your Azure setup and configurations, it's challenging to provide a definitive answer.

    To troubleshoot the issue further, you could review the Azure AD and VM configurations to ensure that the necessary settings are in place for both the device and the host. Additionally, checking for any error messages or logs related to the RDP connection attempt could provide valuable insights into the underlying issue.

    Regarding the issue you are facing with the event log not showing up in the Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational, it is possible that the event logging is not enabled on the VM. To enable event logging, you can follow these steps:

    1. Open the Local Group Policy Editor on the VM by running gpedit.msc.
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
    3. Double-click on the policy "Use Windows Hello for Business operational logs" and set it to "Enabled".
    4. Click "Apply" and "OK" to save the changes.

    After enabling event logging, you should be able to see the logs in the Event Viewer under the Applications and Services Logs\Microsoft\Windows\AAD\Operational.

    0 comments No comments

  2. Marcin Policht 25,285 Reputation points MVP
    2024-06-04T21:02:00.4+00:00

    Use an Entra ID registered device (rather than joined) to sign from. When signing in, use the credentials in the format AzureAD\UPN format (for example, AzureAD\myId@mydomain.com).


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.