Set Up your Entra ID Tenant
This guide contains the Microsoft Azure configuration required for users to authenticate to an Entra ID-joined virtual machine (VM) using their Entra ID credentials (username and password) over RDP.
Multi-Factor Authentication (MFA) is not supported for this feature.
The goal of this guide is for you to obtain the three values the feature requires:
- Tenant ID: Your Azure Active Directory tenant identifier.
- Application ID: The client ID of the app registration.
- Azure-Provided Public DNS Name (FQDN): The VM's public hostname.
Use the table to review the required values, their location in this guide, and an example:
| Required Value | Location in this Guide | Sample |
|---|---|---|
| Tenant ID | Section A, Step 1 (or Section B, Step 4) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Application ID | Section A, Step 1 (or Section B, Step 4) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Azure-Provided Public DNS Name (FQDN) | Section E, Step 14 | my-vm.eastus.cloudapp.azure.com |
The other sections and steps are essential to validate the configuration and ensure the feature works properly. Consider reading this guide in its entirety.
Requirements
To follow this guide you must meet the following requirements:
- An active Azure subscription.
- A Global Administrator (or equivalent) role in Entra ID.
- A Windows Virtual Machine (VM). Entra ID login is only supported on the Windows operating system (OS).
Step-by-Step Guide
This guide contains the following sections:
A. Create a New App Registration
B. Verify or Configure an Existing App Registration
C. Configure the Tenant
D. Create a New VM
E. Verify/Configure an Existing VM
A. Create a New App Registration
Follow these steps to create a new App Registration from scratch. If you have already created an App Registration, continue to Section B.
1. Create a New App Registration
- Navigate to your Microsoft Entra ID instance > Manage > App registrations > New registration.
- Assign a unique name, for example: RDP Entra ID Auth.
- Select the account type Single tenant. This is the only supported account type.
- Skip the Redirect URI field.
- Click Register.
- Navigate to the App Overview page.
From the App Overview page, ensure you capture the following items:
- Application (client) ID: This is your Application ID.
- Directory (tenant) ID: This is your Tenant ID.
2. Enable ROPC (Public Client Flow)
- In the app registration, open the Manage > Authentication page.
- Open Settings.
- Set Allow public client flows to Enabled.
- Click Save.
3. Grant Microsoft Remote Desktop API Permission
- In the app registration, open Manage > API permissions > Add a permission.
- Select APIs my organization uses. The system displays a list of your organization's APIs.
- Search for and select Microsoft Remote Desktop. The Microsoft Remote Desktop API configuration page opens.
- Select Permissions > user_impersonation > Add permissions.
- Click Grant admin consent for [your tenant] and confirm.
The feature uses the scope ms-device-service://termsrv.wvd.microsoft.com/name/{vm-hostname}/user_impersonation. Granting user_impersonation on the Microsoft Remote Desktop API covers this scope.
If Microsoft Remote Desktop does not appear in the list of APIs, the tenant probably does not have the Microsoft Remote Desktop enterprise application instantiated. Have a user with the Application Administrator or Cloud Application Administrator role run the following commands in Azure Cloud Shell (PowerShell), then return to this step:
```powershell
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
# Sign in to the target tenant with permission to create service principals
Connect-MgGraph -TenantId "[tenantID]" -Scopes "Application.ReadWrite.All"
# Instantiate the Microsoft Remote Desktop enterprise application in the tenant
New-MgServicePrincipal -AppId "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
```
After the App Registration is configured, continue with Step 7 in Section B.
B. Verify or Configure an Existing App Registration
Follow these steps if an App Registration already exists. Each step verifies that the required configuration is in place.
4. Locate the Existing App Registration
- Navigate to your Microsoft Entra ID instance > Manage > App registrations > All applications.
- Search for and select the existing App Registration.
From the App Overview page, ensure you capture the following items:
- Application (client) ID: This is your Application ID.
- Directory (tenant) ID: This is your Tenant ID.
5. Verify ROPC is Enabled
- In the app registration, open the Manage > Authentication page.
- Open Settings.
- Ensure that Allow public client flows is set to Enabled. If it is not, you can enable it at this point.
6. Verify API Permission is Granted
- In the app registration, open Manage > API permissions.
- Ensure that Microsoft Remote Desktop / user_impersonation is listed with Status: Granted. If it is not, you can grant this permission at this point.
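As an added example (not part of the original guide), the following Cloud Shell PowerShell script performs the Step 5 and Step 6 checks through Microsoft Graph instead of the portal, which is useful when you have several app registrations to audit. It assumes the Microsoft.Graph modules available in Azure Cloud Shell and that you pass your own Application ID and Tenant ID; the "Allow public client flows" toggle is read as the application's isFallbackPublicClient property, and admin consent as a tenant-wide OAuth2 permission grant.

```powershell
# Added example, not part of the original guide: checks Steps 5 and 6 via Microsoft Graph.
# Assumes the Microsoft.Graph modules available in Azure Cloud Shell; pass your own IDs.
param(
    [Parameter(Mandatory)] [string] $ClientId,   # Application (client) ID from Step 4
    [Parameter(Mandatory)] [string] $TenantId    # Directory (tenant) ID from Step 4
)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

# Read-only scopes: this script reports state and changes nothing in the tenant.
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# App ID of the Microsoft Remote Desktop API (the same ID used in Step 3 of this guide).
$RemoteDesktopAppId = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"

# Step 5: the portal toggle "Allow public client flows" is the isFallbackPublicClient property.
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration with Application ID $ClientId in tenant $TenantId." }
$ropcEnabled = [bool]$app.IsFallbackPublicClient

# Step 6 (permission added): the app must request user_impersonation from the Remote Desktop API.
$rdpSp = Get-MgServicePrincipal -Filter "appId eq '$RemoteDesktopAppId'"
$scopeId = ($rdpSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq 'user_impersonation' }).Id
$rdpResource = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $RemoteDesktopAppId }
$permissionAdded = [bool]($rdpResource.ResourceAccess | Where-Object { $_.Id -eq $scopeId })

# Step 6 (Status: Granted): admin consent is a tenant-wide (AllPrincipals) OAuth2 grant from the
# client's service principal to the Remote Desktop API that includes the user_impersonation scope.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$grant = $null
if ($clientSp) {
    $grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" |
        Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $rdpSp.Id -and
                       (($_.Scope -split ' ') -contains 'user_impersonation') }
}

[pscustomobject]@{
    AppDisplayName          = $app.DisplayName
    RemoteDesktopApiPresent = [bool]$rdpSp       # False: run the New-MgServicePrincipal command in Step 3
    PublicClientFlows       = $ropcEnabled       # must be True (Step 5)
    RdpPermissionAdded      = $permissionAdded   # must be True (Step 6)
    AdminConsentGranted     = [bool]$grant       # must be True (Step 6)
}
```

Any False in the output points to the portal step above that still needs to be completed before continuing to Step 7.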
7. Run the approve-rdp-client-cloudshell Cloud Shell Script
To complete the App Registration configuration, you must run a Cloud Shell script once for each App Registration. This script connects to Microsoft Graph in the specified tenant and adds the specified client app's service principal to Microsoft Remote Desktop's approvedClientApps list, so that the app is allowed to request RDP remote-connection tokens. Run the approve-rdp-client-cloudshell script with the following steps:
- In the Azure Portal, click the Cloud Shell icon (>_) in the top navigation bar.
- Select PowerShell when prompted for the shell type.
- Select a Subscription if prompted.
- Right-click the link to download the approve-rdp-client-cloudshell script and upload it into the Cloud Shell session.
- Run the script using the following syntax:
```powershell
./approve-rdp-client-cloudshell.ps1 -ClientId "[clientID]" -TenantId "[tenantID]"
```
- The system displays the following message: To sign in, use a web browser to open the page https://login.microsoft.com/device and enter the code [code] to authenticate. Copy the [code] section of the message.
- Open https://login.microsoft.com/device in your browser.
- Paste the code and log in using your account.
- Click Continue.
This script only needs to be run once per App Registration. After you run the script, the App Registration is complete and you can continue to configure your tenant.
C. Configure the Tenant
8. Disable MFA for RDP Users
Create a Conditional Access policy targeting only the RDP app registration and granting access without requiring MFA. This is the recommended approach, as it keeps MFA enforced for all other apps in your tenant.
If you already have Conditional Access policies that enforce MFA for all apps, add the RDP app registration to their exclusion list instead of creating a new policy.
- Navigate to your Microsoft Entra ID instance > Security > Conditional Access > New policy.
- Assign a unique name, for example: RDP Entra ID – No MFA.
- In the Users section, select the user(s) or group(s) that will connect via RDP.
- Under Target resources > Cloud apps, select the registered app you created in Step 1 (Section A) or validated in Step 4 (Section B).
- Ensure that Require multifactor authentication is unchecked.
- Set the policy to Enabled and click Create.
After you configure your tenant to remove MFA requests for the RDP app, you can continue to create a new VM.
If your tenant does not use Conditional Access at all, you can instead disable Security Defaults under Microsoft Entra ID > Manage > Properties > Manage security defaults > Disabled. This removes MFA enforcement globally for all users and apps, which is not recommended in production environments.
D. Create a New VM
Follow these steps when provisioning a brand-new virtual machine. Azure automatically Entra ID-joins the VM and installs the required extension during the creation process.
9. Create the VM in the Basics Tab
- Navigate to Virtual Machines > Create > Virtual machine.
- Fill in Subscription, Resource group, and Virtual machine name.
- Choose a Region and select a Windows image, for example: Windows Server 2022 Datacenter or Windows 11 Enterprise.
- Choose the Size and set a local Administrator account, used for emergency access only.
- Ensure port 3389 (RDP) is allowed under Inbound port rules.
The local administrator account is separate from Entra ID and is used as a fallback only. It does not affect Entra ID authentication.
10. Enable Entra ID Login in the Management Tab
This is the step that Entra ID-joins the VM and installs AADLoginForWindows automatically.
- Click the Management tab at the top of the creation wizard.
- Under Microsoft Entra ID, check the box Login with Microsoft Entra ID.
Enabling this option automatically Entra ID-joins the VM and installs the AADLoginForWindows extension after provisioning. No manual extension installation is needed.
11. Review and Create
- Click Review + create and wait for validation to pass.
- Click Create and wait for the deployment to complete.
After the VM is created, continue with Step 13 in Section E.
E. Verify/Configure an Existing VM
Follow these steps if the VM already exists. Each step verifies that the required configuration is in place and guides you to add anything that is missing. Steps 13 and 14 also apply to VMs created in Section D.
12. Verify/Install the AADLoginForWindows Extension
- On the VM page, navigate to Settings > Extensions + applications.
- Check whether AADLoginForWindows is listed with the status Provisioning succeeded.
- If it is installed, continue to Step 13. If it is not installed:
  - Click Add.
  - Search for Azure AD Login (AADLoginForWindows) and select it.
  - Click Next > Review + create > Create.
  - Wait until the extension status displays Provisioning succeeded.
13. Assign the VM Login Role to the User
The user must be assigned a role on the VM resource to log in via Entra ID.
- On the VM page, navigate to Access control (IAM) > Role assignments.
- Check whether the user already has one of the following roles: Virtual Machine User Login or Virtual Machine Administrator Login.
- If the role is assigned, continue to Step 14. If it is not assigned:
  - Click Add role assignment.
  - Select the role: Virtual Machine User Login, or Virtual Machine Administrator Login for admin access.
  - Select the Entra ID user(s) that will connect via RDP.
  - Click Review + assign.
14. Note the FQDN and Verify it Matches the VM Name
- On the VM Overview page, locate the DNS name field.
- If it shows Not configured, click the link and assign a DNS name label to the public IP.
IMPORTANT: Capture the Azure-Provided Public DNS Name (FQDN). This is the full hostname in the DNS name field, for example my-vm.eastus.cloudapp.azure.com.
- Verify that the DNS hostname matches the VM's machine name in Entra ID, considering the following:
  - The DNS hostname is the first segment of the FQDN, before the first dot, for example: my-vm from my-vm.eastus.cloudapp.azure.com.
  - Navigate to Microsoft Entra ID > Manage > Devices > All Devices.
  - Find the device entry for this VM.
  - Confirm its Name matches the DNS hostname exactly.
The DNS hostname and the Entra ID device name must match exactly for the feature to work. If they differ, update the DNS name label on the public IP to match the machine name shown in Entra ID Devices.
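As an added example (not part of the original guide), the following Cloud Shell PowerShell script performs the Step 13 and Step 14 checks for one VM and one user: it lists the user's VM login roles, resolves the Azure-provided FQDN through the VM's NIC and public IP, derives the DNS hostname, and compares it with the Entra ID device name. It assumes the Az and Microsoft.Graph modules available in Cloud Shell, that the Entra ID device is named after the VM's OS computer name, and that the name comparison may be case-insensitive because DNS labels are lowercase (both are assumptions of this example, not statements from the guide).

```powershell
# Added example, not part of the original guide: checks Steps 13 and 14 for one VM and one user.
# Assumes Az and Microsoft.Graph modules (present in Azure Cloud Shell) and your own names below.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $UserPrincipalName   # Entra ID user who will connect via RDP
)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Device.Read.All" -NoWelcome      # read-only; Az is already signed in

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Step 13: the user needs Virtual Machine User Login or Virtual Machine Administrator Login,
# assigned directly or through a group, on the VM or inherited from a parent scope.
$loginRoles = "Virtual Machine User Login", "Virtual Machine Administrator Login"
$assigned = Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $vm.Id -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -in $loginRoles }

# Step 14: walk VM -> NIC -> public IP to read the Azure-provided FQDN the feature needs.
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$pipId = $nic.IpConfigurations[0].PublicIpAddress.Id
if (-not $pipId) { throw "VM $VmName has no public IP address attached." }
$pipRes = Get-AzResource -ResourceId $pipId
$fqdn = (Get-AzPublicIpAddress -ResourceGroupName $pipRes.ResourceGroupName -Name $pipRes.Name).DnsSettings.Fqdn
if (-not $fqdn) { throw "Public IP has no DNS name label (the portal shows 'Not configured')." }

# The DNS hostname is the first label of the FQDN. Assumption: the Entra ID device created by the
# join carries the VM's OS computer name, so that is what we look up.
$dnsHost = ($fqdn -split '\.')[0]
$device  = Get-MgDevice -Filter "displayName eq '$($vm.OSProfile.ComputerName)'" | Select-Object -First 1

[pscustomobject]@{
    Fqdn              = $fqdn                          # capture this value for the feature
    DnsHostname       = $dnsHost
    EntraDeviceName   = $device.DisplayName            # $null: no device object, VM is not Entra-joined yet
    NamesMatch        = [bool]($device -and ($dnsHost -ieq $device.DisplayName))   # case-insensitive
    LoginRoleAssigned = [bool]$assigned                # Step 13
    LoginRoles        = ($assigned.RoleDefinitionName -join ', ')
}
```

If NamesMatch is False, change the DNS name label on the public IP to the Entra ID device name, as the guide describes; if EntraDeviceName is empty, return to Step 12.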
15. Initial RDP Authentication (Required Once per User per VM)
Before you can use the Entra ID RDP feature, each user must authenticate to the VM at least once using a direct RDP connection with their Entra ID credentials. This registers the user on the VM and is required before feature-based connections will work. To do this, using any RDP client:
- Connect to the VM using its FQDN, captured in Step 14.
- Log in with the Entra ID username (e.g. user@domain.com) and password.
- After the login succeeds, the initial authentication is complete and the session can be disconnected.
Repeat this step for every user and for each VM they will access through this feature. This is a one-time requirement per user per VM: once each user has authenticated successfully, the feature authenticates subsequent connections automatically without requiring this step again.
Troubleshooting
See Troubleshooting Entra ID Authentication for RDP Services for the known error codes you may encounter during this process.