Organizations can significantly improve the security of their Windows virtual machines (VMs) in Azure by integrating them with Microsoft Entra authentication (recommended for cloud-only environments). Microsoft Entra ID then serves as the core authentication platform for Remote Desktop Protocol (RDP) access to Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. This lets you centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that govern access to the VMs, so you do not need a legacy Active Directory Domain Services deployment to secure authentication in a cloud-only environment.
In this article, we will explore how to create and configure a Windows VM in Azure and log in using Microsoft Entra ID-based authentication, including passwordless methods.
Benefits Of Using Microsoft Entra ID-Based Authentication
There are several security benefits to signing in to Windows VMs in Azure using Microsoft Entra ID-based authentication. These include:
- Enhanced Security: Use Microsoft Entra authentication, including passwordless methods, to sign in to Windows VMs in Azure.
- Reduced Reliance on Local Admin Accounts: Minimize the security risks associated with local administrator accounts.
- Centralized Management: Password complexity and lifetime policies configured in Microsoft Entra ID also secure Windows VMs.
- Azure RBAC: Specify who can sign in as either a regular user or with admin privileges; update access permissions dynamically as team members join or leave; ensure that users who leave your organization no longer have access to VMs once their Microsoft Entra ID accounts are disabled or removed.
- Conditional Access Policies: Implement policies for “phishing-resistant MFA” and other signals such as user sign-in risk, ensuring secure RDP access to your VMs.
Requirements
To enable Microsoft Entra login for Windows VMs in Azure, the following requirements must be met:
The VM’s network configuration must allow outbound access to specific endpoints over TCP port 443, depending on the Azure region. Azure Global, Azure Government, and Microsoft Azure operated by 21Vianet have unique endpoints for device registration, authentication flows, and Azure RBAC flows.
The supported Windows distributions include:
- Windows Server 2019 Datacenter and later
- Windows 10 1809 and later
- Windows 11 21H2 and later
Additionally, Microsoft Entra Guest accounts cannot connect to Azure VMs or Azure Bastion-enabled VMs via Microsoft Entra authentication.
Enable Microsoft Entra Login For A Windows VM In Azure
Using Azure Portal
- Sign in to Azure Portal: Use an account with the necessary permissions to create VMs.
- Create a VM: Search for “Windows Server” in the Marketplace and select, for example, “Windows Server 2022 Datacenter.”
- Configure VM for Microsoft Entra ID: On the Management tab, select the “Login with Microsoft Entra ID” checkbox. Ensure that “System assigned managed identity” in the Identity section is selected (it is by default).
- Complete VM Creation: Follow the remaining steps to create the VM.
- Configure Role Assignments: Assign the appropriate Azure roles (Virtual Machine Administrator Login or Virtual Machine User Login) in the Access control (IAM) blade to the users who require access to the VM.
Using Azure Cloud Shell
- Open Azure Cloud Shell: Use the Cloud Shell button in the Azure portal or open it in your browser.
- Run Shell Commands:
- Create a resource group:
az group create --name duo-rg-vm-prod --location switzerlandnorth
- Create a VM:
az vm create \
--resource-group duo-rg-vm-prod \
--name duovm01 \
--image Win2022Datacenter \
--assign-identity \
--admin-username duoadmin \
--admin-password duoinfernale1234
- Install the Microsoft Entra login VM extension:
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group duo-rg-vm-prod \
--vm-name duovm01
- Configure Role Assignments: Assign Azure roles as done in the Azure Portal method.
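The Cloud Shell steps above, including the role assignment the article leaves to the portal, as an added example that is not from the article: the az CLI commands wrapped in shell functions, with the local admin password taken from an environment variable instead of being typed on the command line (where it would land in shell history and process listings), and the login role scoped to the VM's own resource id. The assignee alice@example.com and the AZ override (which lets the functions be pointed at a stub) are assumptions; the resource names are the article's.

```shell
#!/bin/sh
# Added example (not from the article): the Cloud Shell procedure as reusable
# functions, plus the role-assignment step the article leaves to the portal.
# Resource names come from the article; the assignee UPN and the AZ override
# used for testing are assumptions.
set -eu

AZ="${AZ:-az}"   # command to run; tests can point this at a stub function

# Stage 1: resource group and VM with a system-assigned managed identity.
# The local admin password is taken from ADMIN_PASSWORD so it is never typed
# on the command line, where it would land in shell history and process lists.
create_vm() {
  rg="$1"; vm="$2"; location="$3"; admin="$4"
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"
  "$AZ" group create --name "$rg" --location "$location"
  "$AZ" vm create --resource-group "$rg" --name "$vm" \
    --image Win2022Datacenter --assign-identity \
    --admin-username "$admin" --admin-password "$ADMIN_PASSWORD"
}

# Stage 2: the AADLoginForWindows extension that lets RDP use Entra credentials.
install_entra_login_extension() {
  "$AZ" vm extension set --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows --resource-group "$1" --vm-name "$2"
}

# Stage 3: Azure RBAC. Only the two VM login roles are accepted, and the
# assignment is scoped to the VM's own resource id (least privilege) instead
# of the resource group or subscription. Prints the scope that was used.
assign_login_role() {
  rg="$1"; vm="$2"; assignee="$3"; role="${4:-Virtual Machine User Login}"
  case "$role" in
    "Virtual Machine User Login"|"Virtual Machine Administrator Login") ;;
    *) echo "refusing to assign non-login role: $role" >&2; return 1 ;;
  esac
  scope="$("$AZ" vm show --resource-group "$rg" --name "$vm" --query id -o tsv)"
  "$AZ" role assignment create --role "$role" --assignee "$assignee" \
    --scope "$scope" >/dev/null
  printf '%s\n' "$scope"
}

# Run the full procedure only when explicitly asked: RUN_DEPLOY=1 sh script.sh
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  create_vm duo-rg-vm-prod duovm01 switzerlandnorth duoadmin
  install_entra_login_extension duo-rg-vm-prod duovm01
  assign_login_role duo-rg-vm-prod duovm01 "alice@example.com"
fi
```

Because the role is scoped to the VM resource id, the same user needs a separate assignment for every VM they should reach; a resource-group scope is the convenient alternative when that is the intended blast radius.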
Log In Using Microsoft Entra Credentials To A Windows VM
Logging in to a Windows virtual machine with Microsoft Entra credentials involves a series of steps, whether you use passwordless authentication or password authentication with limited passwordless options.
Using Remote Desktop Connection with Passwordless Authentication
- Verify prerequisites: Verify that the VM you want to connect to meets the prerequisites mentioned above.
- Launch Remote Desktop Connection (short MSTSC): Search for “Remote Desktop Connection” in the Windows Search bar and open the application.
- Select Web Account Sign-In: Choose the option “Use a web account to sign in to the remote computer.”
- Connect Using Microsoft Entra Credentials: Enter your Microsoft Entra credentials to connect to the remote VM without a password.
Password Authentication with Limited Passwordless Options
For scenarios that require both password and passwordless authentication methods, follow these steps:
- Device Compliance: Ensure that the remote connection originates from a Microsoft Entra registered, joined, or hybrid joined Windows 10 or later PC.
- Role Membership: Verify that users are assigned to either the Virtual Machine Administrator Login or Virtual Machine User Login roles.
- Connect with RDP:
- Download the RDP file from the Azure portal.
- Open the Remote Desktop Connection application.
- Use the downloaded RDP file to connect, logging in with your Microsoft Entra credentials.
Troubleshooting Common Errors
To address common issues, consider the following:
- Role Assignment Issues: Make sure the appropriate Azure roles are assigned to users.
- Unauthorized Client or Password Change Required:
- Confirm that the PC is Microsoft Entra registered/joined.
- Verify that the AADLoginForWindows extension is correctly installed.
Additional Resources
For more information and support, refer to the following resource: