Introduction

 
To keep things simple, people often follow the risky practice of sharing admin account passwords among large groups of individuals. This makes it very hard to protect your production Windows VMs, and to collaborate with your team when using shared Windows VMs.
 
Organizations can now use Azure AD authentication over Remote Desktop Protocol (RDP) for Azure VMs running Windows Server 2019 Datacenter edition or Windows 10 1809 and later.
 
Using Azure AD to authenticate to VMs gives you the ability to centrally control and enforce policies with tools such as Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access, so you can regulate who is allowed to access a VM.
 
There are many benefits, including:
  • Using the same federated or managed Azure AD credentials you normally use.
  • Not having to manage local administrator accounts.
  • Using Azure RBAC to grant the appropriate level of access to VMs based on need, and to remove it when it is no longer needed.
  • Using Azure AD Conditional Access to enforce additional requirements, such as:
    • Multi-factor authentication (MFA)
    • Sign-in risk
  • Automating and scaling Azure AD join for Azure-based Windows VMs.

Creating a VM with Azure AD login enabled using the Azure portal

Sign in to the Azure portal with your account.
 
To create the VM, select Create a resource.
 
Search for Windows Server and select Windows Server 2019 Datacenter.
 
Click Create.
 
On the Management tab, under the Azure Active Directory section, switch the Login with AAD credentials (Preview) option from Off to On.
 
Make sure that System assigned managed identity under the Identity section is set to On. This should happen automatically once you enable Login with Azure AD credentials.
 
Go through the rest of the VM creation experience. During this preview, you still need to create an administrator username and password for the VM.
 
Using Azure Active Directory authentication to sign in to a Windows virtual machine

Configure role assignment for the VM

Open the overview page of the specific virtual machine.
 
Select Access control (IAM) from the menu options.
 
Select + Add to open the Add role assignment pane.
 
In the Role drop-down list, select a role such as Virtual Machine Administrator Login or Virtual Machine User Login.
 
In the Select field, select a user, group, service principal, or managed identity. You can search the directory by display name, email address, or object identifier.
 
Select Save to assign the role.
 
The security principal is then assigned the role at the selected scope.
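The same configuration done with the Azure CLI instead of the portal, as an added example that is not part of this article: it assumes the az CLI is installed and signed in, and the subscription id, resource group, VM name and user principal name are placeholders to replace. The role is scoped to the single VM and defaults to the less privileged Virtual Machine User Login role.

```shell
#!/bin/sh
# Added example: enable Azure AD login on an existing Windows VM and grant a
# least-privilege login role with the Azure CLI instead of the portal.
# Assumptions (not from the article): az is installed and signed in; the
# values below are placeholders. Nothing is applied until AAD_LOGIN_APPLY=1.

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-demo}"                                  # placeholder
VM_NAME="${VM_NAME:-vm-demo}"                                                 # placeholder
ASSIGNEE="${ASSIGNEE:-someone@example.com}"                                   # placeholder UPN

# Build the VM resource id used as the RBAC scope, so the role applies to this
# VM only rather than to the whole resource group or subscription.
vm_scope() {
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "vm_scope: missing argument" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' "$1" "$2" "$3"
}

# Map an access level to one of the two built-in login roles from the article.
# Anything else is rejected: broader roles such as Owner do not grant RDP
# sign-in and are far more than a login role should carry.
login_role() {
  case "$1" in
    admin) printf 'Virtual Machine Administrator Login' ;;
    user)  printf 'Virtual Machine User Login' ;;
    *)     echo "login_role: expected 'admin' or 'user', got '$1'" >&2; return 1 ;;
  esac
}

apply() {
  level="${1:-user}"   # default to the less privileged role
  role="$(login_role "$level")" || return 1
  scope="$(vm_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME")" || return 1
  # A system-assigned managed identity is required by the AAD login extension.
  az vm identity assign --resource-group "$RESOURCE_GROUP" --name "$VM_NAME"
  # Install the AADLoginForWindows extension (the portal toggle does the same).
  az vm extension set --resource-group "$RESOURCE_GROUP" --vm-name "$VM_NAME" \
    --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows
  # Grant the login role at VM scope only.
  az role assignment create --role "$role" --assignee "$ASSIGNEE" --scope "$scope"
  # List what is granted at this scope; review this when removing access too.
  az role assignment list --scope "$scope" --output table
}

if [ "${AAD_LOGIN_APPLY:-0}" = "1" ]; then
  apply "${AAD_LOGIN_LEVEL:-user}"
fi
```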
 
Log in to the Windows VM using Azure AD credentials

Go to the virtual machine on which Azure AD logon has been enabled.
 
Select Connect.
 
Select Download RDP File.
 
Open the downloaded file in the Remote Desktop Connection client.
 
Select Connect to launch the Windows logon dialog.
 
Log on using your Azure AD credentials.


Summary

In this article, I talked about using Azure Active Directory authentication to sign in to a Windows virtual machine. In my next article, I will cover the next step of this series.