Many organizations are adopting a cloud-only approach to infrastructure. Why wouldn’t they? It is scalable with predictable costs, and it can be accessed from virtually anywhere. However, authenticating with services and virtual machines in the cloud can be more involved than with traditional on-premises infrastructure. This blog demonstrates how to configure a virtual machine in Azure to authenticate remote sessions using only an Azure AD account and a Windows machine bound to the same tenant as that account. The same result can be achieved by deploying Active Directory in Azure and binding the VM to the domain, or by using AADDS to bind machines, but both options require additional cost and overhead. Please note that this feature is still in preview and only works on Windows machines bound to Azure AD. “Strong authentication” is also required to use this feature; this can be satisfied with Windows Hello, or by disabling MFA for the user’s account on the VM using conditional access.
Create a Virtual Machine
To begin with, we must create a virtual machine in the Azure Portal.
Configure the VM to your needs, then navigate to the Management tab.
Make sure you select Login with Azure AD and check the managed identity option.
Once the VM is deployed, set user permissions in the IAM section by adding a role assignment.
Add Roles
Add the Virtual Machine User Login or Virtual Machine Administrator Login role; the Administrator role in turn gives the user admin rights on the virtual machine.
Download the RDP file
Once assigned, download the RDP file.
Double-click the RDP file and authenticate using Windows Hello.
Authenticate
Finally, if authentication is approved, the VM logs you into your Azure Windows environment.
Things to Note
If you already created a VM without checking the Azure AD authentication option, you can enable it after the fact by enabling RBAC and adding the AAD extension to the VM.
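The portal steps above (managed identity, AAD extension, role assignment) and the after-the-fact case, expressed as Azure CLI calls. This is an added example, not code from the original post; it assumes an authenticated `az` session, and the resource group, VM name and user principal name in the usage note are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure AD login for a Windows VM
# via the Azure CLI. Assumes `az login` has already been run.
set -eu

# Map an access level to the Azure RBAC role that Azure AD login evaluates.
# Default to "user"; hand out the administrator role only where local admin
# rights on the VM are genuinely required.
role_for_level() {
  case "$1" in
    user)  echo "Virtual Machine User Login" ;;
    admin) echo "Virtual Machine Administrator Login" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Enable Azure AD login on a VM that was created without the option:
# a system-assigned managed identity plus the AADLoginForWindows extension.
enable_aad_login() {
  local rg="$1" vm="$2"
  az vm identity assign --resource-group "$rg" --name "$vm" --output none
  az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group "$rg" --vm-name "$vm" --output none
}

# Grant one user login rights scoped to this single VM (its resource id),
# not to the resource group or subscription, so the same assignment cannot
# be used to sign in to other machines.
grant_vm_login() {
  local rg="$1" vm="$2" upn="$3" level="$4" role vm_id
  role="$(role_for_level "$level")"
  vm_id="$(az vm show --resource-group "$rg" --name "$vm" --query id --output tsv)"
  az role assignment create --role "$role" --assignee "$upn" \
    --scope "$vm_id" --output none
}

# Review who can log in to the VM through Azure AD, including assignments
# inherited from a broader scope that the portal view of the VM may hide.
list_vm_login_assignments() {
  local rg="$1" vm="$2" vm_id
  vm_id="$(az vm show --resource-group "$rg" --name "$vm" --query id --output tsv)"
  az role assignment list --scope "$vm_id" --include-inherited \
    --query "[?ends_with(roleDefinitionName, 'Login')].[principalName,roleDefinitionName,scope]" \
    --output table
}
```

Usage with constructed values: `enable_aad_login rg-demo vm-demo`, then `grant_vm_login rg-demo vm-demo alice@contoso.com user`, and `list_vm_login_assignments rg-demo vm-demo` to confirm the assignment sits at VM scope.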
No doubt, Microsoft will continue to build on Windows 10 and 11 tooling to connect to Azure services. Using the same login to authenticate with Azure services is safer than using multiple credentials, and it improves the end-user experience. Note that this guide assumes RDP is open to the internet, which adds a security risk. You may want to consider Azure VPN, which also supports authentication via Azure AD credentials, to remote into Azure VMs.
Contact us if you have questions or need help with your set up.