Introduction
If you are using Azure AD, you can join AzureAD as part of the Windows 10 OOBE (version 1703 and later). It's easy to do: just provide your AzureAD credentials…
Once OOBE has completed, your computer will be AzureAD joined.
Alternatively, you can join AzureAD after setup via All Settings, Accounts, Access work or school: click on Connect, enter your AzureAD username, then click on Join this device to Azure Active Directory and continue through the wizard.
Note: if this option is missing, verify that you are on Windows 10 version 1703 or later and that your DNS is working correctly.
You can verify that your device has successfully joined AzureAD by running the following command from a PowerShell (or command) prompt:
dsregcmd /status
The output is shown below; notice that it reports AzureAdJoined=YES.
If you want to RDP to this computer on a local LAN network, you'll need a few things in place on the computer you are RDP'ing from and on the computer you are RDP'ing to.
Note: This post is aimed at a lab environment. In a production environment you shouldn't enable RDP directly, as this exposes you to the risk of being compromised. If you really need to expose Remote Desktop Services, use a RD Gateway Server with the new Remote Desktop WebClient.
Step 1. Change Remote desktop settings
On the computer you intend to RDP to, set the Remote Desktop settings to Allow Remote Connections to this computer and clear the checkbox Allow connections only from computers running Remote Desktop with Network Level Authentication enabled, as shown here. Clearing that checkbox means the target will set up a session before the user has authenticated, which is one reason this configuration belongs in a lab rather than in production.
Step 2. Create new rdp config file
On the computer you intend to RDP from, open mstsc.exe and click on Show Options.
Click on Save As…, give it a new name such as AzureAD_RDP, and save it somewhere easy to find.
Open the saved file using Notepad. Verify that the following two lines are present; if not, add them.
enablecredsspsupport:i:0
authentication level:i:2
Save the file.
Step 3. RDP to the target computer
On the computer where you just edited the config file, open MSTSC.exe, click on Show Options, then click on Open and point it to the previously created AzureAD_RDP config file. Enter the IP address or FQDN of the computer you want to RDP to; do not enter any username.
You may see the usual RDP prompt… it's ok, click on Connect.
Depending on what device you are connecting from (and to) you'll see different results. For example, from an AzureAD joined device that you've logged into with the same UPN as you are using to connect to the target PC, you'll be prompted to enter your AzureAD password like so:-
and you are in
If, however, you are connecting from say a Workgroup joined (non Azure AD joined) device, then the login experience will be different and you'll see a login page like this. Enter your username as:
AzureAD\<username@domain.com>
where <username@domain.com> is the full User Principal Name of your AzureAD user.
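As an added example (not code from the original post), the PowerShell below makes Step 2 repeatable by parsing the .rdp name:type:value format and setting the two lines idempotently, and it checks the dsregcmd /status output from the verification step programmatically instead of by eye. The .rdp path under Documents is an assumption; point it at the file you saved from mstsc.

```powershell
# Added example, not from the original post. Path is an assumption.
$RdpPath = Join-Path $env:USERPROFILE 'Documents\AzureAD_RDP.rdp'

function Set-RdpSetting {
    # .rdp files hold one "name:type:value" per line (type i = integer, s = string).
    # Replaces an existing line for $Name or appends one, so re-running is safe.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('i','s')][string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    $prefix  = "${Name}:${Type}:"
    $newLine = "$prefix$Value"
    $found   = $false
    $lines   = if (Test-Path $Path) { @(Get-Content -Path $Path) } else { @() }
    $out = @(foreach ($line in $lines) {
        if ($line.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $found = $true
            $newLine        # overwrite whatever value was there
        } else {
            $line
        }
    })
    if (-not $found) { $out += $newLine }
    # mstsc saves .rdp files as UTF-16 LE; write the file back the same way
    Set-Content -Path $Path -Value $out -Encoding Unicode
    return $newLine
}

function Test-AzureAdJoined {
    # Parses the "AzureAdJoined : YES" line of dsregcmd /status
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(\S+)') { return ($Matches[1] -eq 'YES') }
    }
    return $false
}

# enablecredsspsupport:i:0 turns CredSSP off, so the password is entered inside the
# session on the target; authentication level:i:2 warns (rather than refusing) when
# server authentication fails. Both are part of why this setup is lab-only.
Set-RdpSetting -Path $RdpPath -Name 'enablecredsspsupport' -Type 'i' -Value '0'
Set-RdpSetting -Path $RdpPath -Name 'authentication level' -Type 'i' -Value '2'
Get-Content -Path $RdpPath | Where-Object { $_ -match '^(enablecredsspsupport|authentication level):' }
if (Test-AzureAdJoined) { 'AzureAdJoined : YES' } else { 'This device is not Azure AD joined' }
```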
job done 🙂
cheers
niall
Recommended reading
- https://docs.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc
- https://morgansimonsen.com/2015/11/06/connecting-to-an-azure-ad-joined-machine-with-remote-desktop/
To anyone reading this, I am trying to raise awareness of this issue with Microsoft.
Please vote and reply on the following idea proposal:
https://feedback.azure.com/d365community/idea/51bb50d0-3683-ed11-a81b-000d3ae5ae95