When connecting to Azure VMs, there are a few ways you can establish the connection. If you are using Windows VMs, you are most likely connecting through a Remote Desktop Protocol (RDP) session so you can open a remote GUI session. However, opening the RDP port (3389) to the internet is not a secure practice. Instead, many companies now restrict how their users access VMs on Azure, limiting it to Azure Bastion. Azure Bastion operates as a broker to VMs in a specific Azure Virtual Network, allowing secure traffic only (port 443).
When using Azure Bastion, you can either see the GUI of the VM in the browser window or use the native RDP client – and that’s when I started to notice that I could not edit some regular configs that I usually do when connecting to a remote VM.
Azure Bastion and RDP native client
By default, Azure Bastion doesn’t allow for usage of the RDP native client. This feature needs to be enabled and is not available on the Basic SKU. To enable it, you need to make sure you’re using the Standard tier, and mark the Native client support option:
Once that is deployed, you can connect to the VM by running the following Azure CLI commands from a PowerShell prompt:
az login
az account set --subscription <subscription id>
az network bastion rdp --name Test-vnet-bastion --resource-group TestRG --target-resource-id <vm resource id>
In the command above, the least obvious piece of information needed is the VM resource ID. To get it, you can either run a PowerShell command or use the Azure Portal. In PowerShell you can use:
Get-AzVM -ResourceGroupName TestRG -Name VM01 | Select-Object -Property id
On the Azure Portal, navigate to the VM, and on the overview page, select the JSON view link on the right-hand side. That will open the JSON output of the resource, and at the top of that view you can see (and copy) the resource ID. It should look like this:
/subscriptions/<subscriptionID>/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/VM01
The command to open an RDP connection to the VM would look like this:
az network bastion rdp --name Test-vnet-bastion --resource-group TestRG --target-resource-id /subscriptions/<subscriptionID>/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/VM01
Changing the RDP settings for Bastion connections
If you successfully ran the command above, the next screen that you’ll see is this:
The problem with this behavior is that you can’t change the screen/display size and other configurations. In my case, I have 3 monitors on my home setup, each with a different screen resolution. By using the command above, the RDP connection was using all my monitors.
To fix this, you can simply add --configure to the end of the command:
az network bastion rdp --name Test-vnet-bastion --resource-group TestRG --target-resource-id /subscriptions/<subscriptionID>/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/VM01 --configure
The command above will open the following screen:
This is much better as it allows you to configure the RDP session just like any other VM you’re used to connecting to.
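The steps above can be combined into one PowerShell script that checks the Bastion host before it tries to connect. This is an added example, not part of the original post: it assumes `az login` and `az account set` have already been run, that the VM sits in the same resource group as the Bastion host, and that the Native client support option appears as the `enableTunneling` property in the `az network bastion show` output.

```powershell
# Added example (not from the original post). Defaults are the post's sample names.
param(
    [string]$BastionName   = 'Test-vnet-bastion',
    [string]$ResourceGroup = 'TestRG',
    [string]$VmName        = 'VM01'   # assumed to be in the same resource group
)

$ErrorActionPreference = 'Stop'

# 1. Read the Bastion SKU and the native client setting.
#    Assumption: "Native client support" is exposed as enableTunneling.
$bastion = az network bastion show `
    --name $BastionName `
    --resource-group $ResourceGroup `
    --query '{sku: sku.name, nativeClient: enableTunneling}' `
    --output json | ConvertFrom-Json

# az does not throw on failure, so check the exit code explicitly.
if ($LASTEXITCODE -ne 0 -or -not $bastion) {
    throw "Could not read Bastion host '$BastionName' in resource group '$ResourceGroup'."
}

# 2. Native client connections are not available on the Basic SKU.
if ($bastion.sku -eq 'Basic') {
    throw "Bastion '$BastionName' uses the Basic SKU; native client support needs the Standard tier."
}
if ($bastion.nativeClient -ne $true) {
    throw "Native client support is not enabled on Bastion '$BastionName'."
}

# 3. Resolve the VM resource ID instead of copying it from the portal.
$vmId = az vm show `
    --resource-group $ResourceGroup `
    --name $VmName `
    --query id `
    --output tsv

if ($LASTEXITCODE -ne 0 -or -not $vmId) {
    throw "Could not resolve the resource ID of VM '$VmName'."
}

# 4. Open the RDP session through Bastion, with the settings dialog first.
az network bastion rdp `
    --name $BastionName `
    --resource-group $ResourceGroup `
    --target-resource-id $vmId `
    --configure
```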
I hope this quick trick is useful to you as it has been to me. Let us know what you think in the comments section below!