
0 Votes
WardAnderson-0632 asked ·

Allowing all users to log in on a remote AAD-joined machine

Morning!

I'm trying to build out new offices with smaller footprints. One of my ideas was to put the machines into Azure AD. I've done that, but what I see is I can only log in with the user that's assigned to the machine. Is there a way I can register these machines in AAD and have them allow all of my users to log in to these devices? I have M365 licensing with P1 and all of that now on top of my E3 licensing.

If I can sort this out it'll be a game changer for us because I can set up offices very cheaply. Any ideas would be awesome.

Thanks!
Ward

azure-active-directory

Users from the same organization (Azure AD tenant) will be able to sign in to Azure AD joined machines. Can you elaborate on how you are registering the devices?

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

0 Votes
0 Votes
ByronViljoen-5856 answered ·

If your servers are hosted within Azure you can install the Azure Active Directory Domain Services extension.

https://azure.microsoft.com/en-us/services/active-directory-ds/

This will allow you to join your Azure hosted servers to your domain.

Once the servers are joined you will be able to assign roles and permissions to users within your Azure Active Directory.


So those roles will allow random Azure AD users to log in to Azure AD joined machines? Example: I use my account to join a remote machine to Azure AD with no on-prem DCs. Let's say User B (who exists in Azure AD and on-prem) wants to log in to that machine. Is that doable?


Right now only I can log in to the machine that I registered.


0 Votes
1 Vote
amanpreetsingh-msft answered ·

@WardAnderson-0632

In order to allow all Azure AD users in your Azure AD tenant to log in to Azure AD joined machines using RDP, you need to configure the Remote Desktop settings as highlighted below:

[Screenshot attached: untitled.png, Remote Desktop settings]

Once this is done, you can log in using the AzureAD\UPN format, i.e., AzureAD\username@your_tenant.onmicrosoft.com or AzureAD\username@your_verified_domain.com


Please "Accept as answer" wherever the information provided helps you to help others in the community.




Right, that's for RDP. But what about them authenticating locally? Basically I want to make these remote offices like my offices that have domain controllers in their closets. I want to have remote machines AAD joined but allow everyone to log in to them when they are sitting at these desks. Is that doable?


0 Votes

@WardAnderson-0632 Yes, this is doable. You can perform Azure AD Join on a device using a Global Administrator account, and all other users in that tenant can log in to that device via a console session. For console sessions, you won't even need to perform the additional steps that I mentioned for RDP. All you need is to enter the username in AzureAD\UPN format, i.e., AzureAD\username@your_tenant.onmicrosoft.com or AzureAD\username@your_verified_domain.com, at the login screen after joining to Azure AD.




Please "Accept as answer" wherever the information provided helps you to help others in the community.


0 Votes

Ahhh ok let me give this a shot and let you know. That'd be awesome if this works.


0 Votes
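The two sign-in paths discussed in this answer and its comments, as an added PowerShell example. This is not code from the thread or from Microsoft: the UPNs, the host name PC-BRANCH-01 and the contoso.com domain are placeholders. Console sign-in at the lock screen needs none of it; any user of the same tenant can already sign in as AzureAD\<UPN> on a device that is Azure AD joined. RDP needs Remote Desktop enabled, the users added to Remote Desktop Users (net.exe is used because Add-LocalGroupMember does not resolve AzureAD\ principals on every build), and, only when the connecting client is not itself joined to the same tenant, a relaxed Network Level Authentication setting.

```powershell
# Added example (not from the original thread). Run elevated on the target device.
# Assumption: placeholder UPNs and host name; replace with your own tenant's values.
$Users = @('userb@contoso.com', 'userc@contoso.com')

# 1. Confirm the device is Azure AD *joined*, not merely registered with a work
#    account. AzureAD\<UPN> sign-in only exists on joined devices.
$status = dsregcmd /status
if (-not ($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)) {
    throw 'Device is not Azure AD joined; AzureAD\UPN sign-in will not work.'
}

# 2. Enable Remote Desktop and open the built-in firewall rule group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Grant RDP to tenant users. The joining account is already a local admin and
#    can connect; everyone else needs Remote Desktop Users membership.
foreach ($upn in $Users) {
    net localgroup 'Remote Desktop Users' /add "AzureAD\$upn" | Out-Null
}
net localgroup 'Remote Desktop Users'

# 4. Only for clients that are NOT joined to the same tenant: such clients cannot
#    complete NLA with Azure AD credentials. Allowing non-NLA connections removes
#    pre-authentication protection from the RDP listener, so pair it with firewall
#    scoping to office ranges or a VPN, and skip it entirely for joined clients.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 0

#    Matching client-side .rdp file: CredSSP off, so the Azure AD prompt appears
#    on the remote logon screen instead of in the local credential dialog.
@'
full address:s:PC-BRANCH-01.contoso.com
enablecredsspsupport:i:0
authentication level:i:2
username:s:AzureAD\userb@contoso.com
'@ | Set-Content -Path "$env:USERPROFILE\Desktop\branch-pc.rdp" -Encoding ASCII
```

Hand the .rdp file to users whose laptops are not in the tenant; users on Azure AD joined clients can keep NLA on and connect with mstsc as usual, typing AzureAD\<UPN> as the username.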
0 Votes
WardAnderson-0632 answered ·

That doesn't seem to work. I tried AzureAD\user@domain.tld on this machine I just added and it's saying "Invalid password." I joined it with my global administrator account in AAD.

The steps I took were:

  1. Took a test machine of mine off the domain.

  2. Joined it to Azure AD through Settings > etc etc

  3. Switched user.

  4. Logged in with the account that I registered it with.

  5. Switched user.

  6. Tried AzureAD\OtherUser@domain.tld

No dice thus far. Maybe I'm missing some settings in AAD? I have Password Hash sync setup and password writeback as well. I feel like I'm close!


0 Votes
EnricoGiacomin-5198 answered ·

Hi Ward,

I'm looking at your request that is similar to mine.

https://docs.microsoft.com/answers/questions/10517/azure-vm-rdp-access-using-aad-user-credential.html

I hope we may find the solution.

Enrico


Yeah, similar indeed. I just have all of these remote offices we're trying to set up, and we give them Dell desktops. Instead of me buying some PowerEdges with ESXi licensing to throw some Windows DCs on, I'm trying to just stick them in Azure AD for login. It'd be soooo much easier.

1 Vote

Could you please share the output of the dsregcmd /status command?

0 Votes

Attached


[Attachment: dss.txt, dsregcmd /status output]


0 Votes
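The attached dsregcmd output is not reproduced on this page, so here is an added PowerShell example (not from the thread) that parses dsregcmd /status into key/value pairs and reports the join state the fields describe: AzureAdJoined and DomainJoined from the Device State section, WorkplaceJoined from the per-user User State section. The sample text embedded below is constructed for illustration; run the script with -Live to read the real output on a device (as the signed-in user, not elevated, so the User State section reflects that user).

```powershell
# Added example (not from the original thread): interpret dsregcmd /status.
param([switch]$Live)

# Constructed sample output, shaped like the real tool's "Key : Value" lines.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : PC-BRANCH-01

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
'@

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Keep only "Key : Value" rows; the +---+ and | header | rows do not match.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-JoinState {
    param([hashtable]$s)
    $aad = $s['AzureAdJoined']   -eq 'YES'
    $dom = $s['DomainJoined']    -eq 'YES'
    $wpj = $s['WorkplaceJoined'] -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined (on-prem domain plus Azure AD)' }
    if ($aad)           { return 'Azure AD joined: any user of the tenant can sign in as AzureAD\<UPN>' }
    if ($dom)           { return 'On-prem domain joined only; no Azure AD sign-in' }
    if ($wpj)           { return 'Azure AD registered only (work account added); not joined, so AzureAD\<UPN> sign-in is not available' }
    return 'Neither joined nor registered'
}

$lines = if ($Live) { dsregcmd /status } else { $SampleStatus -split "`r?`n" }
$state = ConvertFrom-DsregStatus $lines
'{0,-14} {1}' -f 'Device:', $state['Device Name']
'{0,-14} {1}' -f 'Join state:', (Get-JoinState $state)
```

The distinction the script draws is the one that matters for the symptom in this thread: a device that shows WorkplaceJoined : YES but AzureAdJoined : NO was registered through "Add a work or school account" rather than joined through "Join this device to Azure Active Directory", and only the joined state offers the AzureAD\<UPN> logon.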