23

My organization is running Windows 10 joined to an Azure AD organization (completely cloud hosted, i.e. no on-prem Active Directory). I log in to my PC with a username in the form of "username@organization.com" with no issues and have enabled Remote Desktop connections to this PC.

If I attempt to Remote Desktop from another PC on the LAN or from home, my credentials are always deemed invalid. If I attempt to login using a local account (via RDP) it works just fine.

Can anyone suggest why Azure AD credentials do not work over RDP or how to enable this feature?

Ben V
  • 4,542

3 Answers

30

It is possible. Basically you have to ensure no authentication information is sent when connecting, forcing the login screen to appear.

To do this, you must create and edit an .rdp file.

  1. Open the Remote Desktop Connection window, enter the computer name or IP
  2. Save connection settings (Show options, Save as)
  3. Open the saved .rdp file in a text editor, and make sure these rows exist like this:

     enablecredsspsupport:i:0
     authentication level:i:2

  4. Load this into RDC (Open button)
  5. Connect, provide Azure AD credentials, enjoy!

Note: when setting up the computer accepting the connection make sure not to force Network Level Authentication (checkbox on the menu where you allow the remote connections).

Credit where it's due: morgansimonsenblog.azurewebsites.net

vacip
  • 631
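The manual edit in steps 3 and 4 is easy to get wrong if the saved .rdp file already carries a different value for one of the rows. The PowerShell function below is an added example, not code from the answer or from the linked blog: it reads an existing .rdp file, replaces or appends the two rows the answer names, and writes the file back. The file path is a placeholder; the setting names and values are exactly the ones from the answer.

```powershell
# Added example (not part of the original answer). Ensures an .rdp file contains
#   enablecredsspsupport:i:0
#   authentication level:i:2
# so that no credentials are sent up front and the remote logon screen is shown.
function Set-RdpCredSspOff {
    param(
        [Parameter(Mandatory)] [string] $Path   # placeholder, e.g. "$env:USERPROFILE\Documents\Default.rdp"
    )

    # Rows the answer requires, keyed by the setting name (the part before the first colon).
    $required = [ordered]@{
        'enablecredsspsupport' = 'enablecredsspsupport:i:0'
        'authentication level' = 'authentication level:i:2'
    }

    # mstsc saves .rdp files as UTF-16; Get-Content honours the byte-order mark.
    $lines = if (Test-Path -LiteralPath $Path) { Get-Content -LiteralPath $Path } else { @() }

    $out  = New-Object System.Collections.Generic.List[string]
    $seen = @{}
    foreach ($line in $lines) {
        # Each row has the shape name:type:value; match on the name only,
        # so an existing row with the wrong value is replaced rather than duplicated.
        $name = ($line -split ':', 2)[0]
        if ($required.Contains($name)) {
            $out.Add($required[$name])
            $seen[$name] = $true
        } else {
            $out.Add($line)
        }
    }

    # Append any required row that was not present at all.
    foreach ($name in $required.Keys) {
        if (-not $seen.ContainsKey($name)) { $out.Add($required[$name]) }
    }

    # Write back in the encoding mstsc expects and return the resulting rows.
    Set-Content -LiteralPath $Path -Value $out -Encoding Unicode
    return $out
}

# Usage: Set-RdpCredSspOff -Path "$env:USERPROFILE\Documents\Default.rdp"
```

Two things worth checking on the receiving side before relying on this. Turning CredSSP off in the client only works if the host does not require Network Level Authentication, as the answer's note says; clearing that checkbox means the host will present its logon screen to anyone who can reach TCP 3389 before any authentication happens, so keep that host off untrusted networks or behind a VPN or firewall rule, and check the host's setting with `(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication` (1 means NLA is required).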
1

Starting in October 2022, there is a new method that uses Conditional Access, allows passwordless authentication methods, and enables SSO or at least storing the login token. You basically just go to the Advanced Tab of the RDP client and check "Use a web account to sign in to the remote computer". There are some caveats, however.

You cannot connect to the remote computer using an IP address, but must use the hostname matching exactly the Entra device name. In my case, I used an Azure VM and the name of the Azure VM had more than the 15 characters allowed for Entra devices (?) and therefore the hostname was truncated to 15 characters. So I had to define a DNS entry with the truncated name pointing to the VM's Public IP.

However, that still showed the error with error code CAA20002 with the server message "AADSTS293004: The target-device identifier in the request {targetDeviceId} was not found in the tenant {tenantId}" in the RDP client and the Entra sign-in logs.

Luckily, Tyler Sherman found out what is missing: You have to add the domain to the Domain registry key (for me on a W11 remote machine, it was not NV Domain, contrary to what Tyler says) in the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

Froggy
  • 536
  • 4
  • 6
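The answer above names two prerequisites that are easy to verify before digging through sign-in logs: the remote machine's name is the 15-character NetBIOS name, and the Domain value under Tcpip\Parameters must be populated. The function below is an added example, not code from the answer or from Tyler Sherman's post: it reads both Domain and NV Domain from the key the answer names, compares Domain against the DNS domain you expect (a placeholder parameter, since the answer does not state which value it used), and checks whether the truncated name resolves. The FQDN it builds is an assumption of the example.

```powershell
# Added example (not part of the original answer). Read-only check of the items
# the answer says "Use a web account to sign in" depends on.
function Test-WebAccountRdpPrereqs {
    param(
        [Parameter(Mandatory)] [string] $ExpectedDomain   # placeholder, e.g. 'contoso.com'
    )

    # Key named in the answer; Domain and NV Domain are both REG_SZ values under it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $p   = Get-ItemProperty -Path $key

    # $env:COMPUTERNAME is the NetBIOS name, already limited to 15 characters,
    # which is the truncated name the answer had to create a DNS entry for.
    $short = $env:COMPUTERNAME
    $fqdn  = "$short.$ExpectedDomain"   # assumption: the DNS entry uses this shape

    $result = [pscustomobject]@{
        ComputerName  = $short
        DomainValue   = $p.Domain          # $null when the value is missing
        NVDomainValue = $p.'NV Domain'
        DomainMatches = ($p.Domain -eq $ExpectedDomain)
        ExpectedFqdn  = $fqdn
        FqdnResolves  = $false
    }

    try {
        $null = Resolve-DnsName -Name $fqdn -ErrorAction Stop
        $result.FqdnResolves = $true
    } catch {
        # Leave FqdnResolves at $false; the DNS entry the answer describes is missing.
    }
    return $result
}

# Usage (no changes are made):
#   Test-WebAccountRdpPrereqs -ExpectedDomain 'contoso.com'
#
# The fix the answer describes, as a command, run elevated on the remote machine
# (value is a placeholder for your tenant's DNS domain):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name Domain -Value 'contoso.com'
```

If DomainMatches is false, the AADSTS293004 message in the answer is the symptom to expect in the Entra sign-in logs; if it is true but FqdnResolves is false, the client will not be able to reach the host by the name Entra knows it under, which is the first problem the answer ran into.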
-1

From this article, the following conditions must be met:

  • Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
  • Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or Azure AD registered if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
  • The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.

So, for me, I went to Start > Access Work or School > Connect. I then signed in with my Azure AD account (I did NOT join the computer to the domain, just connected it). After doing this, I was able to sign on with my domain email and password.

theMayer
  • 171