Public Preview: Entra ID support for RDP connections in portal

aarontsang

Microsoft

Nov 24, 2025

Overview

Azure Bastion provides secure RDP and SSH access to Azure virtual machines directly via the Azure portal or via the native SSH/RDP client already installed on your local computer. Previously, Bastion supported Entra ID authentication (formerly AAD) for RDP and SSH connections via native client and for SSH connections via the portal. Today, we are introducing public preview for Entra ID support for RDP connections in the portal, delivering a more seamless and secure experience for users.

Why Entra ID authentication?

When Bastion users connect to Windows VMs through the portal, they authenticate using either a VM password or a password stored in Azure Key Vault. By leveraging Microsoft Entra ID, authentication becomes identity-based, eliminating the need for local credentials and reducing complexity. This approach provides a seamless, one-click sign-in experience, making it easier for users to access their Windows VMs without managing separate passwords. Beyond convenience, Entra ID strengthens organizational security by centralizing identity management and enforcing robust access controls. The result is a simplified, secure, and user-friendly way to connect to virtual machines while improving the overall security posture.

Getting Started in Azure Portal

Prerequisites:

Ensure that the user connecting either has Virtual Machine User Login OR Virtual Machine Administrator Login role on the virtual machine
Ensure that AADLoginForWindows extension is enabled on the VM. Microsoft Entra ID Login can be enabled during VM creation by checking the box for Login with Microsoft Entra ID or by adding the AADLogin extension to a pre-existing VM.

Steps: