How can I RDP to an Azure AD joined Windows 10 device?

Introduction

If you are using Azure AD, you can join the device to Azure AD as part of the Windows 10 OOBE (version 1703 and later). It’s easy to do: just provide your AzureAD credentials…


and once OOBE has completed, your computer will be AzureAD joined.

Alternatively, you can join AzureAD from All Settings, Accounts, Access work or school: click on Connect and enter your AzureAD username, then click on Join this device to Azure Active Directory and continue through the wizard.

Note: if this option is missing, verify that you are on Windows 10 version 1703 or later and that your DNS is working correctly.

You can verify that your device has successfully joined AzureAD by running the following command in a PowerShell window:

dsregcmd /status

and the output is shown below; notice that AzureAdJoined is YES.
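The join check above is done by eye in the post. The following is an added example (not code from the original post) that parses the "Key : Value" lines dsregcmd /status prints and returns the join state, so it can be used in a script or run against many machines. The function names, the constructed sample output and the device name LAB-PC01 are assumptions made for this example.

```powershell
# Added example (not from the original post): parse the "Key : Value" lines that
# dsregcmd /status prints and check the join state without eyeballing the output.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Data lines look like "             AzureAdJoined : YES"; the box-drawing
        # header lines (+---- / | Device State |) start with + or | and are skipped.
        if ($line -match '^\s*(?<key>[^:|+]+?)\s*:\s*(?<value>.*?)\s*$') {
            $status[$Matches.key] = $Matches.value
        }
    }
    return $status
}

function Test-AzureAdJoined {
    param([Parameter(Mandatory)][hashtable]$Status)
    return ($Status['AzureAdJoined'] -eq 'YES')
}

# Constructed sample output, shaped like the real report. On a live machine use:
#   $status = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAB-PC01
'@ -split "`r?`n"

$status = ConvertFrom-DsregcmdStatus -Lines $sampleOutput
if (Test-AzureAdJoined -Status $status) {
    "Device is Azure AD joined (DomainJoined={0})" -f $status['DomainJoined']
} else {
    "Device is NOT Azure AD joined; review the dsregcmd /status output"
}
```

The parser stops each key at the first colon, so values that themselves contain colons (URLs, for example) are kept intact in the value part.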

If you want to RDP to this computer over the local LAN, you’ll need a few things in place on both the computer you are RDP’ing from and the computer you are RDP’ing to.

Note: This post is aimed at a lab environment. In a production environment you shouldn’t enable RDP directly, as this will expose you to the risk of being compromised. If you really need to expose Remote Desktop Services, use an RD Gateway server with the new Remote Desktop WebClient.

Step 1. Change Remote desktop settings

On the computer you intend to RDP to, set the Remote Desktop settings to Allow Remote Connections to this computer and clear the checkbox Allow connections only from computers running Remote Desktop with Network Level Authentication enabled, as shown here.
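The two settings in that dialog are stored in the registry, which makes it possible to apply them, check them, and later put them back from a script. The following is an added example (not code from the original post), to be run in an elevated PowerShell window on the target PC; the function names are assumptions made for this example, while the registry paths and value names are the standard Remote Desktop ones.

```powershell
# Added example (not from the original post): apply and check the two Remote Desktop
# settings behind the Step 1 dialog. Run from an elevated PowerShell on the TARGET PC.
#   fDenyTSConnections = 0  -> "Allow Remote Connections to this computer"
#   UserAuthentication = 0  -> NLA checkbox cleared (1 = NLA required, the default)
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsPath\WinStations\RDP-Tcp"

function Get-RdpState {
    # Report the current state in the same terms as the Settings dialog
    [pscustomobject]@{
        RemoteConnectionsAllowed = ((Get-ItemProperty -Path $tsPath -Name fDenyTSConnections).fDenyTSConnections -eq 0)
        NlaRequired              = ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1)
    }
}

function Set-LabRdpState {
    param([switch]$RequireNla)   # omit the switch to reproduce the post's lab setting
    Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value ([int]($RequireNla.IsPresent))
    # The Settings toggle also opens the firewall for RDP; do the same explicitly here.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RdpState
}

Write-Host 'Before:'
Get-RdpState
Set-LabRdpState            # lab setting from the post: RDP on, NLA off
Write-Host 'After:'
Get-RdpState
# When the lab is finished, restore the default:  Set-LabRdpState -RequireNla
```

Clearing the NLA checkbox (UserAuthentication = 0) is what lets the AzureAD logon happen on the target's own logon screen instead of before the session is set up; the cost is that anyone who can reach TCP 3389 gets as far as that logon screen, which is why the post limits this to a lab and why the -RequireNla switch is there to put it back.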

Step 2. Create new rdp config file

On the computer you intend to RDP from, open mstsc.exe and click on Show Options.

Click on Save As…, give it a new name such as AzureAD_RDP, and save it somewhere easy to find.

Open the saved file in Notepad and verify that the following two lines are present; if not, add them.

enablecredsspsupport:i:0
authentication level:i:2

Save the file.

Step 3. RDP to the target computer

On the computer where you just edited the config file, open MSTSC.exe, click on Show Options, then click on Open and point it to the previously created AzureAD_RDP config file. Enter the IP address or FQDN of the computer you want to RDP to; do not enter any username.

You may see the usual RDP prompt… it’s ok, click on Connect

Depending on what device you are connecting from (and to), you’ll see different results. For example, from an AzureAD joined device that you’ve logged into with the same UPN you are using to connect to the target PC, you’ll be prompted to enter your AzureAD password like so:

and you are in.

If, however, you are connecting from, say, a Workgroup (non-Azure AD joined) device, then the login experience will be different and you’ll see a login page like this. Enter your username as:

AzureAD\<UPN>

where <UPN> is the full User Principal Name of your AzureAD user.
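Steps 2 and 3 above are one client-side procedure: save an .rdp file, make sure the two settings are in it, then open it in mstsc.exe. The following is an added example (not code from the original post) that does that from PowerShell on the computer you are connecting from: it reads the file mstsc saved (or starts from nothing), adds or corrects the two required lines, deliberately leaves the username blank as the post instructs, checks the result, and launches mstsc with the file. The function names, the file path under Documents and the target host name lab-pc01.example.local are assumptions made for this example.

```powershell
# Added example (not from the original post): build or repair the .rdp file from Step 2
# and launch it as in Step 3. Run on the computer you are connecting FROM.
# The two settings the post requires, as the "type:value" part of a name:type:value line:
$requiredSettings = @{
    'enablecredsspsupport' = 'i:0'   # no CredSSP (NLA) pre-authentication from the client
    'authentication level' = 'i:2'   # warn on server identity problems instead of refusing
}

function Set-AzureAdRdpFile {
    param(
        [Parameter(Mandatory)][string]$Path,        # the file saved with mstsc "Save As..."
        [Parameter(Mandatory)][string]$TargetHost   # IP address or FQDN of the Azure AD joined PC
    )
    # Start from the existing file if there is one, otherwise from an empty settings list
    $lines = if (Test-Path $Path) { Get-Content -Path $Path } else { @() }
    $settings = [ordered]@{}
    foreach ($line in $lines) {
        # Each .rdp line is  name:type:value  where type is i (integer) or s (string)
        if ($line -match '^(?<name>[^:]+):(?<rest>[is]:.*)$') {
            $settings[$Matches.name] = $Matches.rest
        }
    }
    # Add the required lines if missing, or replace them if present with another value
    foreach ($name in $requiredSettings.Keys) { $settings[$name] = $requiredSettings[$name] }
    $settings['full address'] = "s:$TargetHost"
    # No "username:s:" line on purpose: the post says to leave the username blank and to
    # type AzureAD\<UPN> at the logon prompt when connecting from a non-AAD-joined device
    $settings.Remove('username')
    $settings.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" } | Set-Content -Path $Path
    return $Path
}

function Test-AzureAdRdpFile {
    # True when both required lines are present exactly as the post lists them
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -Path $Path
    $missing = $requiredSettings.GetEnumerator() |
        Where-Object { $content -notcontains "$($_.Key):$($_.Value)" } |
        ForEach-Object { "$($_.Key):$($_.Value)" }
    return ($missing.Count -eq 0)
}

$rdpFile = Set-AzureAdRdpFile -Path "$env:USERPROFILE\Documents\AzureAD_RDP.rdp" -TargetHost 'lab-pc01.example.local'
if (Test-AzureAdRdpFile -Path $rdpFile) {
    # Same as mstsc.exe > Show Options > Open > (pick the file) > Connect
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$rdpFile`""
} else {
    Write-Error "Required settings missing from $rdpFile"
}
```

Because the file is parsed into name/value pairs rather than appended to, running the script twice does not produce duplicate lines, and a file where someone has set enablecredsspsupport:i:1 is corrected rather than silently left in a state that makes the AzureAD logon fail.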

job done 🙂
