RDP to Azure hosted VM using Office 365 Account

Duncan Long 0 Reputation points
2024-07-23T22:41:43.9233333+00:00

Goal: Manage authentication (preferably MFA) on Azure with Microsoft Entra ID using Office 365 accounts, and use this to authenticate logins (RDP) to our Azure-hosted virtual machines that are running Windows Server 2022.

Short history:

  • VMs were set up with Windows Server 2022 and with local accounts, and RDP ports open (before my time)
  • Office 365 accounts created for the team (before my time)
  • We were able to log in to remote machines with local accounts, but not with Office 365 accounts, which would not RDP at all (login failed on the RDP login page)
  • I added role assignments to the VMs for the appropriate Office 365 accounts (tried both 'Virtual Machine Administrator Login' and the user one)
  • We could then use the Office 365 accounts to pass the RDP authentication, but the VM would reject the login and we saw an error message on the screen of the VM. Error read: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."
  • In researching this there were a number of different solutions all of which I've tried and failed:
    • Apply MFA to users (this then made RDP fail)
    • Tried the 'Use a web account to sign in to the remote computer' setting in the RDP Advanced tab
    • Tried Azure-joining the VMs
    • Tried Entra Domain Services
    • Tried setting up a domain forest and domain controller on VMs within the same subnet (note: removed the Azure join and domain-joined the VMs)
    • Tried Microsoft Entra Connect (was able to get local accounts to sync up to Azure, but not the Office 365 accounts to sync locally to the VMs)

If anyone knows how to do this, I've spent too much of my life on this, haha. Seems like it should be so easy... and I'm way deeper down the rabbit hole than I'd like. Help!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Sandeep G-MSFT 18,191 Reputation points Microsoft Employee
    2024-07-25T12:52:00.73+00:00

    @Duncan Long

    Thank you for posting this in Microsoft Q&A.

    As I understand, you want to use Azure AD authentication to log in to your Windows Server 2022 via RDP using Office 365 accounts.

    You can now use Microsoft Entra ID as a core authentication platform to Remote Desktop Protocol (RDP) into Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.

    Below are the network requirements to perform this task:

    Azure Global:

    • https://enterpriseregistration.windows.net: For device registration.
    • http://169.254.169.254: Azure Instance Metadata Service endpoint.
    • https://login.microsoftonline.com: For authentication flows.
    • https://pas.windows.net: For Azure RBAC flows.

    To use Microsoft Entra login for a Windows VM in Azure, you must:

    1. Enable the Microsoft Entra login option for the VM.
    2. Configure Azure role assignments for users who are authorized to sign in to the VM.

    There are two ways to enable Microsoft Entra login for your Windows VM:

    • The Azure portal, when you're creating a Windows VM.
    • Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM.

    Below is the article you can refer to, where all steps to perform this task are described:

    https://video2.skills-academy.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#requirements

    Note: The Windows client machine is required to be either Microsoft Entra registered, or Microsoft Entra joined or Microsoft Entra hybrid joined to the same directory as the VM. Additionally, to RDP by using Microsoft Entra credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

    Once you have followed the above article, you can also set up MFA using a Conditional Access policy:

    https://video2.skills-academy.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#enforce-conditional-access-policies

    Let me know if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
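
The two-step procedure in this answer (enable the Microsoft Entra login extension on an existing VM, then assign the login role at VM scope), plus the client-side RDP property behind the "Use a web account to sign in to the remote computer" setting the question mentions, as an added PowerShell example. This is not code from the answer, from the linked article or from Microsoft's own tooling; it is written against the Az PowerShell module. The resource group, VM name, user UPN and RDP hostname are placeholders, and the choice to look up the extension version at run time rather than hard-code it is this example's own.

```powershell
# Added example, not from the original answer. Assumes:
#   - Az PowerShell module installed and Connect-AzAccount already run, with rights to
#     modify the VM and to create role assignments on it (Owner / User Access Administrator).
#   - Placeholder names: resource group "rg-prod", VM "vm-app01", user "duncan@contoso.com",
#     RDP target "vm-app01.contoso.com". Replace with your own.
#   - The Windows Server 2022 VM already exists (this adds the extension to an existing VM,
#     the "Azure Cloud Shell ... existing Windows VM" path from the answer).

$rg      = 'rg-prod'
$vmName  = 'vm-app01'
$upn     = 'duncan@contoso.com'
$rdpHost = 'vm-app01.contoso.com'   # hostname (or public IP) the RDP client connects to

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. AADLoginForWindows registers the VM as an Entra device using the VM's system-assigned
#    managed identity (obtained through the 169.254.169.254 metadata endpoint listed above),
#    so make sure that identity exists first.
if (-not $vm.Identity -or $vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
}

# 2. Look up the newest published extension version instead of hard-coding one;
#    Set-AzVMExtension wants the major.minor form (for example "2.0").
$latest = Get-AzVMExtensionImage -Location $vm.Location `
              -PublisherName 'Microsoft.Azure.ActiveDirectory' -Type 'AADLoginForWindows' |
          Sort-Object { [version]$_.Version } | Select-Object -Last 1
$typeHandlerVersion = ([version]$latest.Version).ToString(2)

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion $typeHandlerVersion | Out-Null

# 3. RBAC: scope the assignment to the VM resource, not the subscription. Give operators
#    who should not be local administrators the "User Login" role instead (least privilege).
$role = 'Virtual Machine Administrator Login'   # or 'Virtual Machine User Login'
$existing = Get-AzRoleAssignment -SignInName $upn -RoleDefinitionName $role -Scope $vm.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $upn -RoleDefinitionName $role -Scope $vm.Id | Out-Null
}

# 4. Check that the extension actually provisioned before anyone tests the login; a failed
#    extension is the most common reason an Entra RDP attempt is rejected at the VM.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AADLoginForWindows'
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "AADLoginForWindows is in state '$($ext.ProvisioningState)'; inspect the extension log on the VM before continuing."
}

# 5. Client side: an .rdp file with enablerdsaadauth:i:1, which is the file-level form of the
#    "Use a web account to sign in to the remote computer" checkbox. With this property the
#    client acquires an Entra token interactively (so a Conditional Access MFA requirement can
#    be satisfied) rather than sending a plain password over RDP.
$rdp = @"
full address:s:$rdpHost
username:s:$upn
enablerdsaadauth:i:1
"@
Set-Content -Path ".\$vmName.rdp" -Value $rdp -Encoding ASCII
Write-Host "Wrote .\$vmName.rdp; open it from a Windows client that meets the client requirements in the linked article."
```

Run it from Cloud Shell (PowerShell) or a workstation with the Az module. The role lookup in step 3 makes the script safe to re-run; the provisioning-state check in step 4 is the point at which to stop and read the extension log if the RDP attempt is still refused after the role assignment has propagated.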


  2. Philippe Levesque 5,796 Reputation points
    2024-07-25T13:36:17.59+00:00

    Hi

    Do you have a hybrid configuration with AD Connect? If yes, please see this guide: https://video2.skills-academy.com/en-us/azure/virtual-desktop/configure-single-sign-on (the article is for a Windows client VM, but it looks like the same scenario you want).

