Search code examples
azureazure-virtual-machineazure-virtual-network

Using Point-to-Site and an Azure AD User Account, how do I access an Azure VM that is AzureADjoined?

I have created a VM in Azure as mentioned below

resource "azurerm_windows_virtual_machine" "virtual_machine_hub" {
  name                = "vm-hub"
  resource_group_name = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  location            = azurerm_resource_group.ipz12-dat-np-connection-rg.location
  size                = "Standard_B8ms"
  admin_username      = "xxxxx"
  admin_password      = "xxxxx"
  network_interface_ids = [
    azurerm_network_interface.virtual_machine_hub_nic.id
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsDesktop"
    offer     = "Windows-10"
    sku       = "21h1-pro"
    version   = "latest"
  }

  depends_on = [
    azurerm_network_interface.virtual_machine_hub_nic
  ]    
}

and enabled the AADLoginForWindows extension

resource "azurerm_virtual_machine_extension" "virtual_machine_hub_ext" {
  name                 = "AADLoginForWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.virtual_machine_hub.id
  type                       = "AADLoginForWindows"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true
  publisher                  = "Microsoft.Azure.ActiveDirectory"

  depends_on = [
    azurerm_windows_virtual_machine.virtual_machine_hub
  ] 
}

and it is AzureADConnected

enter image description here

My Azure user account is given access on the VM using RBAC

enter image description here

Now, the client machine (laptop) is connected to another domain in Azure AD (say, demo.com) as well as DomainJoined.

enter image description here

I am using the Azure VPN client to connect to the Azure Network using Point-to-Site.

While trying to RDP into the VM, it is falling with the below error message

enter image description here

What am I missing?

Solution

  • I tried to reproduce the same in my environment I also get the same error like below

    enter image description here

    To resolve this issue:

    Try to allow system properties like below:

    enter image description here

    Try to add the user to rdp group via cmd like below:

    net localgroup "Remote Desktop Users" /add "AzureAD\xx@xxxxx.onmicrosoft.com"
Get-LocalGroupMember -Name "Remote Desktop users"

    enter image description here

    In your local machine try to modify the rdp file in order to authenticate with different user:

    Right click on downloaded Rdp file -> Open with note pad try to add bottom line like below:

    enablecredsspsupport:i:0
authentication level:i:2

    enter image description here

    Now double click on rdp file try to connect like below:

    use .\AzureAD\email@company.com or AzureAD\email@company.com

    enter image description here

    Orelse, In your virtual machine -> run command under operation -> disable NLA -> Run

    enter image description here

    Reference:

    Remote Desktop to Azure AD Joined Computer – Bradley Schacht By Bradley Schacht