Secure access to WEB APP and XRDP for a VM in Azure already up and running with a basic NSG

Question

Secure access to WEB APP and XRDP for a VM in Azure already up and running with a basic NSG

Chris Kirkwood 0

Add an application gateway for a WEB APP and XRDP to an azure host already configured. Also need to add SSL and 2FA to gain access to the VM through Entra-Id credentials for defined external users.

Venkatesan S 925 Reputation points Microsoft External Staff Moderator

2025-11-18T23:10:20.6866667+00:00

Hi Chris Kirkwood,

Thanks for reaching out to Microsoft Q&A.

Could you please share us the requested details in the private message?
Jeevan Shanigarapu 3,280 Reputation points Microsoft External Staff Moderator

2025-11-19T00:39:49.64+00:00
Hello @Chris Kirkwood,
Welcome to Microsoft Q&A Platform.

Thank you for contacting us. Based on your requirements for secure access to the web application and Azure Virtual Machine using XRDP/RDP with SSL/TLS and two-factor authentication (2FA) through Microsoft Entra ID, you can follow the below steps.

Web Application Access:

Deploy an Azure Application Gateway in a dedicated subnet.

Configure HTTPS listeners and upload your SSL certificate, or integrate with Azure Key Vault for certificate management. Enforce TLS version 1.2 or higher to maintain secure connections. Use path-based routing to direct traffic appropriately if hosting multiple web applications.

Secure Virtual Machine Access:

Enable Microsoft Entra ID login by installing the AADLoginForWindows extension on the VM. Assign the appropriate Azure RBAC roles, such as Virtual Machine User Login or Virtual Machine Administrator Login. Use Azure Bastion to establish RDP connectivity, avoiding direct exposure of port 3389. Implement Conditional Access policies to enforce multi-factor authentication (MFA) for external users.

Two-Factor Authentication (2FA):

Configure Microsoft Entra ID Multi-Factor Authentication through Conditional Access. Please note: MFA is not compatible with classic XRDP. For enhanced security, Azure Bastion is the recommended solution.

Validation:

Confirm HTTPS access to the web application through Application Gateway. Test RDP connectivity to the VM via Bastion using Entra ID credentials and MFA. Verify that Conditional Access policies function as expected for external users.

References:

Protect web apps on Azure VMware Solution with Azure Application Gateway - Azure VMware Solution | …

Remote Desktop Services roles | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.
Ganesh Patapati 10,385 Reputation points Microsoft External Staff Moderator

2025-11-21T12:32:07.1866667+00:00

Hello @Chris Kirkwood

I see Jeevan Shanigarapu has addressed your queries.

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

1 answer

Your answer

Venkatesan S 925 Reputation points Microsoft External Staff Moderator

2025-11-18T23:10:20.6866667+00:00

Hi Chris Kirkwood,

Thanks for reaching out to Microsoft Q&A.

Could you please share us the requested details in the private message?
Jeevan Shanigarapu 3,280 Reputation points Microsoft External Staff Moderator

2025-11-19T00:39:49.64+00:00

Hello @Chris Kirkwood,
Welcome to Microsoft Q&A Platform.

Thank you for contacting us. Based on your requirements for secure access to the web application and Azure Virtual Machine using XRDP/RDP with SSL/TLS and two-factor authentication (2FA) through Microsoft Entra ID, you can follow the below steps.

Web Application Access:

Deploy an Azure Application Gateway in a dedicated subnet.

Configure HTTPS listeners and upload your SSL certificate, or integrate with Azure Key Vault for certificate management. Enforce TLS version 1.2 or higher to maintain secure connections. Use path-based routing to direct traffic appropriately if hosting multiple web applications.

Secure Virtual Machine Access:

Enable Microsoft Entra ID login by installing the AADLoginForWindows extension on the VM. Assign the appropriate Azure RBAC roles, such as Virtual Machine User Login or Virtual Machine Administrator Login. Use Azure Bastion to establish RDP connectivity, avoiding direct exposure of port 3389. Implement Conditional Access policies to enforce multi-factor authentication (MFA) for external users.

Two-Factor Authentication (2FA):

Configure Microsoft Entra ID Multi-Factor Authentication through Conditional Access. Please note: MFA is not compatible with classic XRDP. For enhanced security, Azure Bastion is the recommended solution.

Validation:

Confirm HTTPS access to the web application through Application Gateway. Test RDP connectivity to the VM via Bastion using Entra ID credentials and MFA. Verify that Conditional Access policies function as expected for external users.

References:

Protect web apps on Azure VMware Solution with Azure Application Gateway - Azure VMware Solution | …

Remote Desktop Services roles | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.
Ganesh Patapati 10,385 Reputation points Microsoft External Staff Moderator

2025-11-21T12:32:07.1866667+00:00

Hello @Chris Kirkwood

I see Jeevan Shanigarapu has addressed your queries.

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Answer 1

To secure access to your web app and XRDP for a VM in Azure using an Application Gateway, you can follow these steps:

Create an Application Gateway: In the Azure portal, search for Application Gateway and select Create application gateway. Provide the necessary details, including the frontend IP address type (public or private) and backend pool configuration for your VM.
Configure SSL: On the Listener tab during the Application Gateway setup, if you select HTTPS, you will need to provide a certificate. This can be done using a PFX file or an existing Azure Key Vault certificate.
Set Up Routing Rules: Add routing rules to direct traffic to your web app and XRDP service. You can also configure path-based rules if needed.
Enable Microsoft Entra ID for Authentication: To implement two-factor authentication (2FA) and secure access through Entra ID credentials, ensure that your application is integrated with Microsoft Entra ID. This will allow you to enforce conditional access policies and enable 2FA for defined external users.
Test the Configuration: After setting up the Application Gateway and configuring SSL and Entra ID, test the access to ensure that users can authenticate and access the web app and XRDP as intended.

By following these steps, you can effectively secure access to your Azure VM and applications using Application Gateway, SSL, and Microsoft Entra ID for authentication.

References:

Share via

Secure access to WEB APP and XRDP for a VM in Azure already up and running with a basic NSG

1 answer

Your answer