Windows 10 Remote Desktop connection using Azure AD Credentials
--------------------------------------------------
Music by Eric Matyas
https://www.soundimage.org
Track title: Ocean Floor
--
Chapters
00:00 Windows 10 Remote Desktop Connection Using Azure AD Credentials
00:44 Accepted Answer Score 30
01:37 Answer 2 Score 0
02:54 Thank you
--
Full question
https://superuser.com/questions/951330/w...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#windows10 #azure
#avk47
ACCEPTED ANSWER
Score 30
It is possible. Basically you have to ensure no authentication information is sent when connecting, forcing the login screen to appear.
To do this, you must create and edit an .rdp file.
- Open the Remote Desktop Connection window, enter the computer name or IP
- Save connection settings (Show options, Save as)
- Open the saved .rdp file in a text editor, and make sure these rows exist like this:
enablecredsspsupport:i:0
authentication level:i:2
- Load this into RDC (Open button)
- Connect, provide Azure AD credentials, enjoy!
Note: when setting up the computer accepting the connection make sure not to force Network Level Authentication (checkbox on the menu where you allow the remote connections).
Credits where it's due: morgansimonsenblog.azurewebsites.net
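The steps above, scripted as an added example (not code from the answer or from the blog it credits): one function writes or repairs an .rdp file so that the two required rows are present, one verifies them, and one reads (without changing) the value behind the NLA checkbox the note mentions. The computer name, the output path and the sample host name in the usage comment are assumptions you supply.

```powershell
# Added example, not from the accepted answer or its linked blog: build or repair an
# .rdp file so that no credentials are sent up front and the Azure AD login screen
# appears. Assumptions: $ComputerName and $Path are supplied by you; the .rdp
# "name:type:value" line format and the two settings are as the answer states.

function Set-RdpFileSetting {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Settings   # name -> 'type:value', e.g. 'i:0'
    )
    # Force an array so a one-line file does not turn += into string concatenation.
    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }

    foreach ($name in $Settings.Keys) {
        $newLine = '{0}:{1}' -f $name, $Settings[$name]
        $pattern = '^' + [regex]::Escape($name) + ':'
        if (@($lines -match $pattern).Count -gt 0) {
            # The GUI may have saved a different value; overwrite it in place.
            $lines = @($lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } })
        } else {
            $lines += $newLine
        }
    }
    # mstsc "Save As" writes UTF-16LE; keep the same encoding so the file round-trips.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
}

function New-AzureAdRdpFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,               # hostname or IP of the target
        [string] $Path = (Join-Path $env:USERPROFILE "$ComputerName.rdp")
    )
    Set-RdpFileSetting -Path $Path -Settings @{
        'full address'         = "s:$ComputerName"
        'enablecredsspsupport' = 'i:0'   # no CredSSP -> nothing is sent before the logon screen
        'authentication level' = 'i:2'   # warn, but still connect, if the server cert is untrusted
    }
    return $Path
}

function Test-AzureAdRdpFile {
    # Returns $true when both rows the answer requires are present with the right values.
    param([Parameter(Mandatory)] [string] $Path)
    $content = @(Get-Content -LiteralPath $Path)
    return ($content -contains 'enablecredsspsupport:i:0') -and
           ($content -contains 'authentication level:i:2')
}

function Get-RdpNlaRequirement {
    # Run on the machine accepting the connection. Reads (does not change) the value behind
    # the "require Network Level Authentication" checkbox: 1 = NLA forced, 0 = not forced.
    # With 0 the listener accepts a session before the user is authenticated, which is why
    # the answer's approach works; it also means the logon screen is exposed to the network.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    return (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
}

# Usage (constructed example host name):
# $rdp = New-AzureAdRdpFile -ComputerName 'vm-example.contoso.example'
# Test-AzureAdRdpFile -Path $rdp     # True when both rows are in place
# mstsc.exe $rdp
```

Run `Get-RdpNlaRequirement` on the target, not the client; the other two functions only touch the local .rdp file.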
ANSWER 2
Score 0
Starting in October 2022, there is a new method that uses Conditional Access, allows passwordless authentication methods, and enables SSO or at least storing the login token. You basically just go to the Advanced Tab of the RDP client and check "Use a web account to sign in to the remote computer". There are some caveats, however.
You cannot connect to the remote computer using an IP address, but must use the hostname matching exactly the Entra device name. In my case, I used an Azure VM and the name of the Azure VM had more than the 15 characters allowed for Entra devices (?) and therefore the hostname was truncated to 15 characters. So I had to define a DNS entry with the truncated name pointing to the VM's Public IP.
However, that still showed the error with error code CAA20002 with the server message "AADSTS293004: The target-device identifier in the request {targetDeviceId} was not found in the tenant {tenantId}" in the RDP client and the Entra sign-in logs.
Luckily, Tyler Sherman found out what is missing: You have to add the domain to the Domain registry key (for me on a W11 remote machine, it was not NV Domain, contrary to what Tyler says) in the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.