Azure AD Join and login with RDP
With Azure AD device groups and the ability to join the device to Azure AD, we can easily deploy our VMs, onboard them to Intune, apply policies, and even onboard them to Defender automatically! But what about RDP to the VM with the user's Azure AD credentials? Yes, it is already possible and quite mature, so it is a quick way to utilize the whole nine yards!
Create a VM with Windows Professional or Enterprise and select Login with Azure AD on the Management step:
The managed identity checkbox will be activated; we proceed to Monitoring leaving the defaults, and on the Advanced tab we select an extension to install, which is Azure AD based Windows Login:
Proceed to create the VM, and in the meantime verify you have an Azure AD user ready with an Intune license and assigned to the MDM Intune setting in Azure AD. We already have the ability to onboard the VM to Defender for Endpoint and control the device with Endpoint Management – Intune for Windows, so we create the CNAME for Windows auto-enrollment as documented here by Microsoft.
Add from IAM (Role Based Access Control) the Virtual Machine Administrator Login and Virtual Machine User Login roles to the user you want to log in with.
The VM should be ready, so log in with the initial Administrator and perform three tasks: open sysdm.cpl, uncheck the NLA requirement, and run the command below from an admin PowerShell:
net localgroup "remote desktop users" /add "AzureAD\firstname.lastname@example.org"
Now download and edit the RDP file with Notepad++ and make it look like this :
prompt for credentials:i:1
We also need a setting to add the user as a local admin, in case we want that option:
Restart the VM and log in with the edited RDP connection using:
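The three in-VM tasks above (NLA setting, Remote Desktop Users membership, the RDP file edit) scripted together with a readiness check, as an added example that is not the post's own code. The UPN, VM address and RDP file path are placeholders, and the WMI route to the NLA setting is my substitution for the sysdm.cpl click.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run on the VM as the initial local
# Administrator. All values below are placeholders/constructed; replace them.
param(
    [string]$AadUpn    = 'firstname.lastname@example.org',  # UPN used in the post
    [string]$VmAddress = '203.0.113.10',                    # constructed VM public IP
    [string]$RdpPath   = "$env:USERPROFILE\Desktop\aad-vm.rdp"
)

# 1) Relax the NLA requirement, the same change the post makes in sysdm.cpl, but
#    scripted via WMI so it is repeatable. This removes RDP's pre-authentication
#    step, so keep port 3389 reachable only from trusted sources (NSG / JIT access).
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]0 } | Out-Null

# 2) Allow the Azure AD user to RDP. The post's net localgroup syntax is kept on
#    purpose: Add-LocalGroupMember does not reliably resolve AzureAD\<upn> principals.
net localgroup "Remote Desktop Users" /add "AzureAD\$AadUpn" | Out-Null

# 3) Write the RDP file the post edits by hand. "prompt for credentials:i:1" makes
#    mstsc ask for the AzureAD\<upn> account instead of reusing the cached local logon.
$rdpLines = @(
    "full address:s:${VmAddress}:3389",
    "prompt for credentials:i:1"
)
Set-Content -Path $RdpPath -Value $rdpLines -Encoding Unicode

# 4) Verify the result before the reboot: NLA state and group membership.
function Test-AadRdpReady {
    param([string]$Upn)
    $nla = (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
             -ClassName Win32_TSGeneralSetting `
             -Filter "TerminalName='RDP-Tcp'").UserAuthenticationRequired
    $inGroup = (net localgroup "Remote Desktop Users") -match [regex]::Escape("AzureAD\$Upn")
    [pscustomobject]@{
        NlaRequired    = [bool]$nla        # expect False after step 1
        UserInRdpGroup = [bool]$inGroup    # expect True after step 2
        RdpFile        = $RdpPath
    }
}
Test-AadRdpReady -Upn $AadUpn
```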
And that's it! We can have a Conditional Access policy to force Intune onboarding, or add our work account from the Accounts menu.
We will examine the onboarding to MDM and Defender in a later post!