These steps describe how to configure Remote Desktop (RDP) to successfully connect to a Microsoft Entra\u202fID (Azure AD) joined device over VPN or office network. This includes editing the Heavily based on these three articles and built from ticket #2571<\/a><\/p>\n\n\n\n Especially useful for Santiam Water Control District staff. https:\/\/rublon.com\/blog\/how-to-rdp-into-azure-ad-joined-vm<\/a><\/p>\n\n\n\n https:\/\/www.howtogeek.com\/27350\/beginner-geek-how-to-edit-your-hosts-file<\/a><\/p>\n\n\n\n If you are not already part of the Remote Desktop Users group on the remote device, you may need to add your account or Azure AD group to it via local admin<\/strong> or MDM policy<\/strong>:<\/p>\n\n\n\n When your client cannot resolve NetBIOS names over a VPN Connection or Wi\u2011Fi, you can manually define them:<\/p>\n\n\n\n Note: some of these are already added in, so only copy and paste the missing ones and change the relevant entries.<\/p>\n\n\n\n.rdp<\/code> connection file and optionally editing the Windows hosts<\/strong> file on the VPN client to resolve NetBIOS or FQDN names more reliably.<\/p>\n\n\n\n
https:\/\/learn.microsoft.com\/en-us\/windows\/client-management\/client-tools\/connect-to-remote-aadj-pc<\/a><\/p>\n\n\n\n
\n\n\n\n\u2705 Requirements & Prerequisites<\/h2>\n\n\n\n
\n
\n\n\n\n\ud83d\udee0 Step 1 \u2013 Edit the
.rdp<\/code> file<\/h2>\n\n\n\n\n
mstsc.exe<\/code>), enter the hostname (NOT the IP Address, often fails in this setup) of the remote device, expand\u00a0Show Options<\/strong>, and click\u00a0Save As\u2026<\/strong>\u00a0to store a\u00a0.rdp<\/code>\u00a0file locally. (Stack Overflow<\/a>)<\/li>\n\n\n\n.rdp<\/code>\u00a0file using a text editor like Notepad.<\/li>\n\n\n\nfull address:s:<\/code>\u00a0field to use the\u00a0NetBIOS hostname<\/strong>\u00a0or\u00a0FQDN<\/strong>, not the IP address. Example:full address:s:Desktop\u2011Manager <\/code>(Replaces earlier\u00a0s: \\\\192.168.1.119<\/code>\u00a0usage.) (ronamosa.io<\/a>)
Your internal ticket notes confirm that Azure AD\u2013joined devices\u00a0cannot<\/strong>\u00a0be reached by IP if using Azure AD authentication\u2014they require name resolution.enablecredsspsupport:i:0 authentication level:i:2 <\/code>This disables CredSSP and sets a proper authentication level for Azure AD RDP login. (Stack Overflow<\/a>)<\/li>\n\n\n\nenablerdsaadauth:i:1 <\/code>This flag ensures the client uses the web-account sign\u2011in flow. Without it, authentication via Azure AD may fail. (Microsoft Learn<\/a>)<\/li>\n\n\n\nusername@domain.com<\/code>You will be prompted to fully sign in through a popup Microsoft login window and approve this new host; accept it. (Rublon<\/a>,\u00a0Microsoft Learn<\/a>)<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n\ud83e\uddea Step 2 \u2013 (Optional) Add the Azure AD user to the Remote Desktop Users group<\/h2>\n\n\n\n
\n
net localgroup \"Remote Desktop Users\" \/add \"AzureAD\\username@domain.onmicrosoft.com\"<\/code><\/li>\n\n\n\nAdd-LocalGroupMember -Group \"Remote Desktop Users\" -Member \"AzureAD\\username@domain.com\" <\/code>(Prajwal Desai<\/a>)<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83e\udded Step 3 \u2013 (Optional) Edit the hosts file for name resolution over VPN<\/h2>\n\n\n\n
\n
C:\\Windows\\System32\\drivers\\etc\\hosts<\/code><\/li>\n\n\n\n192.168.1.119 Desktop\u2011Manager<\/code><\/li>\n\n\n\n.rdp<\/code>\u00a0file to resolve correctly even if DNS or NetBIOS resolution fails.<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n\ud83e\udde9 Troubleshooting Scenarios & Notes<\/h2>\n\n\n\n
\n
\n\n\n\n<\/h2>\n\n\n\n
\u2705 Example
.rdp<\/code> snippet<\/h2>\n\n\n\nfull address:s:Desktop\u2011Manager\nenablecredsspsupport:i:0\nauthentication level:i:2\nenablerdsaadauth:i:1\n<\/code><\/pre>\n\n\n\n
\n\n\n\n\u2139\ufe0f Why these settings matter<\/h2>\n\n\n\n
\n
\n\n\n\n\ud83d\udccc Final Notes<\/h2>\n\n\n\n