Microsoft Entra ID authentication for Azure Bastion lets you sign in to your virtual machines using your organizational identity instead of local virtual machine credentials. With Entra ID authentication, you can enforce multifactor authentication (MFA), apply conditional access policies, and centralize identity management across your Azure virtual machines.
Note
Microsoft Entra ID authentication for RDP connections in the portal is in public preview. Microsoft Entra ID authentication for SSH connections in the portal is generally available.
Prerequisites
Before you configure Entra ID authentication, verify the following:
Azure Bastion host: A Bastion host deployed in the virtual network where the virtual machine is located, or in a peered virtual network. The minimum SKU depends on the connection method:
Connection method                          Minimum SKU
Azure portal (RDP or SSH)                  Basic
Native client (RDP with --enable-mfa)      Standard
Native client (SSH with --auth-type AAD)   Standard
Supported operating systems:
- Windows virtual machines (RDP): Windows 10 version 20H2 or later, Windows 11 21H2 or later, or Windows Server 2022 or later.
- Linux virtual machines (SSH): Any Linux distribution that supports the AADSSHLoginForLinux extension.
Native client connections: Azure CLI version 2.32 or later. Run the following command to install the SSH extension:
az extension add --name ssh
For setup details, see Configure Bastion for native client connections.
Entra ID authentication overview
Entra ID authentication supports both RDP and SSH connections. The authentication flow works as follows:
- You initiate a connection to a virtual machine through Azure Bastion.
- Bastion redirects you to Microsoft Entra ID for authentication, where MFA and conditional access policies are evaluated.
- After successful authentication, Bastion brokers the connection to the target virtual machine.
- The virtual machine-level extension (AADLoginForWindows or AADSSHLoginForLinux) validates the Entra ID token and grants access based on your assigned role.
Entra ID authentication is available through two connection methods:
- Azure portal: Connect directly from the Azure portal using RDP (Windows virtual machines) or SSH (Linux virtual machines). The Basic SKU or higher is required.
- Native client: Connect using the Azure CLI from your local computer with the az network bastion rdp or az network bastion ssh command. The Standard SKU or higher is required.
When all requirements are met, Microsoft Entra ID appears as the default authentication option on the Bastion connection page in the Azure portal. If any requirement isn't met, the option doesn't appear.
Note
The sign-in experience differs between connection methods. Portal connections use passwordless authentication—you sign in with your Entra ID credentials and don't need a local VM password. Native client RDP connections prompt for password entry after MFA completes. For more information, see Sign in using password/passwordless authentication with Microsoft Entra ID.
Assign roles
Users connecting with Entra ID authentication need one of the following role assignments:
- Virtual Machine Administrator Login: Grants administrator-level access to the virtual machine.
- Virtual Machine User Login: Grants regular user-level access to the virtual machine.
The following Reader role assignments on the relevant resources are also required:
- Reader role on the virtual machine.
- Reader role on the network interface (NIC) that holds the private IP of the virtual machine.
- Reader role on the Azure Bastion resource.
- Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
You can assign roles at the virtual machine, resource group, or subscription scope.
Follow these steps to assign the required roles using the Azure portal:
- In the Azure portal, navigate to the virtual machine you want to configure.
- Select Access control (IAM) from the left menu.
- Select Add > Add role assignment.
- On the Role tab, search for and select Virtual Machine Administrator Login (or Virtual Machine User Login for standard access). Select Next.
- On the Members tab, select + Select members, search for the user or group, select them, and choose Select.
- Select Review + assign to complete the role assignment.
- Repeat the previous steps to assign the required Reader roles on the virtual machine, NIC, Bastion resource, and virtual network.
Install the virtual machine extension
The virtual machine extension validates the Entra ID token and grants access to the virtual machine. You can enable the extension during virtual machine creation by selecting Login with Microsoft Entra ID, or add it to an existing virtual machine using the following steps.
Install the AADLoginForWindows extension on Windows virtual machines.
Supported operating systems: Windows 10 version 20H2 or later, Windows 11 21H2 or later, Windows Server 2022 or later.
Azure portal
- In the Azure portal, navigate to your Windows virtual machine.
- Select Extensions + applications from the left menu.
- Select + Add.
- Search for AADLoginForWindows, select the extension, and select Next.
- Select Review + create, then select Create to install the extension.
- Wait for the extension to finish provisioning. Verify the status on the Extensions + applications page shows Provisioning succeeded.
Azure CLI
az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory \
--name AADLoginForWindows \
--resource-group "<ResourceGroupName>" \
--vm-name "<VMName>"
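The role assignments in the Assign roles section and the extension install above, scripted end to end as an added example (not from the Azure Bastion documentation). Resource names, the principal and the subscription ID are constructed placeholders; DRY_RUN=1 (the default) only prints the az commands so the script runs without a subscription, and the login role defaults to Virtual Machine User Login, scoped to the single VM rather than the resource group or subscription.

```shell
#!/bin/sh
# Added example, not from the Azure Bastion documentation: grant one principal
# the role set the page requires (login role on the VM plus Reader on the VM,
# its NIC, the Bastion host and the VNet), then install AADLoginForWindows.
# All names are constructed placeholders; DRY_RUN=1 only prints the commands.
set -eu
RG="${RG:-rg-bastion-demo}"                  # placeholder resource group
VM="${VM:-vm-win-demo}"                      # placeholder Windows VM
BASTION="${BASTION:-bas-demo}"               # placeholder Bastion host
VNET="${VNET:-vnet-demo}"                    # placeholder VNet of the VM
PRINCIPAL="${PRINCIPAL:-user@contoso.example}"          # placeholder user/group
LOGIN_ROLE="${LOGIN_ROLE:-Virtual Machine User Login}"  # least privilege default
DRY_RUN="${DRY_RUN:-1}"
# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Resolve the four scopes the role assignments target. Dry-run synthesizes IDs
# of the right shape (with a placeholder subscription); live mode asks az.
resolve_scopes() {
  if [ "$DRY_RUN" = "1" ]; then
    base="/subscriptions/<sub-id>/resourceGroups/$RG/providers"
    VM_ID="$base/Microsoft.Compute/virtualMachines/$VM"
    NIC_ID="$base/Microsoft.Network/networkInterfaces/$VM-nic"
    BASTION_ID="$base/Microsoft.Network/bastionHosts/$BASTION"
    VNET_ID="$base/Microsoft.Network/virtualNetworks/$VNET"
  else
    VM_ID=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
    NIC_ID=$(az vm show -g "$RG" -n "$VM" \
      --query 'networkProfile.networkInterfaces[0].id' -o tsv)
    BASTION_ID=$(az network bastion show -g "$RG" -n "$BASTION" --query id -o tsv)
    VNET_ID=$(az network vnet show -g "$RG" -n "$VNET" --query id -o tsv)
  fi
}
# Login role scoped to the VM only, then the Reader roles the page lists.
assign_roles() {
  resolve_scopes
  run az role assignment create --assignee "$PRINCIPAL" --role "$LOGIN_ROLE" --scope "$VM_ID"
  for scope in "$VM_ID" "$NIC_ID" "$BASTION_ID" "$VNET_ID"; do
    run az role assignment create --assignee "$PRINCIPAL" --role Reader --scope "$scope"
  done
}
# Same extension install as the Azure CLI step on this page.
install_extension() {
  run az vm extension set --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows --resource-group "$RG" --vm-name "$VM"
}
assign_roles
install_extension
```

Run with DRY_RUN=0 after az login to apply the assignments; the VNet Reader assignment is only needed when Bastion sits in a peered virtual network, so drop it from the loop otherwise.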
Tip
For detailed setup guidance, see Enable Microsoft Entra sign in for a Windows virtual machine in Azure or Enable Microsoft Entra sign in for a Linux virtual machine in Azure.
Connect using Entra ID authentication
After you complete the role assignments and install the virtual machine extension, you can connect to your virtual machine using Entra ID authentication. When all requirements are met, Microsoft Entra ID appears as the default authentication option on the Bastion connection page in the Azure portal.
Connect to a Windows virtual machine using RDP with Entra ID authentication in the Azure portal. The Basic SKU or higher is required.
- In the Azure portal, navigate to your Windows virtual machine. Select Connect > Bastion.
- In the Connection settings section, set Protocol to RDP. Enter the port number if you changed it from the default of 3389.
- For Authentication type, select Microsoft Entra ID (Preview). If this option doesn't appear, verify that the virtual machine extension is installed and the required roles are assigned.
- Select Connect to open the RDP connection in a new browser tab.
- When prompted, sign in with your Microsoft Entra ID credentials. Multifactor authentication (MFA) and conditional access policies are evaluated during this step.
Note
If you encounter sign-in issues, see Troubleshoot Microsoft Entra sign-in problems.
Limitations
- RDP and Entra ID authentication in the portal can't be used concurrently with graphical session recording.
- Microsoft Entra ID authentication isn't supported for IP-based RDP or SSH connections.
- Microsoft Entra ID authentication for portal connections is supported for RDP to Windows virtual machines and SSH to Linux virtual machines only.
- For native client RDP connections, remote connection to virtual machines joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined to the same directory as the virtual machine.