Azure Windows Remote Desktop





Applies to

  • Windows 10

From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). Starting in Windows 10, version 1809, you can use biometrics to authenticate to a remote desktop session.

Desktop
  • Change Remote Desktop settings. On the computer you intend to RDP to, set Remote Desktop to Allow remote connections to this computer. If you will use the hand-edited .rdp file method described later in this post (enablecredsspsupport:i:0), also clear Allow connections only from computers running Remote Desktop with Network Level Authentication: that method disables CredSSP on the client, so the target cannot require NLA, and the password is then entered at the remote logon screen after the session exists instead of before it. Keep NLA selected whenever the connecting PC is itself Azure AD-joined and you sign in as AzureAD\user@domain.com as described under Set up; that is the more secure configuration. Then create a new .rdp configuration file.
  • My organization is running Windows 10 joined to Azure AD organization (completely cloud hosted, i.e. No on-prem Active Directory). I login to my PC with a username in the form of 'username@organiz.

Set up

  • Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
  • Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or Azure AD registered if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
  • The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.

Ensure Remote Credential Guard, a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.

  • On the PC you want to connect to:

    1. Open system properties for the remote PC.

    2. Enable Allow remote connections to this computer and select Allow connections only from computers running Remote Desktop with Network Level Authentication.

    3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:

      • Adding users manually

        You can specify individual Azure AD accounts for remote connections by adding AzureAD\the-UPN-attribute-of-your-user to the local Remote Desktop Users group from an elevated prompt,

        where the-UPN-attribute-of-your-user is the name of the user profile in C:\Users, which is created based on the DisplayName attribute in Azure AD.

        This command only works for AADJ device users already added to any of the local groups (for example Administrators). Otherwise the command throws the error below. For example:

        • for cloud only user: 'There is no such global user or group : name'
        • for synced user: 'There is no such global user or group : name'

        Note

        For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.

        Starting in Windows 10, version 1709, you can add other Azure AD users to the Administrators group on a device in Settings and restrict remote credentials to Administrators. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.

      • Adding users using policy

        Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in How to manage the local administrators group on Azure AD joined devices.

        Tip

        When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

        Note

        If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this support article.
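The target-side procedure above (enable Remote Desktop, keep NLA, grant an Azure AD user access) as one script. This is an added example, not code from the Microsoft article; it assumes an elevated PowerShell session on the remote PC, and user@contoso.com is a placeholder UPN. The choice of net.exe over Get-LocalGroupMember/Add-LocalGroupMember for AzureAD\ principals is this example's own.

```powershell
# Added example (not from the article): prepare an Azure AD-joined target PC for
# Remote Desktop and grant an Azure AD account access. Run elevated on the target.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder: user@contoso.com
)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. "Allow remote connections to this computer"
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Keep "Allow connections only from computers running Remote Desktop with
#    Network Level Authentication" selected (UserAuthentication = 1). With NLA the
#    client authenticates before a session (and the logon screen) is created.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# Open the built-in firewall rule group for Remote Desktop (TCP/UDP 3389).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Add the Azure AD account to the local Remote Desktop Users group. Azure AD
#    principals are addressed as AzureAD\<UPN>. net.exe is used here (assumption of
#    this example) because the *-LocalGroupMember cmdlets have been unreliable with
#    AzureAD\ members on some builds.
$account = "AzureAD\$UserPrincipalName"
$out = & net.exe localgroup 'Remote Desktop Users' /add $account 2>&1
if ($LASTEXITCODE -ne 0) {
    # The failure the article documents: the account has never signed in to this
    # device / is not in any local group yet, so the name cannot be resolved
    # ("There is no such global user or group").
    throw "Could not add $account to Remote Desktop Users: $out"
}

# Verify that the group really lists the UPN before telling the user to connect.
$members = & net.exe localgroup 'Remote Desktop Users'
if ($members -match [regex]::Escape($account)) {
    "OK: $account is a member of Remote Desktop Users"
} else {
    throw "Verification failed: $account is not listed in Remote Desktop Users"
}
```

If the add step fails with the "no such global user or group" error, have the user sign in to the device once (required on version 1703 and earlier, per the note above) and run the script again.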

Supported configurations


The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC:

Criteria                 | RDP from Azure AD registered device | RDP from Azure AD joined device                                   | RDP from hybrid Azure AD joined device
Client operating systems | Windows 10, version 2004 and above  | Windows 10, version 1607 and above                                | Windows 10, version 1607 and above
Supported credentials    | Password, smartcard                 | Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust

Note

If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities.
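The two client-side prerequisites (PKU2U online identities allowed, Remote Credential Guard not enforced) as a check-and-fix script. This is an added example, not from the article; it assumes an elevated session on the connecting PC. The PKU2U value is the one the "Allow PKU2U authentication requests to this computer to use online identities" policy writes; the CredentialsDelegation value used for the Remote Credential Guard check is an assumption of this example and should be confirmed against your own policy baseline.

```powershell
# Added example (not from the article): verify the client-side prerequisites for
# connecting to an Azure AD-joined PC. Run elevated on the connecting machine.

# 1. PKU2U: "Network security: Allow PKU2U authentication requests to this computer
#    to use online identities". Needed when the client is Windows Server 2016/2019;
#    PKU2U is the protocol that lets two Azure AD devices authenticate each other's
#    cloud identities.
$pku2u = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
if (-not (Test-Path $pku2u)) { New-Item -Path $pku2u -Force | Out-Null }
$allow = (Get-ItemProperty -Path $pku2u -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID
if ($allow -ne 1) {
    Set-ItemProperty -Path $pku2u -Name AllowOnlineID -Value 1 -Type DWord
    'PKU2U online identities: enabled (was disabled or unset)'
} else {
    'PKU2U online identities: already enabled'
}

# 2. Remote Credential Guard must be OFF for this scenario. The policy "Restrict
#    delegation of credentials to remote servers" is assumed here to write
#    RestrictedRemoteAdministration under CredentialsDelegation; when it is 1 the
#    client insists on Restricted Admin / Remote Credential Guard and the Azure AD
#    logon fails.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$rra = (Get-ItemProperty -Path $cd -Name RestrictedRemoteAdministration -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
if ($rra -eq 1) {
    Write-Warning 'Credential delegation restriction (Remote Credential Guard / Restricted Admin) is enforced by policy; connections to Azure AD-joined PCs will fail until it is turned off.'
} else {
    'Remote Credential Guard: not enforced by policy'
}

# 3. Do not pass /remoteGuard or /restrictedAdmin to mstsc.exe for these targets;
#    launch it plainly, e.g.:
#   mstsc.exe /v:aadpc01
```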


I’m frequently on the move and switch between devices: working at home one day, from a hotel the next, on site at a customer office with no internet, or on a plane. I just never know. Part of my workflow is running some of my daily activities on an Azure VM. I can get to it from pretty much anywhere, and it doesn’t matter what device I do or don’t have access to; I can always get to what I need and access the Microsoft network.

In order to access everything from our corporate network I have joined the computer using Azure Active Directory (Azure AD). Before I show you how to remote desktop to an Azure AD joined VM or computer, let me show the steps to join a computer to Azure AD. The steps here were done on Windows 10 version 1709 or later for the join and 1809 or later for remote desktop with Azure AD credentials (Microsoft's documented minimum, listed above, is version 1607 for both). This can be a physical computer or a virtual machine.

Join a Computer to Azure Active Directory

First, launch the Windows Settings app and navigate to the Accounts section.

Using the left side navigation go to the Access work or school section and click Connect.

On the resulting screen click the link at the bottom of the page labeled Join this device to Azure Active Directory.

Proceed through the wizard by entering your email address, authenticate with your company’s preferred method, and verify the domain information.

Upon completion the work or school access screen will now show that you are connected to your organizations Azure AD along with the account used to connect.
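Before moving on to Remote Desktop, it is worth confirming that the join actually completed and that the device key is TPM-backed, since the support notes above tie connection failures to both. The following is an added example, not part of the original post; it parses the output of the built-in dsregcmd /status and exposes the fields the prerequisites depend on.

```powershell
# Added example (not from the original post): confirm a device finished the Azure AD
# join before attempting Remote Desktop with Azure AD credentials.
function Get-AadJoinState {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # dsregcmd prints "   Key : Value" lines; keep the first occurrence per key.
        # Values may themselves contain colons (URLs), so the key is matched lazily.
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')   # YES + AzureAdJoined = hybrid joined
        TenantName    = $state['TenantName']
        TenantId      = $state['TenantId']
        TpmProtected  = ($state['TpmProtected'] -eq 'YES')   # device key lives in the TPM
        DeviceId      = $state['DeviceId']
    }
}

$s = Get-AadJoinState
$s | Format-List

# Prerequisite checks from the article: joined to Azure AD, TPM-backed device key,
# and a tenant id you can compare with the other PC (both must be in the same tenant;
# B2B guests are not supported).
if (-not $s.AzureAdJoined) {
    throw 'Device is not Azure AD joined: complete Settings > Accounts > Access work or school > Connect first.'
}
if (-not $s.TpmProtected) {
    Write-Warning 'Device key is not TPM-protected; the article ties remote connection problems to a TPM that is not functioning.'
}
# On the other PC, run the same function and compare tenants:
#   (Get-AadJoinState).TenantId -eq $s.TenantId   # must be $true
```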

Remote Desktop to Azure AD Joined Computer

Unfortunately, at this time it isn’t quite as easy as “open up a new RDP connection, type in the computer, type my email, and connect”. If it were, this post wouldn’t be here. So let’s look at the steps we need to go through to get connected.


First, open Remote Desktop Connection as if you were going to connect to any other computer. Type in the computer name or IP address and expand the Show Options section. Next, click the Save As button to save the RDP file locally. I’m going to place mine on my desktop. At this point you can close the Remote Desktop Connection dialog. It isn’t needed anymore.

Next, open Notepad. Click File -> Open and locate the RDP file that was saved in the previous step. You’ll need to change the document type dropdown from Text Documents (*.txt) to All Files (*.*).

Go to the very bottom of the list of parameters and add the following two lines. The first turns off CredSSP on the client (the transport Network Level Authentication uses), which is why the target must not require NLA; the second makes the client warn, rather than refuse to connect, when the remote computer's certificate cannot be verified:
enablecredsspsupport:i:0
authentication level:i:2

Save the changes to the .rdp file. Note that your file may have more or fewer lines in it than mine.

Now you are ready to connect! Double click on the RDP file and fill in the dialog box.

The user name field should be formatted as .\AzureAD\email@company.com
(Technically it only needs to be AzureAD\email@company.com, but there are some strange caching things that happen when the VM auto-locks and you go to sign back in. Adding the dot-backslash (.\) at the beginning saves you the headache of having to add AzureAD\ to the beginning of your user name each time you try to log in.)
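The whole .rdp procedure above (save, edit, set the user name) can be done in one step. The function below is an added example, not from the original post; it writes the file the post describes, with the same two added lines and the same .\AzureAD\ user name form. Computer name, UPN and output path are placeholders you supply.

```powershell
# Added example (not from the original post): generate the .rdp file described above
# instead of hand-editing it in Notepad.
function New-AadRdpFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,       # name or IP of the Azure AD-joined PC
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder: email@company.com
        [string] $Path = "$env:USERPROFILE\Desktop\$ComputerName.rdp"
    )
    $lines = @(
        "full address:s:$ComputerName",
        # The post's user name form: the leading .\ avoids having to retype AzureAD\
        # after the VM auto-locks.
        "username:s:.\AzureAD\$UserPrincipalName",
        'prompt for credentials:i:1',
        # The two lines the post adds. enablecredsspsupport:i:0 disables CredSSP
        # (Network Level Authentication) on the client, so the target must not
        # require NLA; the password is then typed at the remote logon screen inside
        # the TLS session rather than before the session exists.
        'enablecredsspsupport:i:0',
        # 2 = warn if server authentication fails (0 = always connect, 1 = refuse).
        # The warning is your only signal of an untrusted certificate, so read it.
        'authentication level:i:2'
    )
    # .rdp files are plain text, one "name:type:value" setting per line.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    Get-Item $Path
}

# Usage: creates <Desktop>\aadpc01.rdp; open it by double-clicking or with mstsc.exe.
New-AadRdpFile -ComputerName 'aadpc01' -UserPrincipalName 'email@company.com'
# mstsc.exe "$env:USERPROFILE\Desktop\aadpc01.rdp"
```

Because this file turns CredSSP off, it only works against a target whose Remote Desktop settings do not require Network Level Authentication, which is the trade-off the post makes for a client that is not itself Azure AD-joined.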

There you have it! It’s a bit of a pain, but now you can RDP into a computer with your Azure AD credentials (aka, email address) to an Azure AD joined computer.


I use a free piece of software called Remote Desktop Manager for all my connections. You can’t make the necessary changes to a connection in there (that I can tell anyway), but you can create the RDP file using the instructions here then import that connection into the tool and it will work perfectly.




