Comments on: Fix Unable to RDP Azure VM using AAD Credentials
https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/
Wed, 09 Aug 2023 21:24:52 +0000

By: kcr https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-52165

I am just getting started with Azure. I got my free subscription, set up a Server 2019 VM, and followed the official doc and all the steps here, i.e. ticking the Azure AD option, assigning the VM admin role, checking the extension, disabling NLA, adding the user to the Remote Desktop Users group, disabling the firewall in the VM, updating the RDP shortcut with the 2 lines, putting in AzureAD\UPN for login, and disabling the AD security defaults. I still get the error “The sign-in method you are trying to use isn’t allowed, try a different sign-in method or contact system administrator”.

This is so frustrating. I thought this would be the easiest thing on Azure. How does everyone else manage their servers on Azure? I thought there would be more info out there regarding this.

By: Jon https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-41431

Hi Prajwal, are you able to comment on this setup please:

– AAD-joined PCs at the office, no local AD, no Azure VMs
– Separate VPN solution allows remote connection to the office
– RDP to the AAD-joined PC used to work from an AAD-registered personal PC, I think when NLA was disabled on the office PC.
– MFA is enabled on the AAD user account, no Conditional Access policies.

I replaced my office PC, and now it seems I can only RDP to the AAD-joined PC from another AAD-joined PC, where I am asked for my PIN only to authenticate, not any MFA etc. Is this NLA kicking in?

Is it possible to connect with NLA required on the remote, but the client is not AAD-Joined (only registered)?

I couldn’t find out much about how NLA works, especially with AAD-Join, but I feel like I should leave it on for security.

Also, any knowledge of the enablerdsaadauth:i:1 setting? If I enable this on my AAD-registered device I go through MFA but then get error CAA20002, which from searching seems like an authentication issue, but there are no results specific to RDS.

Thanks

By: Gaurav Kumar https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-41424

Is this process similar for Windows Server 2019? Can I do the same steps on a Windows Server 2019 server so that an Azure AD user can log in to the server?

By: Nick https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-40661

In reply to Prajwal Desai.

Thanks again.

So far I could not find RDP file settings that achieve copy-and-paste functionality at the login screen.
If someone has an idea then do not hesitate to tell me 🙂

By: Prajwal Desai https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-40543

In reply to Nick.

A few things can be added to the RDP file.

By: Nick https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-40542

Thank you for the detailed description.

Has anyone already solved the problem that the username and password cannot be sent via copy and paste to the VM’s login screen?

Especially if you run many VMs it is very time consuming to enter your password manually again and again.

Kind regards

By: Vipin Harishchandra Pandey https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-40297

In reply to rwilderman@gmail.com.

Excellent question. Currently Microsoft doesn’t have any solution apart from excluding the Azure VM sign-in from the MFA Conditional Access policy. But we need to find a way so that MFA also works with it.

Thank you Prajwal for the detailed explanation, and waiting for your reply on MFA.

By: rwilderman@gmail.com https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-39940

In reply to Cody.

Cody, would you mind going into more detail on what the policy is doing? Is it about bypassing MFA for the virtual machine logins, or what? Prajwal, maybe you can test this and add this info to the document? That would be valuable and seems to be missing from your otherwise comprehensive write-up here.

By: rwilderman@gmail.com https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-39938

You should add a step / information regarding multi-factor authentication. MFA interferes with login. I just disabled MFA on my test user and successfully logged in afterward. My test user still belongs to a Conditional Access Policy that enables MFA. For the moment that does not seem to interfere. I have yet to verify that MFA is functioning for the test user at all. I'll try to come back and report my findings.

By: JC https://www.prajwaldesai.com/unable-to-rdp-azure-vm-using-azure-ad-creds/#comment-39403

Just wanted to share an improvement:

Arriving at the VM login or lock screen was not practical for me because you are not allowed to paste the password, which can be a drag.

If you update the RDP file with the VM-LOCALLY ACTIVE name of the user account, you can just authenticate (and paste) locally and you will just end up _in_ your VM, not at the front door.

In my case, after using ‘whoami’ in PowerShell, I updated the RDP file from:
domain:s:AzureAD
username:s:name@domain.tld
to
domain:s:AzureAD
username:s:namedomain

Note that the .tld is gone as well as the @ sign, but we shouldn’t assume universal logic.
The notation whoami returned was:
azuread\namedomain

I also had to use:
enablecredsspsupport:i:1
and I temporary enabled:
prompt for credentials:i:1

After that I saved my credentials in my local Windows credential store and I can now just log in to the VM without being forced to type a password.

P.S. It is a bit much that this all requires so many steps; anyhow, I am grateful for your post! Before, I couldn’t get in at all. After, I could get in with some hoops. Now, I double-click the RDP file.

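Pulling the RDP-file settings from this thread together, as an added example that is not part of the original post or of any commenter's code: the "front door" file built from the two lines Microsoft's Azure AD sign-in procedure adds to the RDP file (the "2 lines" kcr refers to), the CredSSP plus saved-credential variant JC describes, and a check of the two VM-side items the thread changes (NLA and Remote Desktop Users membership). It is PowerShell; the address, user name and file path are placeholders, the TERMSRV/<host> credential target and the RDP-Tcp registry value are standard Windows locations, and Test-AadRdpPrerequisites assumes it runs on the VM itself as a local administrator.

```powershell
# Added example, not code from the post or its comments. The address, user
# name and path are placeholders; Test-AadRdpPrerequisites expects to run on
# the VM itself as a local administrator.

function New-AadRdpFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Address,    # VM public IP or DNS name (placeholder)
        [Parameter(Mandatory)] [string] $UserName,   # UPN, or the short name 'whoami' shows on the VM
        [Parameter(Mandatory)] [string] $Path,       # where to write the .rdp file
        [ValidateSet('FrontDoor', 'SavedCredential')]
        [string] $Mode = 'FrontDoor'
    )

    # Settings shared by both variants discussed in the thread.
    $lines = @(
        "full address:s:$Address",
        'domain:s:AzureAD',
        "username:s:$UserName"
    )

    switch ($Mode) {
        'FrontDoor' {
            # The two lines from Microsoft's Azure AD sign-in procedure. You land on
            # the VM's own logon screen ("the front door"), where pasting a password
            # is not possible.
            $lines += 'enablecredsspsupport:i:0'
            $lines += 'authentication level:i:2'
        }
        'SavedCredential' {
            # JC's variant: CredSSP on, prompt once, then let Windows keep the
            # credential so later connections land inside the session. Remove the
            # 'prompt for credentials' line again once the credential is stored.
            $lines += 'enablecredsspsupport:i:1'
            $lines += 'prompt for credentials:i:1'
        }
    }

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

function Save-RdpCredential {
    # Stores a TERMSRV/<host> entry in Credential Manager with cmdkey.exe, the
    # target mstsc looks up for that host. The secret ends up in the current
    # user's DPAPI-protected store, so only do this on a machine you control.
    param(
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [string] $UserName,   # e.g. 'AzureAD\namedomain', as whoami shows it
        [Parameter(Mandatory)] [securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    cmdkey.exe /generic:"TERMSRV/$Address" /user:$UserName /pass:$plain | Out-Null
}

function Test-AadRdpPrerequisites {
    # Run on the VM. Reports the two server-side items commenters changed:
    # whether NLA is still required, and who is in Remote Desktop Users.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        NlaRequired        = ($nla -eq 1)   # 1 = NLA required; the thread's steps set it to 0
        RemoteDesktopUsers = $members       # Azure AD accounts appear as AzureAD\<user>
    }
}

# Usage (placeholders):
# New-AadRdpFile -Address '20.0.0.10' -UserName 'user@contoso.com' -Path "$env:USERPROFILE\Desktop\vm.rdp"
# New-AadRdpFile -Address '20.0.0.10' -UserName 'usercontoso' -Path "$env:USERPROFILE\Desktop\vm-saved.rdp" -Mode SavedCredential
# Save-RdpCredential -Address '20.0.0.10' -UserName 'AzureAD\usercontoso' -Password (Read-Host -AsSecureString)
# Test-AadRdpPrerequisites
```

Two practical notes. The SavedCredential mode trades the paste problem for a stored secret: anyone who can run code as your local user can read the Credential Manager entry, so it belongs on a managed client, not a shared one. And NlaRequired = $false is the state the thread's steps produce, not a recommended end state; as Jon notes, NLA is worth leaving on, so re-check this value once the sign-in works.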