Azure AD authentication to Windows VMs in Azure now in public preview

Howdy folks,

I'm excited to announce that Azure AD authentication to Windows Virtual Machines (VMs) in Azure is now available in public preview, giving you the ability to manage and control who can access a VM.

Deployment of Windows VMs in Azure is becoming very common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, people create local administrator accounts to log in to these VMs, and it becomes difficult to manage these accounts as people join or leave teams.

To make things simple, people often follow the risky practice of sharing admin account passwords among big groups of people. This makes it very hard to protect your production Windows VMs and to collaborate with your team when using shared Windows VMs.

Now, organizations can use Azure AD authentication over the Remote Desktop Protocol (RDP) for their Azure VMs running Windows Server 2019 Datacenter edition or Windows 10 1809 and later.

Using Azure AD to authenticate to VMs lets you centrally control and enforce policies with tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access, so that you decide who can access a VM.

There are many benefits of using Azure AD authentication to log in to Windows VMs in Azure, including:

- Using the same federated or managed Azure AD credentials you normally use.
- No longer having to manage local administrator accounts.
- Using Azure RBAC to grant the appropriate access to VMs based on need, and to remove it when it is no longer needed.
- Requiring Azure AD Conditional Access to enforce additional requirements such as:
  - Multi-factor authentication (MFA)
  - Sign-in risk
- Automating and scaling Azure AD join for Azure-based Windows VMs.

You can use the Azure portal, the Azure CLI, or Azure PowerShell to enable this capability. Below is a quick example of how to do this from the Azure portal.

Using the Azure portal create-VM experience to enable Azure AD login

You can enable Azure AD login for Windows Server 2019 Datacenter or Windows 10 1809 and later VM images.

To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:

1. Sign in to the Azure portal (https://portal.azure.com/) with an account that has access to create VMs, and select + Create a resource.
2. In the Search the Marketplace search bar, type Windows Server.
   - Click Windows Server and, from the Select a software plan drop-down, select Windows Server 2019 Datacenter.
   - Click Create.
3. On the Management tab, under Azure Active Directory, toggle Login with AAD credentials (Preview) to On.
4. Make sure System assigned managed identity under the Identity section is set to On. This should happen automatically once you enable Login with AAD credentials.

Go through the rest of the VM creation experience. During this preview, you will still have to create a local administrator username and password for the VM.

[Image: Azure AD authentication to Windows VMs 1.png]

Using the Azure portal to configure a role assignment for the VM

To use your Azure AD credentials to log in to a Windows VM in Azure, you must be assigned either the Virtual Machine Administrator Login role (the user gets local administrator rights on the VM) or the Virtual Machine User Login role (a standard user session) at a scope that includes the VM.

To configure role assignments for your Azure AD-enabled Windows Server 2019 Datacenter or Windows 10 1809 and later VMs:

1. Navigate to the overview page of the specific virtual machine.
2. Select Access control (IAM) from the menu.
3. Select Add, then Add role assignment, to open the Add role assignment pane.
4. In the Role drop-down list, select a role such as Virtual Machine Administrator Login or Virtual Machine User Login.
5. In the Select field, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
6. To assign the role, select Save.

After a few moments, the security principal is assigned the role at the selected scope.
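The two portal procedures above (enabling Azure AD login on the VM, then assigning a login role) as one Azure PowerShell script, added here as an example; it is not code from the original post. It assumes an existing Windows Server 2019 Datacenter VM, a signed-in Az PowerShell session (Connect-AzAccount) with rights to modify the VM and create role assignments, and that the feature is delivered by the AADLoginForWindows VM extension from publisher Microsoft.Azure.ActiveDirectory, as the linked documentation describes (the post itself does not name the extension). The resource group, VM name and user principal name are placeholders. It goes one step beyond the portal walkthrough by scoping the assignment to the single VM and then listing the effective login assignments, so you can see whether a broader, inherited assignment already grants more than you intended.

```powershell
# Added example (not from the original post): enable Azure AD login on an
# existing Windows VM and grant one user a login role scoped to that VM.
# Assumes the Az PowerShell module and an existing Connect-AzAccount session.
param(
    [string]$rg      = "rg-aadlogin-demo",   # placeholder resource group
    [string]$vmName  = "vm-ws2019-01",       # placeholder VM name
    [string]$userUpn = "alice@contoso.com",  # placeholder user to grant access
    [switch]$AsAdmin                          # grant admin login instead of user login
)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. The portal switches a system-assigned managed identity on when you enable
#    Login with AAD credentials; do the same explicitly here.
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
}

# 2. Install the Azure AD login extension. Extension name and publisher are
#    taken from the linked documentation (assumption: unchanged since preview).
#    The handler version is not hard-coded; use the newest one in the VM's region.
$publisher = "Microsoft.Azure.ActiveDirectory"
$extType   = "AADLoginForWindows"
$version   = Get-AzVMExtensionImage -Location $vm.Location -PublisherName $publisher -Type $extType |
             Sort-Object { [version]$_.Version } | Select-Object -Last 1 -ExpandProperty Version
$handlerVersion = ($version -split '\.')[0..1] -join '.'   # TypeHandlerVersion wants major.minor

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name $extType -Publisher $publisher -ExtensionType $extType `
    -TypeHandlerVersion $handlerVersion | Out-Null

# 3. Role assignment at VM scope only (least privilege). The role decides whether
#    the Azure AD user lands in the local Administrators group or as a plain user.
$role = if ($AsAdmin) { "Virtual Machine Administrator Login" } else { "Virtual Machine User Login" }
# Get-AzRoleAssignment -Scope returns assignments effective at that scope, so an
# inherited assignment (resource group or subscription) also counts as existing.
$existing = Get-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $role -Scope $vm.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $role -Scope $vm.Id | Out-Null
}

# 4. Checks a practitioner wants: the extension provisioned, and who can log in.
#    The Scope column shows where each effective assignment actually lives; any
#    scope broader than $vm.Id was inherited, not granted by this script.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name $extType
"$extType provisioning state: $($ext.ProvisioningState)"
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -like "Virtual Machine *Login" } |
    Select-Object SignInName, RoleDefinitionName, Scope

# On the VM itself, confirm the join from an elevated prompt with:  dsregcmd /status
# (expect "AzureAdJoined : YES"). From a Windows 10 1809+ client that is Azure AD
# joined or hybrid joined to the same tenant, RDP in as  AzureAD\alice@contoso.com ;
# as the reply in the comments notes, RDP still uses NLA.
```

Run it once without -AsAdmin for people who only need a desktop session, and with -AsAdmin only for the few who must administer the box; because the assignment is scoped to $vm.Id, removing access later is a single Remove-AzRoleAssignment at the same scope rather than a hunt through local administrator accounts.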
[Image: Azure AD authentication to Windows VMs 2.png]

You can check out our documentation (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows) to learn more about this feature and its prerequisites. Please let us know what you think in the comments below. We look forward to hearing from you!

Best regards,

Alex Simons (@Alex_A_Simons, https://twitter.com/Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

Labels: Product Announcements

Comments (Re: Azure AD authentication to Windows VMs in Azure now in public preview)

[1] Do the VMs actually get the status of being 'Azure AD joined' if you enable this? And does this mean that we can skip things like AD Connect and AADDS in the (near) future? Because the only reason to have that is to unify your logon identity and obtain SSO, or do I misunderstand something?

[2] Yes, these VMs do get Azure AD joined to your tenant. If your user identities are on-prem, you do need them to be synced to Azure AD using Azure AD Connect. Since these VMs are joined to your Azure AD tenant, you no longer need these VMs to join Azure AD DS.

[3] Windows Virtual Desktop scenario support? PLEASE say yes (or soon) :)

[4] We hope to enable this sometime next year (sooner rather than later).

[5] Hi there,

Now that AAD Auth is available, is the VM required to be on AAD?

Thanks,
Allan

[6] How does this impact RDP authentication at the protocol level? Is it still Network Level Authentication under the hood, or something new?

[7] @chokigwapo When you enable this capability, the VM will be Azure AD joined to the same tenant where you are deploying the VM. This is currently only available for VMs deployed in Azure. We are looking to support this for non-Azure VMs too sometime next year.

@Marc-Andre Moreau Nothing new; RDP will still use NLA.

[8] I am particularly interested in MFA enforcement for RDP. The section here (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows) describes the client requirements, where a Windows 10 version 1809 RDP client is required with Windows Hello for Business or biometric authentication, in addition to being Azure AD joined to the same directory as the target VM.

Are there plans to add support for a wider range of client use cases with MFA enabled? I am thinking of something like a non-domain-joined client and MFA with the Microsoft Authenticator app on a mobile phone. Bonus points for requiring a confirmation in Microsoft Authenticator for every RDP connection :)

[9] Will this also become available for older Windows Server versions?

[10] @Marc-Andre Moreau We want to support other credential types besides username/password or Windows Hello credentials. It will have to be in one of the future Windows 10 releases. No ETA as of now.

@Jordy Blommaert We don't plan to until there is significant demand to enable this for WS 2016. You can submit feedback on our forum: https://feedback.azure.com/forums/169401-azure-active-directory

[11] @Sandeep Deo I created a topic for this: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39249502-login-with-azure-ad-credentials-on-windows-server

[12] On which Azure portal blade is the "Login with AAD Credentials" option found on an existing VM?
In which data centers is the preview feature available?

[13] @ms_dba The option is available on the Management tab during VM create. The capability is available in all data centers that map to our public cloud. For more information visit our documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

[14] Great feature! The next step would be enrolling Windows Server machines in Microsoft Intune (sorry, Endpoint Manager in the cloud ^^) to apply security baselines and configuration parameters to them. In a full-cloud strategy, we could use Azure built-in features for some basic config, but customers want a unified management platform for clients and servers and don't want to deploy ConfigMgr for that.

[15] So can I make an additional DC on premise from this VM, and what about GP: will this still come from Windows Server, or can I also use Azure AD for Group Policy?

[16] @Ahmedtameem, if you have a requirement for centralised policy-based management you will still need to AD join. If you decide to AD join, AADDS join, or promote the server to become a DC after deployment, this functionality would be superseded, based on my understanding.

[17] This was a bit of a bummer.... Client must be connected to the same AAD....??? On RDP connection, error "Your credentials did not work".

Verify that the Windows 10 PC you are using to initiate the remote desktop connection is one that is either Azure AD joined, or hybrid Azure AD joined, to the same Azure AD directory where your VM is joined. For more information about device identity: (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows)

[18] Will this logon be available from Bastion, and will the option to have single sign-on with Bastion be enabled (like SQL DB AD authentication data explorer logon)?

[19] So, just for me to understand the RDP topic: I need another Win10 machine in the AAD structure so I can open an RDP session to server machines created the above-mentioned way?!

My scenario: I'm in charge of several customers' Azure tenants. Every tenant has a handful of Windows Server 2019 machines which have activated this feature. Does every tenant now need an AAD-joined Win10 machine so I can do my work?

Does this also affect machines that are later joined to an AAD domain? This would "slightly" differ the way of working with several environments...
ng%3D%22en-US%22%3ERe%3A%20Azure%20AD%20authentication%20to%20Windows%20VMs%20in%20Azure%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1068450%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F125230%22%20target%3D%22_blank%22%3E%40Maxime%20RASTELLO%3C%2FA%3E%20Windows%20Servers%20do%20not%20have%20MDM%20stack%20so%20at%20present%20they%20cannot%20be%20managed%20by%20Endpoint%20Manager%20in%20the%20cloud.%20I%20would%20recommend%20taking%20a%20look%20at%20Azure%20Management%20Services%20-%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fgovernance%2Fazure-management%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fgovernance%2Fazure-management%3C%2FA%3E.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F384993%22%20target%3D%22_blank%22%3E%40Ahmedtameem%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F204415%22%20target%3D%22_blank%22%3E%40Kelvin%20Papp%3C%2FA%3E%20Once%20you%20enable%20this%20capability%20on%20an%20Azure%20IaaS%20Windows%20VM%2C%20then%20the%20VM%20is%20Azure%20AD%20joined.%20You%20cannot%20then%20promote%20it%20to%20a%20DC%20or%20join%20to%20any%20other%20AD%20or%20Azure%20AD%20DS%20domain.%20If%20you%20need%20policy%20management%2C%20I%20would%20recommend%20you%20to%20take%20a%20look%20at%20the%20different%20services%20offered%20by%20Azure%20Management%20Services%20-%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F
%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fgovernance%2Fazure-management%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fgovernance%2Fazure-management%3C%2FA%3E.%20Additionally%2C%20this%20capability%20does%20not%20supersede%20on%20a%20VM%20that%20is%20joined%20to%20AD%2FAzure%20AD%20DS.%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13961%22%20target%3D%22_blank%22%3E%40Jasper%20Kraak%3C%2FA%3E%20We%20are%20working%20with%20Windows%20on%20this%20and%20it%20will%20take%20sometime%20to%20support%20other%20configurations%20and%20extend%20this%20to%20non%20Windows%20platforms%20too.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F489842%22%20target%3D%22_blank%22%3E%40bel_from_nz%3C%2FA%3E%20We%20are%20working%20with%20Azure%20Networking%20team%20to%20determine%20how%20to%20best%20integrate%20this%20capability%20with%20Azure%20BAstion%20Service.%20Expect%20more%20details%20on%20this%20sometime%20next%20year.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388384%22%20target%3D%22_blank%22%3E%40airliner%3C%2FA%3E%20We%20have%20added%20support%20in%20the%20next%20release%20of%20Windows%20to%20allow%20an%20Azure%20AD%20Registered%20Windows%2010%20client%20to%20RDP%20to%20an%20Azure%20AD%20join%20target%20machine.%20This%20will%20allow%20y
ou%20to%20add%20additional%20work%20or%20school%20accounts%20on%20you%20Windows%2010%20PC%20for%20each%20of%20the%20customer%20tenants%20you%20manage%20and%20then%20use%20the%20respective%20account%20to%20connect%20over%20RDP%20to%20your%20target%20Azure%20AD%20joined%20machine.%20You%20can%20verify%20this%20using%20any%20of%20our%20latest%20Windows%2010%20Insider%20Build%20%3CA%20href%3D%22https%3A%2F%2Finsider.windows.com%2Fen-us%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Finsider.windows.com%2Fen-us%2F%3C%2FA%3E.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1068895%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20authentication%20to%20Windows%20VMs%20in%20Azure%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1068895%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68638%22%20target%3D%22_blank%22%3E%40Sandeep%20Deo%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20confirm%2C%20it%E2%80%99s%20not%20possible%20to%20deploy%20a%20VM%20with%20this%20option%20enabled%2C%20and%20subsequently%20change%20the%20configuration%20to%20support%20a%20traditional%20AD%20scenario%3F%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%E2%80%99m%20surprised%20by%20this.%20Do%20you%20not%20see%20a%20use%20case%20for%20managed%20authentication%20via%20Azure%20AD%20in%20advance%20of%20post%20deployment%20configuration%20for%20traditional%20domain%20join%20scenarios%3F%20Is%20this%20planned%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1069599%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20authentication%20to%20Windows%20VMs%20in%20Azure%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1069599%22
%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F204415%22%20target%3D%22_blank%22%3E%40Kelvin%20Papp%3C%2FA%3E%3A%20I%20wouldn't%20see%20this%20either.%20Maybe%20you%20could%20explain%20why%20you%20would%20switch%20your%20machines%20from%20an%20AAD%20join%20to%20a%20%22traditional%22%20AD%20join%20with%20hosted%20Domain%20Controller%2C%20etc.%3F!%20This%20would%20be%20an%20interesting%20scenario%20I%20think.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1133277%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20authentication%20to%20Windows%20VMs%20in%20Azure%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1133277%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%202%20windows%2010%20machines%20with%20azure%20ad%20joined%20feature%20enable%20or%20login%20with%20azure%20ad%20credential.%20My%20both%20machines%20are%20AD%20joined%20I%20can%20see%20under%20Azure%20Ad%20devices%20but%20when%20I%20try%20to%20login%20with%20azure%20ad%20credential%20after%20assigning%20rbac%20role...%20Getting%26nbsp%3B%3C%2FP%3E%3CP%3E%22Your%20credentials%20did%20not%20work%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20unable%20to%20understand%20what's%20missing...%20Both%20VM%20are%20win%2010%20latest%20and%20joined%20to%20AD%20as%20we%20can%20only%20RDP%20from%20AD%20joined%20VM%20so%20I%20loved%20in%20first%20windows%2010%20machine%20and%20trying%20to%20login%20with%20azure%20ad%20credential%20to%20the%20second%20VM%20still%20same%20issue%26nbsp%3B%3C%2FP%3E%3CP%3E%22Your%20credentials%20did%20not%20work%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20suggest..%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1182490%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20authentication%20to%20Windows%20VMs%20in%20Azure%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-
1182490%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20post%2C%20great%20feature.%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks, 

 

I’m excited to announce that Azure AD authentication to Windows Virtual Machines (VMs) in Azure is now available in public preview—giving you the ability to manage and control who can access a VM.

 

Deployment of Windows VMs in Azure is becoming very common, and a challenge everyone faces is securely managing the accounts and credentials used to log in to these VMs. Typically, people create local administrator accounts to log in to these VMs, and it becomes difficult to manage these accounts as people join or leave teams.

 

To make things simple, people often follow the risky practice of sharing admin account passwords among large groups of people. This makes it very hard to protect your production Windows VMs and to collaborate with your team when using shared Windows VMs.

 

Now, organizations can use Azure AD authentication over the Remote Desktop Protocol (RDP) for their Azure VMs running Windows Server 2019 Datacenter edition or Windows 10 1809 and later.

 

Using Azure AD to authenticate to VMs lets you centrally control who can access a VM and enforce policies with tools such as Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access.

 

There are many benefits of using Azure AD authentication to log in to Windows VMs in Azure, including:

  • Utilizing the same federated or managed Azure AD credentials you normally use.
  • No longer having to manage local administrator accounts.
  • Using Azure RBAC to grant the appropriate access to VMs based on need and remove it when it is no longer needed.
  • Requiring Azure AD Conditional Access to enforce additional requirements such as:
    • Multi-factor authentication (MFA)
    • Sign-in risk
  • Automating and scaling Azure AD join for Azure based Windows VMs.

 

You can use the Azure portal, Azure CLI, or PowerShell to enable this capability. Below is a quick example of how to do this from the Azure portal.

Using Azure Portal create VM experience to enable Azure AD login

You can enable Azure AD login for Windows Server 2019 Datacenter or Windows 10 1809 and later VM images.

To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:

  1. Sign in to the Azure portal, with an account that has access to create VMs, and select + Create a resource.
  2. In Search the Marketplace search bar, type Windows Server.
    • Click Windows Server and from Select a software plan drop-down, select Windows Server 2019 Datacenter.
    • Click Create.
  3. On the Management tab, under Azure Active Directory, toggle Login with AAD credentials (Preview) to On.
  4. Make sure System assigned managed identity under the Identity section is set to On. This action should happen automatically once you enable Login with Azure AD credentials.

Go through the rest of the experience of creating a VM. During this preview, you’ll have to create an administrator username and password for the VM.

 

[Screenshot: Azure AD authentication to Windows VMs 1.png]

 

Using Azure AD portal experience to configure role assignment for the VM

To use your Azure AD credentials to sign in to Windows VMs in Azure, you must be assigned the Virtual Machine Administrator Login or Virtual Machine User Login role.

 

To configure role assignments for your Azure AD enabled Windows Server 2019 Datacenter or Windows 10 1809 and later VMs:

  1. Navigate to the specific Virtual Machine overview page.
  2. Select Access control (IAM) from the menu options.
  3. Select Add, then Add role assignment, to open the Add role assignment pane.
  4. In the Role drop-down list, select a role such as Virtual Machine Administrator Login or Virtual Machine User Login.
  5. In the Select field, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
  6. To assign the role, select Save.

After a few moments, the security principal is assigned the role at the selected scope.
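The two portal procedures above (enabling Azure AD login on the VM and assigning a sign-in role) can also be driven from PowerShell, which the post mentions as an option. The script below is an added example, not code from the post or from Microsoft. It assumes the Az PowerShell module and an already authenticated session (Connect-AzAccount), uses placeholder resource group, VM and user names, and relies on the AADLoginForWindows VM extension (publisher Microsoft.Azure.ActiveDirectory), which is the mechanism behind the portal toggle but is not named in this post; the extension type handler version is an assumption to check against current documentation.

```powershell
# Added example (not from the original post). Enables Azure AD login on an
# existing Windows VM and grants one user a VM sign-in role at VM scope.
# Assumptions: Az module installed, Connect-AzAccount already run; the
# resource group, VM name and UPN below are placeholders; the extension
# TypeHandlerVersion is an assumption and may need adjusting.
param(
    [string]$ResourceGroupName = 'rg-placeholder',
    [string]$VMName            = 'vm-placeholder',
    [string]$AssigneeUpn       = 'user@contoso.example',
    [ValidateSet('Virtual Machine Administrator Login', 'Virtual Machine User Login')]
    [string]$RoleName          = 'Virtual Machine User Login'   # least privilege by default
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Step 1: the feature needs a system-assigned managed identity (post step 4).
if (-not $vm.Identity -or ("$($vm.Identity.Type)" -notmatch 'SystemAssigned')) {
    Write-Host "Enabling system-assigned managed identity on $VMName"
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType SystemAssigned | Out-Null
}

# Step 2: install the Azure AD login extension (what the portal toggle does).
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -Location $vm.Location `
    -Name 'AADLoginForWindows' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion '1.0' | Out-Null          # version is an assumption

# Step 3: grant sign-in via Azure RBAC scoped to this one VM (its resource ID),
# not the resource group or subscription, so it is easy to revoke later.
$existing = Get-AzRoleAssignment -SignInName $AssigneeUpn -Scope $vm.Id -RoleDefinitionName $RoleName
if (-not $existing) {
    New-AzRoleAssignment -SignInName $AssigneeUpn -RoleDefinitionName $RoleName -Scope $vm.Id | Out-Null
}

# Step 4: verify the extension provisioned and list who can log in to this VM.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name 'AADLoginForWindows'
[pscustomobject]@{
    VM              = $VMName
    ExtensionState  = $ext.ProvisioningState
    IdentityType    = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName).Identity.Type
    LoginAssignees  = (Get-AzRoleAssignment -Scope $vm.Id |
                         Where-Object RoleDefinitionName -like 'Virtual Machine*Login' |
                         ForEach-Object { "$($_.SignInName) [$($_.RoleDefinitionName)]" })
}
```

Scoping the assignment to the VM resource ID keeps the grant narrow and makes the periodic review the post recommends ("remove it when it is no longer needed") a matter of reading Get-AzRoleAssignment at that scope; Virtual Machine User Login gives a non-administrator logon, so reserve the Administrator Login role for the few who need it.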

 

[Screenshot: Azure AD authentication to Windows VMs 2.png]

 

You can check out our documentation to learn more about this feature and its prerequisites. Please let us know what you think in the comments below. We look forward to hearing from you!

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

24 Comments
Occasional Contributor

Do the VMs actually get the status of being 'Azure AD joined' if you enable this? And does this mean that we can skip things like ADConnect and AADDS in the (near) future? Because the only reason to have that is to unify your logon identity and obtain SSO, or do I misunderstand something?

Microsoft

Yes, these VMs do get Azure AD joined to your tenant. If your user identities are on-prem, you do need them to be synced to Azure AD using Azure AD Connect. Since these VMs are joined to your Azure AD tenant, you no longer need these VMs to join Azure AD DS.

Occasional Contributor

Windows Virtual Desktop scenario support? PLEASE say yes (or soon) :)

Microsoft

We hope to enable this sometime next year (sooner than later).

Occasional Visitor

Hi there,

 

Now that AAD Auth is available, is the VM required to be on AAD?

 

Thanks,

Allan

Regular Visitor

How does this impact RDP authentication at the protocol level? Is it still Network Level Authentication under the hood, or something new?

Microsoft

 

@chokigwapo When you enable this capability, the VM will be Azure AD joined to the same tenant where you are deploying the VM. This is currently only available for VMs deployed in Azure. We are looking to support this for non-Azure VMs too sometime next year.

 

@Marc-Andre Moreau Nothing new; RDP will still use NLA.

Regular Visitor

I am particularly interested in MFA enforcement for RDP. The section here (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows) describes the client requirements, where a Windows 10 version 1809 RDP client is required with Windows Hello for Business or biometric authentication, in addition to being Azure AD joined to same directory as the target VM.

 

Are there plans to add support for a wider range of client use cases with MFA enabled? I am thinking something like a non domain-joined client and MFA with the Microsoft Authenticator app on a mobile phone. Bonus points for requiring a confirmation in Microsoft Authenticator for every RDP connection :)

Occasional Contributor

Will this also become available for older Windows Server versions?

Microsoft

@Marc-Andre Moreau We want to support other credential types besides username/password or Windows Hello credentials. It will have to be in one of the future Windows 10 releases. No ETA as of now.

 

@Jordy Blommaert We don’t plan to until there is significant demand to enable this for WS 2016. You can submit feedback on our forum https://feedback.azure.com/forums/169401-azure-active-directory

Regular Visitor

On which Azure Portal blade is the "Login with AAD Credentials" option found on an existing VM? 

In which data centers is the preview feature available?

Microsoft

@ms_dba The option is available on the Management tab during VM create. The capability is available in all data centers that map to our public cloud. For more information visit our documentation https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

Great feature! The next step would be enrolling machines running Windows Server in Microsoft Intune (sorry, Endpoint Manager in the cloud ^^) to apply security baselines and configuration parameters to them. In a full-cloud strategy, we could use Azure built-in features for some basic config, but customers want a unified management platform for clients and servers and don’t want to deploy ConfigMgr for that.

Occasional Visitor

So can I make an additional DC on premise from this VM, and what about the GP? Will this still come from Windows Server, or can I use Azure AD also for Group Policies?

Occasional Contributor

@Ahmedtameem, if you have a requirement for centralised policy-based management you will still need to AD join. If you decide to AD join, AADDS join, or promote the server to become a DC after deployment, this functionality would be superseded based on my understanding. 

Senior Member

This was a bit of a Bummer.... Client must be connected to same AAD....??? on RDP Connection error "Your credentials did not work".

 

Verify that the Windows 10 PC you are using to initiate the remote desktop connection is one that is either Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory where your VM is joined to. For more information about device identity. (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows )
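The client-side requirement quoted above (the RDP client must be Azure AD joined or hybrid Azure AD joined to the same directory as the VM) can be checked before opening the connection, which is the first thing to rule out when "Your credentials did not work" appears. The script below is an added example, not part of this thread or of Microsoft's documentation; it runs on the Windows 10 client, parses the output of dsregcmd /status, and compares the client's tenant ID against a placeholder tenant ID that you supply for the VM.

```powershell
# Added example (not from the original thread). Run on the Windows 10 client
# that is about to RDP with Azure AD credentials. It reads dsregcmd /status
# and reports whether the device is Azure AD joined (or hybrid joined) to the
# expected tenant. The expected tenant ID is a placeholder parameter.
param(
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: the VM's tenant
)

function Get-DsregStatus {
    # Parses the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Keys may contain spaces (e.g. "Device Name"); values may contain colons
    # (URLs), so the key match is non-greedy and stops at the first colon.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

$s = Get-DsregStatus
$azureAdJoined = $s['AzureAdJoined'] -eq 'YES'
$domainJoined  = $s['DomainJoined']  -eq 'YES'
$tenantMatches = [bool]$s['TenantId'] -and ($s['TenantId'] -ieq $ExpectedTenantId)

$result = [pscustomobject]@{
    AzureAdJoined    = $azureAdJoined
    HybridJoined     = $azureAdJoined -and $domainJoined      # AD joined and Azure AD joined
    WorkplaceJoined  = $s['WorkplaceJoined'] -eq 'YES'        # Azure AD registered only
    ClientTenantId   = $s['TenantId']
    ExpectedTenantId = $ExpectedTenantId
    TenantMatches    = $tenantMatches
}
$result

# Explain the likely cause of "Your credentials did not work" before trying RDP.
if (-not $azureAdJoined) {
    Write-Warning 'This client is not Azure AD joined (or hybrid joined); an Azure AD registered device is not enough for the preview.'
} elseif (-not $tenantMatches) {
    Write-Warning 'This client is joined to a different tenant than the target VM.'
}
```

WorkplaceJoined is reported separately because, as the Microsoft reply further down notes, RDP from an Azure AD Registered client is only planned for a later Windows release; during this preview only AzureAdJoined with a matching TenantId satisfies the requirement.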

 

 

 

Occasional Visitor

Will this logon be available from Bastion and will the option to have a single sign on with bastion be enabled (like SQL DB AD authentication data explorer logon)

Senior Member

So, just for me to understand the RDP topic: I need another Win10 machine in the AAD structure so I can open an RDP session to server machines created the above mentioned way?!

 

My scenario: I'm in charge of several customers' Azure tenants. Every tenant has a handful of Windows Server 2019 machines which have activated this feature. Does every tenant now need an AAD joined Win10 machine so I can do my work?

Does this also affect machines that are later joined to an AAD domain? This would "slightly" change the way of working with several environments...

Microsoft

@Maxime RASTELLO Windows Servers do not have an MDM stack, so at present they cannot be managed by Endpoint Manager in the cloud. I would recommend taking a look at Azure Management Services - https://docs.microsoft.com/en-us/azure/governance/azure-management.

 

@Ahmedtameem, @Kelvin Papp Once you enable this capability on an Azure IaaS Windows VM, the VM is Azure AD joined. You cannot then promote it to a DC or join it to any other AD or Azure AD DS domain. If you need policy management, I would recommend that you take a look at the different services offered by Azure Management Services - https://docs.microsoft.com/en-us/azure/governance/azure-management. Additionally, this capability does not supersede on a VM that is joined to AD/Azure AD DS.

 

@Jasper Kraak We are working with Windows on this, and it will take some time to support other configurations and extend this to non-Windows platforms too.

 

@bel_from_nz We are working with the Azure Networking team to determine how to best integrate this capability with the Azure Bastion Service. Expect more details on this sometime next year.

 

@airliner We have added support in the next release of Windows to allow an Azure AD Registered Windows 10 client to RDP to an Azure AD joined target machine. This will allow you to add additional work or school accounts on your Windows 10 PC for each of the customer tenants you manage and then use the respective account to connect over RDP to your target Azure AD joined machine. You can verify this using any of our latest Windows 10 Insider Builds https://insider.windows.com/en-us/.

Occasional Contributor

Thanks @Sandeep Deo

 

To confirm, it’s not possible to deploy a VM with this option enabled, and subsequently change the configuration to support a traditional AD scenario?


I’m surprised by this. Do you not see a use case for managed authentication via Azure AD in advance of post deployment configuration for traditional domain join scenarios? Is this planned?

Senior Member

@Kelvin Papp: I wouldn't see this either. Maybe you could explain why you would switch your machines from an AAD join to a "traditional" AD join with hosted Domain Controller, etc.?! This would be an interesting scenario I think.

Occasional Visitor

I created 2 Windows 10 machines with the Azure AD joined feature enabled, or login with Azure AD credentials. Both my machines are AD joined; I can see them under Azure AD devices, but when I try to login with Azure AD credentials after assigning the RBAC role... Getting 

"Your credentials did not work".

 

I am unable to understand what's missing... Both VMs are Win 10 latest and joined to AD. As we can only RDP from an AD joined VM, I logged in to the first Windows 10 machine and tried to login with Azure AD credentials to the second VM; still the same issue 

"Your credentials did not work".

 

Please suggest.. 

 

Regular Visitor

Good post, great feature.