Author : MD TAREQ HASSAN | Updated : 2021/02/08
Points to be noted
- Limitations:
  - As of February 2021, an Azure AD joined VM can only be accessed over RDP from another Azure AD joined VM
  - Bastion is not supported
- For an RDP connection to an Azure AD joined VM:
  - The Azure AD joined VM must have a public IP (assigned to its NIC)
  - NSG inbound rule: RDP 3389 must be allowed
  - The “Virtual Machine Administrator Login” or “Virtual Machine User Login” role must be assigned to the user from “Access control (IAM)” of the target VM (how to do it -> see the “Role assignment” section below)
- Jumpbox VM
  - Both a “Windows Server VM” and a “Windows 10 VM” can be used as the jumpbox VM
  - The jumpbox VM is only for connecting to the target Azure AD joined VM via RDP using Azure credentials
  - The jumpbox VM is also Azure AD joined
  - Some settings are needed in the jumpbox VM (see below). In future these settings might not be needed (so they might not apply to your case)
- Notes:
  - Allowing RDP while creating the VM is the fastest way to connect
  - Attaching a public IP, NIC & NSG after creating the VM caused a problem in my case -> the public IP was not showing up in the NIC & VM
Role Assignment
- In order to log in to the VM using Azure AD credentials, one of the following roles must be assigned to the user:
  - “Virtual Machine Administrator Login” role
  - “Virtual Machine User Login” role
- Make sure that “Access management for Azure resources” is enabled in Azure AD
  - See: Enabling “Access management for Azure resources”
Procedure to assign required role
- Resource group > Select target Azure AD joined VM (the VM to which we will login using Azure credentials)
- Access control (IAM) > Add a role assignment
- Search “Virtual Machine Administrator” > Add “Virtual Machine Administrator Login”
- Assign access to: add target user/group
- Save
Notes:
- The “Virtual Machine Administrator Login” role is only for granting the user permission to log in to the VM using AAD credentials
- The “Virtual Machine Administrator Login” role has nothing to do with the “Print Administrator” role for managing printers in the Universal Print portal
Settings in Jumpbox VM
- “Remote Desktop Users” group
  - The Azure AD user must be added to the “Remote Desktop Users” group
  - The “Remote Desktop Users” group will only be available if the VM is Azure AD joined -> our jumpbox VM is also Azure AD joined
  - Open ‘cmd’ as admin
  - Execute command:
    net localgroup "remote desktop users" /add "AzureAD\UPN"
  - Example:
    net localgroup "remote desktop users" /add "AzureAD\foo@bar.onmicrosoft.com"
  - In my case: “AzureAD\hassan@hovermind.onmicrosoft.com”
- Restart the jumpbox VM (don’t forget to restart)
Checking that the Azure AD user is added to the “Remote Desktop Users” group
- Right click on “This PC” > Properties
- Related settings > Click “Advanced system settings” > Remote
- Select users > “AzureAD\foo@bar.onmicrosoft.com” should be shown here
Connecting to target VM
From PC
- Go to the Azure portal
- Resource group > Jumpbox VM > Connect > RDP > Download
- Right click > Connect > use the VM ID & password (the ID & password that were set during VM creation; NOT the Azure credentials)
Inside Jumpbox VM
- First check that the Remote Desktop “Network Level Authentication” setting is checked in the jumpbox VM
- Go to the Azure portal
- Resource group > Target VM > Connect > RDP > Download
- Right click > Connect > use Azure credentials (NOT the VM ID & password)
  - Note: You might need to select the “Other user” option to use Azure credentials (by default your Windows user might be selected)
Troubleshooting
If you cannot connect using the downloaded RDP file, the following workaround may help:
- Open Notepad as admin > open the downloaded RDP file
- Add the following lines at the bottom and save:
  enablecredsspsupport:i:0
  authentication level:i:2
- Now try to connect
Courtesy: https://youtu.be/hbKNrNjQpUw
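The jumpbox group membership step, the membership check, and the RDP-file workaround above, scripted as one added example (this is not from the original notes). It assumes an elevated PowerShell session on the Azure AD joined jumpbox VM; the UPN and the RDP file path are placeholders, and the user must already hold the login role on the target VM.

```powershell
# Added example, not from the original notes: run in an elevated PowerShell
# session on the Azure AD joined jumpbox VM. The UPN and RDP path are placeholders.
param(
    [string]$Upn = 'foo@bar.onmicrosoft.com',                       # placeholder UPN
    [string]$RdpFile = "$env:USERPROFILE\Downloads\target-vm.rdp",  # assumed download path
    [switch]$ApplyWorkaround                                         # only if the RDP file fails
)

$Group  = 'Remote Desktop Users'
$Member = "AzureAD\$Upn"

# 1. Add the Azure AD user to the local RDP group (same command as in the notes).
#    net.exe exits non-zero when the account is already a member; treat that as OK.
$addOut = & net.exe localgroup $Group /add $Member 2>&1
if ($LASTEXITCODE -ne 0 -and -not ($addOut -match 'already a member')) {
    throw "Could not add $Member to '$Group': $addOut"
}

# 2. Verify membership by listing the group, the scriptable form of the
#    'Advanced system settings > Remote > Select users' check in the notes.
#    net.exe is used instead of Get-LocalGroupMember, which can fail on AzureAD\ principals.
$listed = (& net.exe localgroup $Group) | ForEach-Object { $_.Trim() } |
          Where-Object { $_ -ieq $Member }
if (-not $listed) { throw "$Member is not listed in '$Group'; check the AzureAD\ prefix and the UPN" }
Write-Host "$Member is a member of '$Group'. Restart the VM before connecting."

# 3. Optional: apply the Troubleshooting-section workaround to the downloaded RDP file.
#    enablecredsspsupport:i:0 turns CredSSP (NLA) off for this connection, so the
#    Azure AD credentials are sent after the TLS channel is up instead of during
#    pre-authentication; authentication level:i:2 warns but still connects if the
#    server certificate cannot be verified. Keep the NSG inbound 3389 rule narrow.
if ($ApplyWorkaround) {
    if (-not (Test-Path $RdpFile)) { throw "RDP file not found: $RdpFile" }
    $wanted = @('enablecredsspsupport:i:0', 'authentication level:i:2')
    $keys   = $wanted | ForEach-Object { $_.Split(':')[0] }
    # Drop any existing line for these keys so the appended values are the effective ones.
    $kept = foreach ($line in (Get-Content -Path $RdpFile)) {
        if ($keys -notcontains $line.Split(':')[0]) { $line }
    }
    Set-Content -Path $RdpFile -Value ($kept + $wanted)
    Write-Host "Workaround settings written to $RdpFile"
}
```

Run it once without `-ApplyWorkaround` first; only add the switch if the unmodified RDP file fails to connect, as in the Troubleshooting section.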
Next
- For Windows Server (2016/2019 …)
  - Disable Internet Explorer Enhanced Security
    - How to disable: https://www.top-password.com/blog/disable-internet-explorer-enhanced-security-configuration-in-windows-server/
  - Download and install the Microsoft Edge browser: https://www.microsoft.com/en-us/edge/business/download
- Download Azure Storage Explorer: https://go.microsoft.com/fwlink/?LinkId=708343&clcid=0x409
- Download and install Notepad++: https://github.com/notepad-plus-plus/notepad-plus-plus/releases/