As described in this article, you can connect over Remote Desktop to computers that are joined to Azure Active Directory using the credentials of an Azure AD user. Read the linked article for the setup prerequisites; there are also some troubleshooting tips in this Azure VM and Azure AD article.
The important thing to highlight is that you can RDP to an Azure AD joined (AADJ) machine (the RDP server) from another Azure AD joined or Workplace Joined machine (the RDP client) only if both are joined to the same Azure AD tenant. Support for a Workplace Joined machine as the RDP client was added in Windows 10 build 20H1. RDP from a Hybrid Azure AD joined machine to an Azure AD joined machine is supported as well, but it uses a different authentication flow.
How RDP to an AADJ RDP server works
For the RDP server to trust the user signing in from the RDP client, a set of MS-Organization-P2P-Access certificates is used. You can find out more about these certificates, where they are stored and how long they are valid in this official FAQ and this blog.
When the user opens the RDP client and types the computer name and the user name (e.g. AzureAD\email@example.com), the RDP client's CloudAP plugin (CloudAPPlugin) calls Azure AD with the user's credentials to obtain the user MS-Organization-P2P-Access certificate.
After successfully obtaining the client certificate, the CloudAP plugin on the RDP client presents the user MS-Organization-P2P-Access certificate to the RDP server. The RDP server validates it (this is possible because the user MS-Organization-P2P-Access certificate is issued by the same tenant certificate authority, the AAD Token Issuer) and presents its own computer MS-Organization-P2P-Access certificate to the RDP client for validation.
If validation of the computer MS-Organization-P2P-Access certificate succeeds, the user's credentials are passed to the RDP server, which sends them, together with its own Azure AD device join certificate (MS-Organization-Access), to Azure AD to obtain a Primary Refresh Token (PRT) for the signing-in user.
Based on the flow explained above (each side only trusts a P2P certificate issued by its own tenant's CA), you need to make sure that:
- Both computers (the RDP client and the server) are Azure AD joined to the same tenant. You can troubleshoot registration issues using this post.
- If both computers are successfully Azure AD joined, check the AAD Admin (and, if needed, Analytic) logs on both the RDP client and the server for any events recorded at the time of the remote connection attempt. Some tips on how to read the AAD logs are here.
- The policy “Network security: Allow PKU2U authentication requests to this computer to use online identities” is enabled on the server. More details here.
- Keep in mind that certificate-based sign-in to the RDP client and server is currently supported only in federated environments.
I plan to keep updating this post as I collect more examples of errors in obtaining or exchanging MS-Organization-P2P-Access certificates and their potential solutions.
In a federated environment, a user who signed in to the RDP client with a certificate can't RDP to the server machine, and in the RDP client's AAD logs we see errors similar to these: “WSTrust response error: FailedAuthentication.ExpiredPassword.” and “WSTrust response error: InvalidSecurity”.
Solution: the first thing I would recommend checking is the time setting on the RDP client. WS-Trust requests carry a security timestamp, so a client clock that is out of sync with the federation server is enough to get the request rejected even though the credentials themselves are fine.
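The following PowerShell script is an added example, not code from the original post or from Microsoft. It is meant to be run on both the RDP client and the RDP server and walks through the checklist above (Azure AD join state and tenant match, the MS-Organization-P2P-Access certificates, the PKU2U online-identity policy, recent AAD log events) plus the clock check from the WSTrust error case. Assumptions that are mine, not facts stated on this page: the certificate store paths (Cert:\LocalMachine\My for the device and computer P2P certificates, Cert:\CurrentUser\My for the user P2P certificate), the registry value that backs the PKU2U policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, AllowOnlineID), and the AAD log name Microsoft-Windows-AAD/Operational. The parameters $ExpectedTenantId and $LogMinutes are hypothetical script inputs.

```powershell
<#
  Added example (not part of the original post): diagnostic script for RDP to an AADJ machine.
  Run it on the RDP client and on the RDP server and compare the two outputs.
  Assumed (not from the post): store paths, the PKU2U registry value and the AAD log name.
#>
param(
    [string]$ExpectedTenantId,   # tenant both machines must be joined to (optional)
    [int]$LogMinutes = 30        # look-back window for AAD log events
)

function Get-DsregStatus {
    # Turn the 'Key : Value' lines of dsregcmd /status into a hashtable
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-CertsByIssuer {
    param([string]$StorePath, [string]$IssuerPattern)
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like $IssuerPattern }
}

function Show-CertValidity {
    param([string]$StorePath, [string]$IssuerPattern, [string]$Label)
    $certs = Get-CertsByIssuer -StorePath $StorePath -IssuerPattern $IssuerPattern
    if (-not $certs) { Write-Warning "No $Label certificate found in $StorePath"; return }
    $now = Get-Date
    foreach ($c in $certs) {
        # P2P certificates are short-lived, so an expired or not-yet-valid one usually means a clock problem
        $state = 'valid'
        if ($now -gt $c.NotAfter) { $state = 'EXPIRED' }
        elseif ($now -lt $c.NotBefore) { $state = 'NOT YET VALID (check the clock)' }
        "$Label in $StorePath : $($c.Subject) | issuer '$($c.Issuer)' | $($c.NotBefore) .. $($c.NotAfter) [$state]"
    }
}

function Test-Pku2uOnlineId {
    # Policy: "Network security: Allow PKU2U authentication requests to this computer to use online identities"
    # Assumed registry backing: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, AllowOnlineID (DWORD) = 1
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' -Name AllowOnlineID -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.AllowOnlineID -eq 1)
}

$s = Get-DsregStatus
'--- Join state (dsregcmd /status) ---'
"AzureAdJoined   : $($s['AzureAdJoined'])"
"WorkplaceJoined : $($s['WorkplaceJoined'])"
"DomainJoined    : $($s['DomainJoined'])  (YES together with AzureAdJoined = Hybrid Azure AD joined)"
"TenantId        : $($s['TenantId'])"
if ($ExpectedTenantId -and $s['TenantId'] -ne $ExpectedTenantId) {
    Write-Warning "Joined to tenant $($s['TenantId']) but expected $ExpectedTenantId; client and server must share a tenant"
}

'--- Certificates ---'
# Device join certificate: what the RDP server sends along with the user credentials to get the PRT
Show-CertValidity 'Cert:\LocalMachine\My' '*MS-Organization-Access*' 'Device join (MS-Organization-Access)'
# Computer P2P certificate (presented by the server) and user P2P certificate (presented by the client)
Show-CertValidity 'Cert:\LocalMachine\My' '*MS-Organization-P2P-Access*' 'Computer P2P'
Show-CertValidity 'Cert:\CurrentUser\My'  '*MS-Organization-P2P-Access*' 'User P2P'

'--- PKU2U policy (must be enabled on the RDP server) ---'
if (Test-Pku2uOnlineId) { 'PKU2U online identities: allowed' }
else { Write-Warning 'PKU2U online identities not allowed; enable the policy on the RDP server' }

'--- Time sync (short-lived P2P certs and timestamped WSTrust requests fail on a skewed clock) ---'
w32tm /query /status

"--- AAD log errors/warnings in the last $LogMinutes minutes ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AAD/Operational'; StartTime = (Get-Date).AddMinutes(-$LogMinutes) } -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the server (the LocalMachine store and the pku2u key need admin rights to read reliably) and as the connecting user on the client, so that the user P2P certificate in Cert:\CurrentUser\My is the one the RDP client will actually present. If the tenant IDs differ, or the certificates show as expired or not yet valid on a machine whose w32tm output shows a large phase offset, you have found the problem before reading a single log entry.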
And a bonus link related to RDP to Azure AD joined machines, the certificates and the services needed for it: What is the Azure AD service principal “P2P Server” for?