Create an RDP connection to a Windows VM using Azure Bastion

This article shows you how to securely and seamlessly create an RDP connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using SSH. For information, see Create an SSH connection to a Windows VM.

Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see What is Azure Bastion?

Note

Entra ID authentication for RDP connections is now available in public preview! See Microsoft Entra ID for details.

Prerequisites

Before you begin, verify that you've met the following criteria:

  • A VNet with the Bastion host already installed.

    • Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.
    • To set up an Azure Bastion host, see Create a bastion host. If you plan to configure custom port values, be sure to select the Standard SKU or higher when configuring Bastion.
  • A Windows virtual machine in the virtual network.

Required roles

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
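As an added check (not part of this article or Microsoft's own tooling), the following Azure PowerShell script reports whether a given user holds Reader, or a broader role that includes it, on each of the four resources listed above, including roles granted through group membership. Resource and user names are placeholders, and the Az.Compute, Az.Network and Az.Resources modules are assumed to be installed and signed in.

```powershell
# Added example: verify the RBAC prerequisites for connecting through Bastion.
# All names below are placeholders; replace them with your own resources.
$user        = "alice@contoso.com"
$vmRg        = "rg-workload-example"
$vmName      = "vm-win11-example"
$bastionRg   = "rg-hub-example"
$bastionName = "bastion-hub-example"

$vm  = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
# The VNet resource id is the subnet id with the trailing "/subnets/<name>" removed.
$vnetId  = ($nic.IpConfigurations[0].Subnet.Id -split "/subnets/")[0]
$bastion = Get-AzBastion -ResourceGroupName $bastionRg -Name $bastionName

$scopes = [ordered]@{
    "Virtual machine" = $vm.Id
    "NIC"             = $nic.Id
    "Bastion host"    = $bastion.Id
    "Virtual network" = $vnetId
}
# Roles that grant at least read access at a scope.
$readRoles = @("Reader", "Contributor", "Owner")

foreach ($entry in $scopes.GetEnumerator()) {
    # -ExpandPrincipalGroups also counts roles the user receives via groups.
    $granted = Get-AzRoleAssignment -SignInName $user -Scope $entry.Value -ExpandPrincipalGroups |
        Where-Object { $_.RoleDefinitionName -in $readRoles }
    $status = if ($granted) { "OK ({0})" -f ($granted.RoleDefinitionName -join ", ") } else { "MISSING Reader" }
    "{0,-16} {1}" -f $entry.Key, $status
}
```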

Microsoft Entra ID authentication (Preview)

Note

Microsoft Entra ID Authentication support for RDP connections within the portal is only supported for Windows VMs. For SSH connections to Linux VMs, see Connect to a Linux VM using SSH.

If the following prerequisites are met, Microsoft Entra ID becomes the default option to connect to your VM. If any prerequisite is not met, Microsoft Entra ID will not be presented as a Connection Method. To learn more about Entra ID authentication for Azure machines, see Enable Microsoft Entra sign in for a Windows virtual machine in Azure or Arc-enabled Windows Server.

Prerequisites:

  • AADLoginForWindows extension should be enabled on the VM. Microsoft Entra ID Login can be enabled during VM creation by checking the box for Login with Microsoft Entra ID or by adding the AADLogin extension to a pre-existing VM.

  • One of the following required roles should be configured on the VM for the user:

    • Virtual Machine Administrator Login: This role is necessary if you want to sign in with administrator privileges.
    • Virtual Machine User Login: This role is necessary if you want to sign in with regular user privileges.
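The following Azure PowerShell script is an added example (not from this article) that applies both prerequisites to an existing VM: it installs the AADLoginForWindows extension and assigns one user the Virtual Machine User Login role at VM scope, then verifies both. Resource names and the user are placeholders; the script assumes the Az.Compute and Az.Resources modules, and that the VM needs a system-assigned managed identity for the extension, which is a requirement of the linked Entra sign-in guide rather than something this article states.

```powershell
# Added example: enable Entra ID sign-in on an existing Windows VM and grant
# the least-privileged login role. Names below are placeholders.
$rg     = "rg-workload-example"
$vmName = "vm-win11-example"
$user   = "alice@contoso.com"
# Use "Virtual Machine Administrator Login" only when admin rights are actually needed.
$role   = "Virtual Machine User Login"

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Assumption: the extension requires a system-assigned managed identity on the VM.
if (-not $vm.Identity -or $vm.Identity.Type -notmatch "SystemAssigned") {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
}

# Install (or re-apply) the AADLoginForWindows extension.
# TypeHandlerVersion is the assumed current major version; check it for your tenant.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name "AADLoginForWindows" -Publisher "Microsoft.Azure.ActiveDirectory" `
    -ExtensionType "AADLoginForWindows" -TypeHandlerVersion "2.0" | Out-Null

# Assign the login role at VM scope only if the user does not already hold it.
$existing = Get-AzRoleAssignment -SignInName $user -RoleDefinitionName $role -Scope $vm.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $user -RoleDefinitionName $role -Scope $vm.Id | Out-Null
}

# Verify: both must hold before "Microsoft Entra ID" is offered as a connection method.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "AADLoginForWindows"
[pscustomobject]@{
    ExtensionState = $ext.ProvisioningState
    Role           = $role
    RoleAssigned   = [bool](Get-AzRoleAssignment -SignInName $user -RoleDefinitionName $role -Scope $vm.Id)
}
```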

Use the following steps to authenticate using Microsoft Entra ID.

  1. To authenticate using Microsoft Entra ID, configure the following settings.

    Setting               Description
    Connection Settings   Only available for SKUs higher than the Basic SKU.
    Protocol              Select RDP.
    Port                  Specify the port number.
    Authentication type   Select Microsoft Entra ID (Preview) from the dropdown.
  2. To work with the VM in a new browser tab, select Open in new browser tab.

  3. Click Connect to connect to the VM.

Limitations

  • RDP + Entra ID authentication support in the portal cannot be used concurrently with graphical session recording.

Ports

To connect to the Windows VM, you must have the following ports open on your Windows VM:

  • Inbound port: RDP (3389) or
  • Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)

Note

If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU or higher. The Basic SKU does not allow you to specify custom ports.
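Opening the RDP port does not mean opening it to the internet: since Bastion is the only party that needs to reach it, the VM's network security group should allow the port only from the AzureBastionSubnet. The following Azure PowerShell script is an added example (not from this article) that flags any existing inbound rule exposing the RDP port to "*" or "Internet", then adds the corrected allow-from-Bastion and deny-from-Internet rules. Resource names are placeholders and the Az.Network module is assumed; $rdpPort can be 3389 or the custom port chosen with a Standard SKU or higher.

```powershell
# Added example: restrict inbound RDP on the VM's NSG to the Bastion subnet.
# Names below are placeholders; replace them with your own resources.
$vnetRg   = "rg-hub-example"
$vnetName = "vnet-hub-example"
$nsgRg    = "rg-workload-example"
$nsgName  = "nsg-vm-win11-example"
$rdpPort  = 3389   # or the custom port configured on the VM

$vnet       = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
# The Bastion host always lives in a subnet named AzureBastionSubnet.
$bastionNet = (Get-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -VirtualNetwork $vnet).AddressPrefix
$nsg        = Get-AzNetworkSecurityGroup -ResourceGroupName $nsgRg -Name $nsgName

# Check: warn about rules that already let the RDP port in from anywhere.
# (Exact-port match only; port ranges such as "3000-4000" are not parsed here.)
$nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    ($_.SourceAddressPrefix -contains "*" -or $_.SourceAddressPrefix -contains "Internet") -and
    ($_.DestinationPortRange -contains "*" -or $_.DestinationPortRange -contains "$rdpPort")
} | ForEach-Object {
    Write-Warning ("Rule '{0}' exposes port {1} to {2}" -f $_.Name, $rdpPort, ($_.SourceAddressPrefix -join ","))
}

# Corrected rules: allow the port from the Bastion subnet, deny it from the Internet.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowRdpFromBastion" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionNet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange $rdpPort | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "DenyRdpFromInternet" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange $rdpPort | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

The explicit deny is belt-and-braces: the default NSG rules already block inbound traffic from the Internet, but a lower-priority allow rule added later would otherwise silently reopen the port.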

Rights on target VM

When a user connects to a Windows VM via RDP, they must have rights on the target VM. If the user isn't a local administrator, add the user to the Remote Desktop Users group on the target VM.

See the Azure Bastion FAQ for additional requirements.

Connect

  1. In the Azure portal, go to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown to open the Bastion page. You can also select Bastion from the left pane.

    Screenshot of Connect.

  2. On the Bastion page, enter the required authentication credentials, then click Connect. If you configured your bastion host using the Standard SKU, you'll see additional credential options on this page. If your VM is domain-joined, you must use the following format: username@domain.com.

    Screenshot of Connect button.

  3. When you click Connect, the RDP connection to this virtual machine via Bastion will open in your browser (over HTML5) using port 443 and the Bastion service. The following example shows a connection to a Windows 11 virtual machine in a new browser tab. The page you see depends on the VM you're connecting to.

    Screenshot of connecting to a Windows 11 VM.

    When working with the VM, using keyboard shortcut keys may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

Next steps

Read the Bastion FAQ for more connection information.