In this post, we will see how to sign in to an Azure VM using an Azure AD account. This allows us to use our corporate account credentials instead of a local Windows account.

Prerequisites

Before you start following the steps of this guide, make sure the following applies:

  • The Azure VM runs Windows 10 version 1809 or later, or Windows Server 2019.
  • Download and install the Azure CLI from this link.
Step 1. Install the extension AADLoginForWindows

This can be achieved with the Azure CLI commands below (sign in first, then install the extension on the VM):

az login

az vm extension set --name AADLoginForWindows --publisher Microsoft.Azure.ActiveDirectory --resource-group WinRDPAAD-RG --vm-name Win10VM

A couple of minutes later, we can see that the extension has been successfully provisioned.

Step 2. Join the Azure VM to the Azure AD tenant

In the second step, we join the Azure VM to the desired Azure AD tenant. To do so, go to Settings > Accounts > Access work or school, click the + Connect button, select “Join this device to Azure Active Directory” and type the user account credentials.

In the confirmation message, check the organization details and click Join.

And we are set to go!
Step 3. Edit the RDP file and add two extra lines

In the third step, we download the RDP file, right-click on it and open it with any text editor (Notepad, Notepad++, etc.), then add the last two lines shown in the example below (the first three are already present in the downloaded file).

full address:s:XXX.XXX.XXX.XXX:3389
prompt for credentials:i:1
administrative session:i:1
enablecredsspsupport:i:0
authentication level:i:2
Step 4. Disable Network Level Authentication

In the fourth step, we need to disable NLA (Network Level Authentication). NLA authenticates the client before the remote session is created, which does not work with Azure AD accounts; the trade-off is that the VM's sign-in screen is now reachable by anyone who can connect to port 3389, so keep inbound RDP access restricted. Go to Settings > System > Remote Desktop, select Advanced settings, uncheck “Require computers to use Network Level Authentication to connect (recommended)” and select Proceed anyway, as shown in the image below.
Step 5. Sign In using Azure AD user

In the final step, we sign in with an Azure AD user.

The user signs in to Windows with the Azure AD account.

To verify it, open CMD and run the whoami command.
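As an added example that is not part of the original post, the script below automates the step 1 check (via az vm extension show, which needs a signed-in Azure CLI) and the step 3 RDP edit, replacing an existing key instead of duplicating it and preserving the file's CRLF line endings. The resource group and VM name default to the ones used above; the script name, the RDP file name and the sample file contents are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): automates the step 1 check and
# the step 3 RDP edit. Resource group and VM name default to the post's values;
# everything else (paths, sample file contents) is constructed for this example.
set -euo pipefail

# Step 1 check: print the provisioning state of AADLoginForWindows on the VM
# ("Succeeded" once the extension is in place). Needs a prior "az login".
aad_extension_state() {
  local rg="${1:-WinRDPAAD-RG}" vm="${2:-Win10VM}"
  az vm extension show --resource-group "$rg" --vm-name "$vm" \
    --name AADLoginForWindows --query provisioningState --output tsv
}

# Set one "key:type:value" line in an RDP file: replace the key if present,
# append it otherwise. Portal-downloaded RDP files use CRLF endings, so the
# \r of each line is stripped for matching and put back on output.
set_rdp_setting() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    BEGIN { FS = ":" }
    { cr = (sub(/\r$/, "") ? "\r" : "") }
    $1 == key { print key ":" value cr; found = 1; next }
    { print $0 cr }
    END { if (!found) print key ":" value cr }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Step 3: add the two extra lines the post describes.
prepare_rdp_for_aad() {
  set_rdp_setting "$1" "enablecredsspsupport" "i:0"
  set_rdp_setting "$1" "authentication level" "i:2"
}

# Check that a setting is present with exactly the given value.
rdp_has_setting() {
  tr -d '\r' < "$1" | grep -x "$2:$3" > /dev/null
}

# Stand-alone use: ./aad-rdp.sh Win10VM.rdp
if [ "$#" -gt 0 ]; then
  prepare_rdp_for_aad "$1"
  rdp_has_setting "$1" enablecredsspsupport i:0 \
    && rdp_has_setting "$1" "authentication level" i:2 \
    && echo "$1 is ready for Azure AD sign-in"
fi
```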