In this post, we will see how to sign in to an Azure VM using an Azure AD account. This allows us to use our corporate account credentials instead of a local Windows account.
Prerequisites
Before you start following the steps of this guide, make sure that the following applies:
- The Azure VM runs Windows 10 version 1809 or later, or Windows Server 2019.
- Download and install the Azure CLI from this link
Step 1. Install the extension AADLoginForWindows
This can be achieved through the Azure CLI commands below (sign in first, then install the extension on the VM):
az login
az vm extension set --name AADLoginForWindows --publisher Microsoft.Azure.ActiveDirectory --resource-group WinRDPAAD-RG --vm-name Win10VM
A couple of minutes later, we can see that the extension has been successfully provisioned.
Step 2. Join the Azure VM to the Azure AD tenant
In the second step, we have to join the Azure VM to the desired Azure AD tenant. To do so, go to Settings – Accounts – Access work or school, click the + Connect button, select “Join this device to Azure Active Directory” and type the user account credentials.
In the informative message, confirm the organization details and click Join.
And we are set to go!
Step 3. Edit the RDP file and add two extra lines
In the third step, we download the RDP file, right-click on it and open it with any text editor (Notepad, Notepad++, etc.). The file should contain the settings shown in the example below; the last two lines are the ones we add.
full address:s:XXX.XXX.XXX.XXX:3389
prompt for credentials:i:1
administrative session:i:1
enablecredsspsupport:i:0
authentication level:i:2
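To make the step repeatable, here is a small script (an added example, not part of the original post) that parses a downloaded .rdp file in its name:type:value format, overwrites the settings above if they already exist and appends the missing ones. The sample .rdp content and the 203.0.113.10 address are constructed for the example.

```python
import sys
from pathlib import Path

# Settings step 3 requires for an Azure AD sign-in over RDP (name -> "type:value").
AAD_RDP_SETTINGS = {
    "prompt for credentials": "i:1",
    "administrative session": "i:1",
    "enablecredsspsupport": "i:0",
    "authentication level": "i:2",
}

# Constructed sample of what the Azure portal's downloaded .rdp file typically looks like.
SAMPLE_RDP = "full address:s:203.0.113.10:3389\nprompt for credentials:i:1\nadministrative session:i:1\n"


def parse_rdp(text: str) -> list[tuple[str, str]]:
    """Split each 'name:type:value' line into (name, 'type:value'), keeping order.
    The value may itself contain colons (e.g. the host:port in 'full address')."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if not sep or ":" not in rest:
            raise ValueError(f"malformed .rdp line: {line!r}")
        entries.append((name.strip().lower(), rest.strip()))
    return entries


def apply_aad_settings(text: str) -> str:
    """Return the .rdp content with the four settings enforced; other lines are untouched."""
    entries = [(n, AAD_RDP_SETTINGS.get(n, v)) for n, v in parse_rdp(text)]
    present = {n for n, _ in entries}
    entries += [(n, v) for n, v in AAD_RDP_SETTINGS.items() if n not in present]
    return "".join(f"{n}:{v}\n" for n, v in entries)


def has_aad_settings(text: str) -> bool:
    """Check whether a file already carries all four settings with the expected values."""
    found = dict(parse_rdp(text))
    return all(found.get(n) == v for n, v in AAD_RDP_SETTINGS.items())


if __name__ == "__main__":
    # Usage: python edit_rdp.py <file.rdp>  (hypothetical script name; edits the file in place)
    rdp_path = Path(sys.argv[1])
    rdp_path.write_text(apply_aad_settings(rdp_path.read_text()))
```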
Step 4. Disable Network Level Authentication
In the fourth step, we need to disable NLA (Network Level Authentication). Go to Settings – System – Remote Desktop, select Advanced settings,
uncheck “Require computers to use Network Level Authentication to connect (recommended)” and select Proceed anyway, as shown in the image below.
Step 5. Sign In using Azure AD user
In the final step, we try to sign in with an Azure AD user.
The user signs in to Windows with the Azure AD account.
To verify it, open CMD and run the “whoami” command.