- Article
- Applies to:
- ✅ Windows 11, ✅ Windows 10
Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP).
- Starting in Windows 10, version 1809, you can use biometrics to authenticate to a remote desktop session.
- Starting in Windows 10/11, with 2022-10 update installed, you can use Microsoft Entra authentication to connect to the remote Microsoft Entra device.
Prerequisites
- Both devices (local and remote) must be running a supported version of Windows.
- Remote device must have the Connect to and use this PC from another device using the Remote Desktop app option selected under Settings > System > Remote Desktop.
- It's recommended to select Require devices to use Network Level Authentication to connect option.
- If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must add users to the Remote Desktop Users group on the remote device.
- Ensure Remote Credential Guard is turned off on the device you're using to connect to the remote device.
Connect with Microsoft Entra authentication
Microsoft Entra authentication can be used on the following operating systems for both the local and remote device:
- Windows 11 with 2022-10 Cumulative Updates for Windows 11 (KB5018418) or later installed.
- Windows 10, version 20H2 or later with 2022-10 Cumulative Updates for Windows 10 (KB5018410) or later installed.
- Windows Server 2022 with 2022-10 Cumulative Update for Microsoft server operating system (KB5018421) or later installed.
There's no requirement for the local device to be joined to a domain or Microsoft Entra ID. As a result, this method allows you to connect to the remote Microsoft Entra joined device from:
- Microsoft Entra joined or Microsoft Entra hybrid joined device.
- Active Directory joined device.
- Workgroup device.
Microsoft Entra authentication can also be used to connect to Microsoft Entra hybrid joined devices.
To connect to the remote computer:
Launch Remote Desktop Connection from Windows Search, or by running
mstsc.exe.Select Use a web account to sign in to the remote computer option in the Advanced tab. This option is equivalent to the
enablerdsaadauthRDP property. For more information, see Supported RDP properties with Remote Desktop Services.Specify the name of the remote computer and select Connect.
Note
IP address cannot be used when Use a web account to sign in to the remote computer option is used.The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.
When prompted for credentials, specify your user name in
user@domain.comformat.You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select Yes to connect.
Important
If your organization has configured and is using Microsoft Entra Conditional Access, your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with grant controls and session controls may be applied to the application Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c) for controlled access.
Disconnection when the session is locked
The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.
Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies.
Connect without Microsoft Entra authentication
By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from:
- Microsoft Entra joined or Microsoft Entra hybrid joined device using Windows 10, version 1607 or later.
- Microsoft Entra registered device using Windows 10, version 2004 or later.
Note
Both the local and remote device must be in the same Microsoft Entra tenant. Microsoft Entra B2B guests aren't supported for Remote desktop.
To connect to the remote computer:
- Launch Remote Desktop Connection from Windows Search, or by running
mstsc.exe. - Specify the name of the remote computer.
- When prompted for credentials, specify your user name in either
user@domain.comorAzureAD\user@domain.comformat.
Tip
If you specify your user name in domain\user format, you may receive an error indicating the logon attempt failed with the message Remote machine is Microsoft Entra joined. If you are signing in to your work account, try using your work email address.
Note
For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
Supported configurations
This table lists the supported configurations for remotely connecting to a Microsoft Entra joined device without using Microsoft Entra authentication:
| Criteria | Client operating system | Supported credentials |
|---|---|---|
| RDP from Microsoft Entra registered device | Windows 10, version 2004 or later | Password, smart card |
| RDP from Microsoft Entra joined device | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
| RDP from Microsoft Entra hybrid joined device | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
Note
If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Microsoft Entra joined devices, it must allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities.
Note
When a Microsoft Entra group is added to the Remote Desktop Users group on a Windows device, it isn't honored when the user that belongs to the Microsoft Entra group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.
Add users to Remote Desktop Users group
Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. Users can be added either manually or through MDM policies:
Adding users manually:
You can specify individual Microsoft Entra accounts for remote connections by running the following command, where
<userUPN>is the UPN of the user, for exampleuser@domain.com:net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"In order to execute this command, you must be a member of the local Administrators group. Otherwise, you may see an error similar to
There is no such global user or group: <name>.Adding users using policy:
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in How to manage the local administrators group on Microsoft Entra joined devices.
Related articles
How to use Remote Desktop
As an AI language model, I have access to a wide range of information and can provide insights on various topics. However, it's important to note that I don't have direct access to my training data or know where it came from. I was trained on a mixture of licensed data, data created by human trainers, and publicly available data. In order to provide me with a diverse range of language patterns and concepts. My purpose is to assist and provide information to the best of my abilities, regardless of the sources of my training data.
Now, let's dive into the information related to the concepts mentioned in the article you provided.
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to connect to and control a remote computer over a network connection. It enables users to access and use the resources and applications on a remote computer as if they were sitting in front of it. RDP is commonly used for remote administration, remote support, and remote access to virtual desktops.
Biometrics for Remote Desktop Session Authentication
Starting in Windows 10, version 1809, users can use biometrics, such as fingerprint or facial recognition, to authenticate to a remote desktop session. This means that instead of entering a username and password, users can use their biometric information to securely log in to a remote computer.
Microsoft Entra Authentication for Remote Desktop
Starting in Windows 10/11, with the 2022-10 update installed, users can use Microsoft Entra authentication to connect to a remote Microsoft Entra device using Remote Desktop. Microsoft Entra authentication can be used on Windows 11, Windows 10 (version 20H2 or later), and Windows Server 2022. It allows users to connect to remote devices joined to Microsoft Entra ID or devices joined to Active Directory.
Prerequisites for Remote Desktop Connection
To establish a remote desktop connection, there are several prerequisites that need to be met:
- Both the local and remote devices must be running a supported version of Windows.
- The remote device must have the "Connect to and use this PC from another device using the Remote Desktop app" option selected under Settings > System > Remote Desktop.
- It is recommended to select the "Require devices to use Network Level Authentication to connect" option.
- If multiple users or groups need to connect to the remote device remotely, they must be added to the Remote Desktop Users group on the remote device.
- Remote Credential Guard should be turned off on the device used to connect to the remote device.
Connecting with Microsoft Entra Authentication
To connect to a remote computer using Microsoft Entra authentication, follow these steps:
- Launch Remote Desktop Connection from Windows Search or by running
mstsc.exe. - Select the "Use a web account to sign in to the remote computer" option in the Advanced tab.
- Specify the name of the remote computer and select Connect.
- When prompted for credentials, specify your user name in the
user@domain.comformat. - If prompted to allow the remote desktop connection, select Yes to connect.
Disconnection when the Session is Locked
In a remote session, the Windows lock screen does not support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. As a result, when a remote session is locked, it is disconnected instead of being locked. This ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies.
Connecting without Microsoft Entra Authentication
By default, Remote Desktop Protocol (RDP) does not use Microsoft Entra authentication, even if the remote PC supports it. However, you can still connect to a remote Microsoft Entra joined device without using Microsoft Entra authentication. The supported configurations for remotely connecting to a Microsoft Entra joined device without using Microsoft Entra authentication are listed in the article.
Adding Users to Remote Desktop Users Group
The Remote Desktop Users group is used to grant users and groups permissions to remotely connect to a device. Users can be added to the Remote Desktop Users group manually or through MDM policies. The article provides instructions on how to add users manually using a command or through MDM policies.
These are the main concepts related to the article you provided. If you have any further questions or need more information, feel free to ask!
