Windows Server 2025 (and earlier versions) can be Entra ID joined.
In Azure this is straightforward: it can be done when deploying the VM, or later by installing the AADLoginForWindows extension.
The best way to manage a VM when you need RDP access is Azure Bastion.
If that is not an option (perhaps because of pricing, although that should not be the main reason for not choosing Azure Bastion), you can still RDP to an Entra ID joined VM with Entra ID credentials.
This guide is primarily for signing in from source computers that are NOT joined to the same Entra ID tenant as the target servers.
You just need to set up a few things before it will work.
- Grant your Entra ID user the "Virtual Machine Administrator Login" RBAC role on the virtual machine in Azure (see Azure built-in roles for Compute – Azure RBAC | Microsoft Learn). Without this role assignment the sign-in is refused even with valid Entra ID credentials.
- Download the RDP file for the VM (make sure the VM has a public IP, or that you have VPN access to the VM and can reach its private IP).
- Modify the .RDP file: open it in the Remote Desktop client, go to the Advanced tab and enable "Use a web account to sign in to the remote computer" (this writes enablerdsaadauth:i:1 into the .rdp file).
- Open the hosts file (C:\Windows\System32\drivers\etc\hosts) as Administrator.
- Insert the IP and hostname of the server you want to RDP to and save the changes (or make sure you have a DNS server that resolves the server's name, so you do not have to type the server's FQDN). The connection must target the server by name, not by IP, for the web account sign-in to work.
- Now you can sign in to the server with your Entra ID account.
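The steps above, scripted end to end from the client side. This is an added example, not code from the original post; it assumes the Az PowerShell module, an authenticated Connect-AzAccount session, and placeholder values for the resource group, VM name and user UPN. It follows the post's approach of connecting by hostname and adding a hosts entry when no DNS server can resolve the name.

```powershell
# Added example (not from the original post). Run on the source computer in an
# elevated PowerShell session (the hosts file write needs Administrator).
# Placeholders: replace with your own resource group, VM name and user UPN.
$ResourceGroup = 'rg-example'
$VmName        = 'vm-example'
$UserUpn       = 'anders.andersen@company.com'
$RdpPath       = "$env:USERPROFILE\Desktop\$VmName.rdp"

# 1. Grant the signing-in user "Virtual Machine Administrator Login" scoped to this VM only.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
New-AzRoleAssignment -SignInName $UserUpn `
    -RoleDefinitionName 'Virtual Machine Administrator Login' `
    -Scope $vm.Id

# 2. Download the RDP file Azure generates for the VM (public IP or VPN reachability required).
Get-AzRemoteDesktopFile -ResourceGroupName $ResourceGroup -Name $VmName -LocalPath $RdpPath

# 3. Read the address Azure put in the file (may carry a :port suffix), then rewrite
#    the file so it targets the hostname and has web account sign-in enabled
#    (the same setting the Advanced tab checkbox writes: enablerdsaadauth:i:1).
$content = Get-Content -Path $RdpPath
$ip = ($content | Where-Object { $_ -like 'full address:s:*' }) -replace '^full address:s:', '' -replace ':\d+$', ''
$lines = $content | Where-Object { $_ -notmatch '^(full address|enablerdsaadauth):' }
$lines += "full address:s:$VmName"
$lines += 'enablerdsaadauth:i:1'
Set-Content -Path $RdpPath -Value $lines

# 4. Make the hostname resolve locally; skip if an entry for it already exists.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\s$([regex]::Escape($VmName))(\s|$)" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$ip`t$VmName"
}

# 5. Open the connection; mstsc prompts for the Entra ID account (web sign-in).
mstsc $RdpPath
```

If your client already resolves the VM name through DNS, drop step 4; the rest is unchanged. Keep the role assignment scoped to the VM resource ID rather than the subscription or resource group, so the login right does not silently extend to other machines.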
You can also add other accounts to local groups on the server. Note that local group membership does not by itself grant sign-in: the user still needs the "Virtual Machine User Login" or "Virtual Machine Administrator Login" RBAC role on the VM. If you want to create a local group on the target VM and add Entra ID users to it, do the following:
Open a command prompt as Administrator and add the user to the target group. For a user called Anders Andersen, the command would be:
net localgroup NameOfLocalGroup AzureAD\AndersAndersen@company.com /add
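The group step, scripted for more than one user. This is an added example, not code from the original post; it runs in an elevated PowerShell session on the Entra-joined VM, uses net localgroup (the command the post uses for AzureAD\ principals) for the membership change, and the group and user names are placeholders.

```powershell
# Added example (not from the original post). Run elevated ON the target VM.
# Placeholders: group name and the AzureAD\<UPN> principals to add.
$GroupName = 'RdpOperators'
$Users = @(
    'AzureAD\AndersAndersen@company.com',
    'AzureAD\bodil.bertelsen@company.com'
)

# Create the local group only if it does not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Entra ID users allowed to manage this server'
}

# Add each Entra ID principal with net localgroup, as the post does, and report failures.
# Exit code 2 with "already a member" is benign and treated as success here.
foreach ($user in $Users) {
    $output = net localgroup $GroupName $user /add 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Added $user to $GroupName"
    } elseif ($output -match 'already a member') {
        Write-Host "$user is already in $GroupName"
    } else {
        Write-Warning "Failed to add $user (exit code $LASTEXITCODE): $output"
    }
}

# Verify the result: members are listed in the AzureAD\<UPN> form.
net localgroup $GroupName
```

Re-run the script after adding names to $Users; existing members are left alone and only new ones are added.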