
Commit 4a728cf

authored
Update howto-vm-sign-in-azure-ad-windows.md
1 parent bb8dd82 commit 4a728cf

File tree

1 file changed

+46
-13
lines changed


articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 46 additions & 13 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: devices
88
ms.topic: how-to
9-
ms.date: 01/05/2023
9+
ms.date: 03/27/2023
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -16,22 +16,22 @@ ms.reviewer: sandeo
1616
ms.custom: references_regions, devx-track-azurecli, subject-rbac-steps
1717
ms.collection: M365-identity-device-management
1818
---
19-
# Log in to a Windows virtual machine in Azure by using Azure AD
19+
# Log in to a Windows virtual machine in Azure by using Azure AD including passwordless
2020

2121
Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform to RDP into *Windows Server 2019 Datacenter edition* and later, or *Windows 10 1809* and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.
2222

2323
This article shows you how to create and configure a Windows VM and log in by using Azure AD-based authentication.
2424

2525
There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure. They include:
2626

27-
- Use Azure AD credentials to log in to Windows VMs in Azure. The result is federated and managed domain users.
27+
- Use Azure AD authentication including passwordless to log in to Windows VMs in Azure.
2828
- Reduce reliance on local administrator accounts.
2929
- Password complexity and password lifetime policies that you configure for Azure AD also help secure Windows VMs.
3030
- With Azure RBAC:
3131
- Specify who can log in to a VM as a regular user or with administrator privileges.
3232
- When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate.
3333
- When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.
34-
- Configure Conditional Access policies to require multifactor authentication (MFA) and other signals, such as user sign-in risk, before you can RDP into Windows VMs.
34+
- Configure Conditional Access policies to "phishing resistant MFA" using require authentication strength (preview) grant control or require multifactor authentication (MFA) and other signals, such as user sign-in risk, before you can RDP into Windows VMs.
3535
- Use Azure Policy to deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.
3636
- Use Intune to automate and scale Azure AD join with mobile device management (MDM) auto-enrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.
3737

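Review bot: the rewritten Conditional Access bullet (the `34+` line) is hard to parse: `Configure Conditional Access policies to "phishing resistant MFA" using require authentication strength (preview) grant control or require multifactor authentication (MFA) and other signals...`. Suggest: `Configure Conditional Access policies to require phishing-resistant MFA (through the authentication strength grant control, currently in preview) or to require multifactor authentication (MFA), together with other signals such as user sign-in risk, before users can RDP into Windows VMs.` Two smaller points in the same hunk: the new title `... by using Azure AD including passwordless` reads as a dangling modifier, and `..., including passwordless sign-in` would be clearer; and the unchanged bullet `Password complexity and password lifetime policies that you configure for Azure AD also help secure Windows VMs` now sits under a passwordless headline, so it would help to qualify it as applying to users who still sign in with a password.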
@@ -48,9 +48,7 @@ This feature currently supports the following Windows distributions:
4848

4949
- Windows Server 2019 Datacenter and later
5050
- Windows 10 1809 and later
51-
52-
> [!IMPORTANT]
53-
> Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.
51+
- Windows 11 21H2 and later
5452

5553
This feature is now available in the following Azure clouds:
5654

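Review bot: the supported-OS list here (`Windows 10 1809 and later`, and the new `Windows 11 21H2 and later`) now disagrees with the passwordless prerequisites added later in this same change, which require Windows 10 20H2 with KB5018410, Windows 11 with KB5018418, or Windows Server 2022 with KB5018421 on both the client and the session host. Either state that this list is the minimum for Azure AD login in general and that passwordless sign-in has stricter build and update requirements, or point to that subsection. Removing the `[!IMPORTANT]` block about Azure AD registered/joined clients is acceptable only because it reappears under the password/limited passwordless section; a one-line pointer here would stop readers who only read the prerequisites from assuming that restriction was lifted for every sign-in method.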
@@ -224,22 +222,50 @@ For more information about how to use Azure RBAC to manage access to your Azure
224222
- [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md)
225223
- [Assign Azure roles by using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)
226224

227-
## Enforce Conditional Access policies
225+
## Log in by using Azure AD credentials to a Windows VM
226+
227+
You can do this over RDP using one of two methods:
228+
1. Passwordless using any of the supported Azure AD credential (recommended)
229+
1. Password/limited passwordless using Windows Hello for Business deployed using certificate trust model
230+
231+
### Log in using passwordless authentication with Azure AD
228232

229-
You can enforce Conditional Access policies, such as multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the **Azure Windows VM Sign-In** app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require MFA as a control for granting access.
233+
To use passwordless authentication for your Windows VMs in Azure, you need the Windows client machine and the session host (VM) on the following operating systems:
234+
235+
- Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
236+
- Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
237+
- Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
238+
239+
> [!IMPORTANT]
240+
> There is no requirement for Windows client machine to be either Azure AD registered, or Azure AD joined or hybrid Azure AD joined to the *same* directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
241+
242+
To connect to the remote computer:
243+
244+
- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
245+
- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
246+
- Specify the name of the remote computer and select **Connect**.
230247

231248
> [!NOTE]
232-
> If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809.
233-
>
234-
> Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.
249+
> IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
250+
> The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device.
235251
236-
## Log in by using Azure AD credentials to a Windows VM
252+
- When prompted for credentials, specify your user name in `[email protected]` format.
253+
- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
254+
255+
> [!IMPORTANT]
256+
> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
257+
258+
> [!NOTE]
259+
> The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.
260+
261+
### Log in using password/limited passwordless authentication with Azure AD
237262

238263
> [!IMPORTANT]
239264
> Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the *same* directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.
240265
>
241266
> If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\[email protected]`). At this time, you can use Azure Bastion to log in with Azure AD authentication [via the Azure CLI and the native RDP client mstsc](../../bastion/connect-native-client-windows.md).
242267
268+
243269
To log in to your Windows Server 2019 virtual machine by using Azure AD:
244270

245271
1. Go to the overview page of the virtual machine that has been enabled with Azure AD login.
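Review bot: the new `[!IMPORTANT]` block (the `256+` line) says Conditional Access policies may be applied to `Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)`, while the rest of the article (and the moved `Enforce Conditional Access policies` section) tells readers to target the `Azure Windows VM Sign-In` app. Please state which app a policy must target for the passwordless path, and whether both need to be covered; otherwise an admin who only targets `Azure Windows VM Sign-In` may believe the web-account RDP path is covered when it is not. Wording fixes in the same hunk: `any of the supported Azure AD credential` should be `credentials`; `Password/limited passwordless` introduces the term `limited passwordless` without defining it, so add a short gloss on first use; `you need the Windows client machine and the session host (VM) on the following operating systems` should read `both the Windows client machine and the session host (VM) must run one of the following`; and `There is no requirement for Windows client machine to be either Azure AD registered, or Azure AD joined or hybrid Azure AD joined` should read `The Windows client machine doesn't need to be Azure AD registered, Azure AD joined, or hybrid Azure AD joined to the same directory as the VM.` Also confirm that the credential-format example on the `252+` line shows a real UPN placeholder in the source; it renders here as `[email protected]`, which a reader cannot use as a pattern.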
@@ -254,6 +280,13 @@ You're now logged in to the Windows Server 2019 Azure virtual machine with the r
254280
> [!NOTE]
255281
> You can save the .rdp file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.
256282
283+
## Enforce Conditional Access policies
284+
285+
You can enforce Conditional Access policies, such as "phishing resistant MFA" using require authentication strength (preview) grant contorl or multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the **Azure Windows VM Sign-In** app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or "phishing resistant MFA" using require authentication strength (preview) grant contorl or require MFA as a control for granting access.
286+
287+
> [!NOTE]
288+
> If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. This can be achieved using passwordless authentication method for RDP that satisfies the conditional access polices, however if you are using limited passwordless method for RDP then the only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809. Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.
289+
257290
## Use Azure Policy to meet standards and assess compliance
258291

259292
Use Azure Policy to:
