Hello HASSAN BIN NASIR DAR
Check these documents; they give you detailed steps to set up:
- Howto-vm-sign-in-azure-ad-windows
- Login to Windows virtual machine in Azure using Entra ID authentication
- How-can-i-login-to-my-azure-vm-with-my-aad-credentials
and the requirements that you need to remember to set up:
- The "Login with Entra ID" option was enabled during VM creation.
- A system assigned managed identity must be enabled on the Azure VM.
- Once a system assigned managed identity is enabled, the AADLoginForWindows extension can be installed.
- Assigning the VM extension to an existing Windows VM requires Azure CLI version 2.0.31 or later.
- RDP to Azure VMs using the AADLoginForWindows extension is only available from Windows 10 devices that are Microsoft Entra joined or Microsoft Entra hybrid joined in the same tenant as the target VM. Both the client and the server must be in the same tenant.
- VMs must have access to these Microsoft service endpoints:
  https://enterpriseregistration.windows.net
  https://login.microsoftonline.com
  https://device.login.microsoftonline.com
  https://pas.windows.net
- RDP connections initiated from Windows 10 Build 20H1 devices that are Microsoft Entra registered (not Microsoft Entra joined or Microsoft Entra hybrid joined) require credentials in the format AzureAD\UPN, such as AzureAD******@contoso.com.
- The security policy "Network security: Allow PKU2U authentication requests to this computer to use online identities" must be enabled on both the server and the client. A setting of Not defined is the same as Enabled.
- To allow a user to log in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resources.
- Make sure that the VM is running and is accessible from the Entra ID user's network. You can check the VM status and network settings in the Azure portal.
Limitations:
- Users of type Guest in the home tenant of the Azure VM running the AADLoginForWindows VM extension cannot sign in.
- Users with per-user MFA Enabled/Enforced Multi-Factor Authentication are not supported for VM sign-in.
- If the user signing in to the VM is part of any Conditional Access policy that requires MFA and the Windows Hello for Business cert trust model has not been deployed, the sign-in will be blocked, so in this case you need to exclude the "Azure Windows VM Sign-In" application from the list of cloud apps that require MFA.
- Windows Hello for Business PIN authentication with RDP has been supported; however, support for biometric authentication with RDP was added in Windows 10 version 1809.
- Windows Hello for Business authentication during RDP is not available for the key trust model.
Configure role assignments for the VM:
- Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.
Make sure that the Entra ID user has been added to the "Remote Desktop Users" group on the VM. You can do this by logging in to the VM using an administrator account, opening the "Computer Management" console, and adding the Entra ID user to the "Remote Desktop Users" group.
Kindly make sure that you use the below format while logging in, i.e., the AzureAD\UPN format:
AzureAD\username@your_tenant.onmicrosoft.com (or)
AzureAD\username@your_verified_domain.com
This will help you:
- How can I set logging into an Azure VM by Entra ID?
- Connect-with-user-entra-id-on-vm-azure
- Login to Windows virtual machine in Azure using Entra ID authentication
I hope this clarifies things.
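The Azure-side steps from the answer above (system-assigned identity, the AADLoginForWindows extension, and the role assignment at resource-group scope), as an added PowerShell example that is not part of the original answer. It uses the Az PowerShell module rather than the Azure CLI the answer mentions and assumes an existing Connect-AzAccount session; the resource group, VM name and UPN are placeholders, and the extension TypeHandlerVersion of 2.0 is an assumption to check against the current extension version.

```powershell
# Added example (not from the original answer): enable the system-assigned
# identity, install AADLoginForWindows, and grant an Entra ID user an RDP
# login role at resource-group scope. Requires the Az module and an
# authenticated Connect-AzAccount session. Names below are placeholders.
param(
    [string]$ResourceGroup = 'rg-placeholder',
    [string]$VmName        = 'vm-placeholder',
    [string]$UserUpn       = 'username@your_tenant.onmicrosoft.com',
    # Least privilege: default to user login; use 'Virtual Machine Administrator Login'
    # only for people who genuinely need local administrator rights on the VM.
    [string]$Role          = 'Virtual Machine User Login'
)

$ErrorActionPreference = 'Stop'

# 1. System-assigned managed identity: the extension cannot be installed without it.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if (-not $vm.Identity -or $vm.Identity.Type -notmatch 'SystemAssigned') {
    Write-Host "Enabling system-assigned managed identity on $VmName"
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
}

# 2. AADLoginForWindows extension. Publisher and type are the documented values;
#    the TypeHandlerVersion is an assumption - verify the current major version.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name 'AADLoginForWindows' -ErrorAction SilentlyContinue
if (-not $ext) {
    Write-Host "Installing AADLoginForWindows on $VmName"
    Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
        -Name 'AADLoginForWindows' `
        -Publisher 'Microsoft.Azure.ActiveDirectory' `
        -ExtensionType 'AADLoginForWindows' `
        -TypeHandlerVersion '2.0' `
        -Location $vm.Location | Out-Null
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name 'AADLoginForWindows'
}
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "AADLoginForWindows provisioning state is '$($ext.ProvisioningState)', not 'Succeeded'"
}

# 3. Role assignment scoped to the resource group that holds the VM and its
#    network resources, as the answer recommends. Idempotent: skip if present.
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$existing = Get-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $Role `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    Write-Host "Assigning '$Role' to $UserUpn at $scope"
    New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $Role -Scope $scope | Out-Null
}

Write-Host "Done. The user signs in over RDP as AzureAD\$UserUpn"
```

Keeping the role assignment at resource-group scope (not subscription scope) limits the blast radius if the account is compromised, and the user-login role is the safer default; the administrator role puts the user in the local Administrators group on every VM in scope.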
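The local prerequisites the answer lists (Entra join state of the client, the PKU2U policy, the four service endpoints, and Remote Desktop Users membership on the VM) are the usual causes of a failed sign-in, so here is an added PowerShell check script that is not part of the original answer. It assumes an elevated PowerShell 5.1 or later session on a Windows 10/11 client or on the VM itself, reads the PKU2U setting from the registry value that backs that policy (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID), and takes the UPN as a placeholder parameter.

```powershell
# Added example (not from the original answer): verify the local prerequisites
# for Entra ID RDP sign-in. Run on the RDP client (join state, PKU2U, endpoints)
# and on the VM with -CheckRdpGroup (PKU2U, endpoints, group membership).
param(
    [string]$UserUpn = 'username@your_tenant.onmicrosoft.com',   # placeholder
    [switch]$CheckRdpGroup                                        # only meaningful on the VM
)

$failures = @()

# 1. Device join state. RDP with Entra credentials needs an Entra joined or
#    hybrid joined device; dsregcmd reports "AzureAdJoined : YES" for both.
#    A merely Entra *registered* device shows AzureAdJoined : NO.
$ds = & dsregcmd /status
if (-not ($ds -match 'AzureAdJoined\s*:\s*YES')) {
    $failures += 'Device is not Microsoft Entra joined or hybrid joined (dsregcmd: AzureAdJoined is not YES)'
}

# 2. PKU2U policy. "Not defined" (value absent) counts as Enabled; only an
#    explicit 0 (Disabled) blocks online-identity authentication.
$pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
    -Name 'AllowOnlineID' -ErrorAction SilentlyContinue
if ($pku2u -and $pku2u.AllowOnlineID -eq 0) {
    $failures += 'Policy "Allow PKU2U authentication requests ... to use online identities" is Disabled'
}

# 3. Required Microsoft service endpoints must be reachable over HTTPS (443).
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'pas.windows.net'
)
foreach ($h in $endpoints) {
    $reachable = Test-NetConnection -ComputerName $h -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) { $failures += "Cannot reach https://$h on TCP 443" }
}

# 4. On the VM: the Entra user must be in "Remote Desktop Users" (the local
#    group lists Entra identities as AzureAD\<UPN>). Administrators granted via
#    the Virtual Machine Administrator Login role can RDP without this.
if ($CheckRdpGroup) {
    try {
        $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop
        if (-not ($members.Name -contains "AzureAD\$UserUpn")) {
            $failures += "AzureAD\$UserUpn is not a member of Remote Desktop Users"
        }
    } catch {
        $failures += "Could not enumerate Remote Desktop Users: $($_.Exception.Message)"
    }
}

if ($failures.Count -eq 0) {
    Write-Host 'All local prerequisites passed.'
} else {
    Write-Host 'Failed prerequisites:'
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

The script exits non-zero when anything fails, so it can be dropped into a login troubleshooting runbook; the per-user MFA and Conditional Access limitations from the answer are tenant-side and cannot be checked locally.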