This article describes how to create a secure RDP connection to your Windows virtual machines using Azure Bastion. You can connect through the Azure portal (browser-based), via a specified IP address, or using a native client on your local Windows computer. When you use Azure Bastion, your virtual machines don't require a client, agent, or additional software. Azure Bastion securely connects to all virtual machines in the virtual network without exposing RDP/SSH ports to the public internet. For more information, see What is Azure Bastion?
For native client connections using Azure CLI (including SSH and tunnel), see Connect to a VM using a native client. To connect to a Windows virtual machine using SSH, see Create an SSH connection to a Windows VM.
The following diagram shows the dedicated deployment architecture using an RDP connection.
Prerequisites
Before you begin, verify that you meet the following criteria:
An Azure Bastion host deployed in the virtual network where the virtual machine is located, or in a peered virtual network. To set up a Bastion host, see Create a bastion host. The SKU you need depends on your connection method:
| Connection method | Minimum SKU | Additional configuration |
|---|---|---|
| Azure portal (browser) | Basic | None |
| Azure portal with custom ports | Standard | None |
| IP-based connection | Standard | IP-based connection enabled |
| Native client (RDP) | Standard | Native client support enabled |

Users connecting via RDP must have rights on the target virtual machine. If the user isn't a local administrator, add them to the Remote Desktop Users group.
Azure Bastion uses RDP port 3389 by default. Custom ports require the Standard SKU or higher. To upgrade, see Upgrade a SKU.
A Windows virtual machine in the virtual network (or reachable from the virtual network for IP-based connections).
Required roles:
- Reader role on the virtual machine.
- Reader role on the NIC with the IP of the virtual machine.
- Reader role on the Azure Bastion resource.
- Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
- Virtual Machine Administrator Login or Virtual Machine User Login role (only required for Microsoft Entra ID authentication).
See the Azure Bastion FAQ for additional requirements.
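As an added example (not part of this article and not Microsoft's code), the following Python script checks a Bastion host's SKU and feature flags against the connection-method table above, and also inspects the target virtual machine's network security group for an inbound rule that would expose port 3389 to the public internet, which is the exposure Bastion is meant to remove. It assumes the JSON shapes produced by `az network bastion show` and `az network nsg show` (the property names `sku.name`, `enableIpConnect`, `enableTunneling`, and the `securityRules` fields are assumptions about the resource schema, not taken from this page); the sample resources are constructed.

```python
"""Audit a Bastion host and a VM's NSG against this article's prerequisites.

Added example, not Microsoft's code. It assumes the JSON shapes returned by
`az network bastion show` and `az network nsg show` (property names such as
sku.name, enableIpConnect, enableTunneling, securityRules[].priority and
destinationPortRange are assumptions about the ARM schema, not taken from
this page). All sample data below is constructed.
"""
import json

SKU_RANK = {"Basic": 0, "Standard": 1, "Premium": 2}

# Minimum SKU and the Bastion feature flag each connection method needs,
# taken from the prerequisites table above.
REQUIREMENTS = {
    "portal": ("Basic", None),
    "portal-custom-port": ("Standard", None),
    "ip-based": ("Standard", "enableIpConnect"),
    "native-client": ("Standard", "enableTunneling"),
}

# Source prefixes that mean "anyone on the public internet".
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def bastion_gaps(bastion: dict, method: str) -> list:
    """Return the prerequisites the Bastion host misses for `method` (empty = OK)."""
    min_sku, feature = REQUIREMENTS[method]
    gaps = []
    sku = bastion.get("sku", {}).get("name", "Basic")
    if SKU_RANK.get(sku, -1) < SKU_RANK[min_sku]:
        gaps.append(f"SKU is {sku}; {method} needs {min_sku} or higher")
    if feature and not bastion.get(feature, False):
        gaps.append(f"{feature} is not enabled on the Bastion host")
    return gaps


def _port_matches(port_range: str, port: int) -> bool:
    """True if an NSG port expression ('*', '3389', '3000-4000') covers `port`."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def _values(rule: dict, single: str, plural: str) -> list:
    """NSG rules carry either a single value or a list; normalise to a list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def exposed_rdp_rules(nsg: dict, port: int = 3389) -> list:
    """Name of the custom inbound rule that lets the public internet reach `port`.

    NSG rules are evaluated by ascending priority and the first match decides,
    so a Deny-from-Internet rule with a lower number shadows a later Allow.
    Returns [] when nothing public matches (Azure's default DenyAllInBound wins).
    """
    for r in sorted(nsg.get("securityRules", []), key=lambda x: x["priority"]):
        if r.get("direction") != "Inbound" or r.get("protocol", "*") not in ("*", "Tcp"):
            continue
        if not PUBLIC_SOURCES & set(_values(r, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        if not any(_port_matches(p, port)
                   for p in _values(r, "destinationPortRange", "destinationPortRanges")):
            continue
        return [r["name"]] if r.get("access") == "Allow" else []
    return []


def audit(bastion: dict, nsg: dict, method: str) -> dict:
    """Combine both checks into one report."""
    return {"bastion_gaps": bastion_gaps(bastion, method),
            "exposed_rdp_rules": exposed_rdp_rules(nsg)}


# Constructed sample resources (not real Azure output).
SAMPLE_BASTION = {
    "name": "bastion-hub",
    "sku": {"name": "Standard"},
    "enableIpConnect": False,
    "enableTunneling": True,
}
SAMPLE_NSG = {
    "name": "vm-win-nsg",
    "securityRules": [
        {"name": "AllowRdpFromInternet", "priority": 300, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
        {"name": "AllowRdpFromBastionSubnet", "priority": 310, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26",
         "destinationPortRange": "3389"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BASTION, SAMPLE_NSG, "ip-based"), indent=2))
```

To run it against real resources, replace the constructed samples with the parsed output of `az network bastion show` and `az network nsg show`. An empty `bastion_gaps` list means the host meets the SKU and feature prerequisites for the chosen connection method; an empty `exposed_rdp_rules` list means no custom NSG rule publishes the RDP port to the internet, so the VM is reachable over RDP only through paths such as Bastion.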
Authentication methods
The following authentication methods are available for RDP connections through Azure Bastion. Select an authentication method to see the corresponding steps.
| Authentication method | Supported connection methods | Minimum SKU |
|---|---|---|
| Microsoft Entra ID (Preview for RDP) | Azure portal, native client | Basic (portal), Standard (native client) |
| Username and password | Azure portal, IP address (portal), native client | Basic (portal), Standard (IP address, native client) |
| Kerberos | Azure portal | Basic |
Connect to a virtual machine using RDP
Select a connection method to see the corresponding steps. After you navigate to the Bastion connection page, choose your authentication method.
Use the Azure portal to create a browser-based RDP connection to your Windows virtual machine. This method connects directly through your browser. No native RDP client or additional software is required on your local computer. The Basic SKU or higher is required, or the Standard SKU if you need custom ports.
In the Azure portal, select your virtual machine. On the left pane select Connect, then select Bastion.
In the Connection settings tab, select RDP as the protocol, and enter the port number if you changed it from the default of 3389.
Select your authentication method. Microsoft Entra ID (Preview) is recommended. For other options, see Authentication methods.
Select Connect to open the RDP connection to your virtual machine in a new browser tab.
Note
For troubleshooting tips, see Troubleshooting RDP connections and Troubleshoot Microsoft Entra sign in for a Windows virtual machine in Azure or Arc-enabled Windows Server.
Limitations
- IP-based connections: IP-based connection doesn't work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the internet; force tunneling or a default route advertisement results in traffic blackholing.
- IP-based connections: UDR isn't supported on the Bastion subnet, including with IP-based connections.
- IP-based connections: Custom ports and protocols aren't currently supported when connecting to a virtual machine via native client with IP-based connections.
- Microsoft Entra ID: Microsoft Entra authentication isn't supported for IP-based RDP connections. IP-based SSH connections via native client do support Entra ID authentication. For Entra ID auth details, see About Microsoft Entra ID authentication.
- Session recording: RDP + Entra ID authentication in the portal can't be used concurrently with graphical session recording.
Next steps
- Connect to a Windows VM using SSH
- What is Azure Bastion?
- Configure Microsoft Entra ID authentication for identity-based access.
- Configure Kerberos authentication for domain-joined virtual machines.
- Transfer files to your virtual machine using a native client.
- Configure a shareable link for users without Azure portal access.
- Azure Bastion FAQ