How can I RDP to an Azure AD joined Windows 10 device ?

Posted on August 23, 2017 by ncbrady

Introduction

If you are using Azure AD, you can join Azure AD as part of the Windows 10 OOBE (from version 1703 and later), it’s easy to do, just provide your AzureAD credentials…

and once it has completed OOBE your computer will be AzureAD joined.

Alternatively you can join AzureAD using All Settings, Accounts, Access work or school, click on Connect and enter your AzureAD username, then click on Join this device to Azure Active Directory and continue through the wizard.

Note: if this option is missing verify you are on Windows 10 version 1703 or later and that your DNS is working correctly.

You can verify that your device has successfully joined AzureAD via a PowerShell command:

dsregcmd /status

and the output is shown below, notice it’s AzureAdJoined=YES.

If you want to RDP to this computer on a local LAN network, you’ll need a few things in place on the computer you are RDP’ing from and the computer you are RDP to.

Note: This post is aimed at a lab environment, in a production environment you shouldn’t enabled RDP directly as this will expose you the risk of being compromised. If you really need to expose Remote Desktop Services, use a RD Gateway Server with the new Remote Desktop WebClient.

Step 1. Change Remote desktop settings

On the computer you intend to RDP to, set the Remote Desktop settings to Allow Remote Connections to this computer and remove the checkbox from Allow connections only from computers running Remote Desktop with Network Level Authentication enabled as shown here.

Step 2. Create new rdp config file

On the computer you intend to RDP from, open mstsc.exe and click on Show Options.

Click on Save As… and give it a new name such as AzureAD_RDP, save it somewhere easy to find.

Open the saved file using Notepad. Verify that the following two lines are present, if not, add them.

enablecredsspsupport:i:0
authentication level:i:2

Save the file.

Step 3. RDP to the target computer

On the computer that you just edited the config file, open MSTSC.exe and click on show options, then click on Open. Point it to the previously created AzureAD_RDP config file. Enter the IP address or FQDN of the computer you want to RDP to, do not enter any username.

you may see the usual RDP prompt…it’s ok, click on Connect

and depending on what device you are connecting from (and to) you’ll see different results, for example from an AzureAD joined device that you’ve logged into with the same UPN as you are using to connect to the target PC you’ll be prompted to enter your AzureAD password like so:-

and you are in

If however you are connecting from say, a Workgroup joined (non azure AD joined) device then the login experience will be different, and you’ll see a login page like this, enter your username as:

AzureAD\<username@domain.com>

where <username@domain.com> is your the full User Principal Name of your AzureAD user

job done 🙂

cheers

niall

 

Recommended reading

 

 

This entry was posted in AzureAD, RDP. Bookmark the permalink.

4 Responses to How can I RDP to an Azure AD joined Windows 10 device ?

  1. Pingback: RDP to Azure VM and logon with Azure AD account - Tas Gray

  2. Pingback: Remote Desktop Connection to an Azure AD Joined Machine from non-Azure AD Joined PC/Laptop - WebmakersWebmakers

  3. Pingback: How can I RDP to an Azure AD joined Windows 10 device ? – Admin CFSME

  4. Zephyr2084 says:
    December 24, 2022 at 3:11 am

    To anyone reading this, I am trying to raise awereness of this issue with Microsoft.
    Please vote and reply on the following idea proposal:

    https://feedback.azure.com/d365community/idea/51bb50d0-3683-ed11-a81b-000d3ae5ae95

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.