
RDP with Entra user

Ross Nishuler 5 Reputation points
2026-03-01T14:51:50.8933333+00:00

I have an issue with an RDP connection.

PC 1 is connected to the on-prem DC.

PC 2 is connected to AAD only.

I tried to connect from PC 1 to PC 2, without success.

I tried changing the RDP file to add:

enablecredsspsupport:i:0

authentication level:i:2

I disabled NLA on the AAD PC, without success.

Any solution?


2 answers

  1. Daphne Huynh (WICLOUD CORPORATION) 585 Reputation points Microsoft External Staff Moderator
    2026-03-03T03:31:34.04+00:00

    Welcome to the Microsoft Q&A Platform!

    Thank you for sharing your concern with us.

    Based on your description, this behavior is expected when connecting from an on‑premises Active Directory–joined PC to an Azure AD (Microsoft Entra ID) only device. Disabling Network Level Authentication (NLA) or modifying the .rdp file alone is not sufficient. On Azure AD only devices, Azure AD authentication for Remote Desktop must be explicitly enabled. By default, Remote Desktop does not allow Azure AD authentication on Azure AD–joined devices, so authentication will fail even if NLA is disabled, CredSSP settings are modified and valid credentials are provided. Azure AD authentication must be enabled either at the operating system level or at the Host Pool level (for AVD).

    Recommendations

    1. Enable Azure AD Authentication for RDP

    Configure the following registry value on the Azure AD only device:

    • Path: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    • Type: DWORD
    • Name: fEnableRdsAadAuth
    • Value: 1

    2. Verify User Permissions

    Add the connecting user to the "Remote Desktop Users" group.

    3. Check RDP Listener and Port

    Ensure RDP is enabled and listening on port 3389.

    4. Use Correct Sign-In Method

    For Azure AD accounts, use the full UPN (e.g., AzureAD******@domain.com) when connecting.

    5. If Using Azure Virtual Desktop

    Enable Azure AD authentication at the Host Pool level by configuring RDP Properties and adding: enablerdsaadauth:i:1 (Host Pool → RDP Properties → Advanced)

    Reference: Supported RDP properties - Azure Virtual Desktop | Microsoft Learn

    Hope this helps, and I wish you a great day!


  2. Marcin Policht 82,355 Reputation points MVP Volunteer Moderator
    2026-03-01T15:12:52.8066667+00:00

    As per https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc

    • If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must add users to the Remote Desktop Users group on the remote device.
    • Ensure Remote Credential Guard is turned off on the device you're using to connect to the remote device.

    To connect to the remote computer:

    • Launch Remote Desktop Connection from Windows Search, or by running mstsc.exe.
    • Select the "Use a web account to sign in to the remote computer" option in the Advanced tab. This option is equivalent to the enablerdsaadauth RDP property. For more information, see Supported RDP properties with Remote Desktop Services.
    • Specify the name of the remote computer and select Connect.
      An IP address cannot be used when the "Use a web account to sign in to the remote computer" option is used. The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device.
    • When prompted for credentials, specify your user name in ******@domain.com format.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

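A read-only check of the settings the two answers list, as an added PowerShell example that is not part of either answer or of Microsoft's documentation. `Get-RegValue`, `Test-RdpPath` and the host name `PC2` are hypothetical names; the script assumes an English group name, reads the policy value exactly as the first answer gives it, and also reports whether NLA is still required after troubleshooting.

```powershell
# Added example. Part 1: run elevated on the Entra-joined PC (PC 2). Read-only.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$port = Get-RegValue $tcp 'PortNumber'
if (-not $port) { $port = 3389 }   # default RDP port, as in the first answer

[pscustomobject][ordered]@{
    # dsregcmd prints "AzureAdJoined : YES" on an Entra-joined device.
    EntraJoined       = [bool](dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')
    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    RdpEnabled        = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
    ListenerPort      = $port
    Listening         = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    # UserAuthentication = 1 means NLA is required (local setting; policy can override it).
    NlaRequired       = (Get-RegValue $tcp 'UserAuthentication') -eq 1
    # Value named in the first answer; empty output means it is not set.
    fEnableRdsAadAuth = Get-RegValue $pol 'fEnableRdsAadAuth'
} | Format-List

# Members allowed to connect besides the user who joined the device.
net localgroup 'Remote Desktop Users'

# Part 2: run on the connecting PC (PC 1).
function Test-RdpPath([string]$ComputerName) {
    # The name must resolve; an IP address cannot be used with web-account sign-in.
    $dns  = Resolve-DnsName -Name $ComputerName -ErrorAction SilentlyContinue
    $conn = Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name          = $ComputerName
        Resolves      = [bool]$dns
        PortReachable = $conn.TcpTestSucceeded
    }
}
# Usage on PC 1 ('PC2' is a placeholder host name):
#   Test-RdpPath -ComputerName 'PC2'
```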
