articles/active-directory-domain-services/secure-remote-vm-access.md
Lines changed: 9 additions & 9 deletions
@@ -9,13 +9,13 @@ ms.service: active-directory
ms.subservice: domain-services
ms.workload: identity
ms.topic: how-to
-
ms.date: 09/23/2023
+
ms.date: 09/21/2023
ms.author: justinha
---
# Secure remote access to virtual machines in Microsoft Entra Domain Services
-
To secure remote access to virtual machines (VMs) that run in a Microsoft Entra Domain Services managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Domain Services authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Microsoft Entra multifactor authentication to provide an additional authentication prompt during sign-in events. Microsoft Entra multifactor authentication uses an extension for NPS to provide this feature.
+
To secure remote access to virtual machines (VMs) that run in a Microsoft Entra Domain Services managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Domain Services authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Microsoft Entra multifactor authentication to provide another authentication prompt during sign-in events. Microsoft Entra multifactor authentication uses an extension for NPS to provide this feature.
> [!IMPORTANT]
> The recommended way to securely connect to your VMs in a Domain Services managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389.
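Review bot: the ms.date change on line 12 moves the date backwards, from 09/23/2023 to 09/21/2023; an edit that touches the article body normally sets ms.date to the date of the change, so confirm the new value is intended rather than a typo. The "additional" to "another" substitution in the intro paragraph reads fine.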
@@ -44,7 +44,7 @@ To complete this article, you need the following resources:
## Deploy and configure the Remote Desktop environment
-
To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance additional hosts later.
+
To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance hosts later.
A suggested RDS deployment includes the following two VMs:
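Review bot: dropping "additional" from "add and load balance additional hosts later" loses the point that these are hosts beyond the initial two VMs; "add and load balance more hosts later" keeps that meaning while still avoiding the flagged word.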
@@ -66,15 +66,15 @@ With RD deployed into the managed domain, you can manage and use the service as
## Deploy and configure NPS and the Microsoft Entra multifactor authentication NPS extension
-
If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Microsoft Entra multifactor authentication. With this configuration, users receive an additional prompt during sign-in to confirm their identity.
+
If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Microsoft Entra multifactor authentication. With this configuration, users receive another prompt during sign-in to confirm their identity.
-
To provide this capability, an additional Network Policy Server (NPS) is installed in your environment along with the Microsoft Entra multifactor authentication NPS extension. This extension integrates with Microsoft Entra ID to request and return the status of multifactor authentication prompts.
+
To provide this capability, a Network Policy Server (NPS) is installed in your environment along with the Microsoft Entra multifactor authentication NPS extension. This extension integrates with Microsoft Entra ID to request and return the status of multifactor authentication prompts.
-
Users must be [registered to use Microsoft Entra multifactor authentication][user-mfa-registration], which may require additional Microsoft Entra ID licenses.
+
Users must be [registered to use Microsoft Entra multifactor authentication][user-mfa-registration], which may require other Microsoft Entra ID licenses.
To integrate Microsoft Entra multifactor authentication in to your Remote Desktop environment, create an NPS Server and install the extension:
-
1. Create an additional Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Domain Services virtual network. Join the VM to the managed domain.
+
1. Create another Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Domain Services virtual network. Join the VM to the managed domain.
1. Sign in to NPS VM as account that's part of the *Microsoft Entra DC Administrators* group, such as *contosoadmin*.
1. From **Server Manager**, select **Add Roles and Features**, then install the *Network Policy and Access Services* role.
1. Use the existing how-to article to [install and configure the Microsoft Entra multifactor authentication NPS extension][nps-extension].
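Review bot: "which may require other Microsoft Entra ID licenses" changes the meaning of the original "additional ... licenses": the point is that MFA registration can need licenses beyond what the tenant already holds, not different ones. Suggest "which may require more Microsoft Entra ID licenses" or "extra Microsoft Entra ID licenses". The other two substitutions in this hunk ("a Network Policy Server (NPS) is installed", "Create another Windows Server 2016 or 2019 VM") read correctly.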
@@ -87,7 +87,7 @@ With the NPS server and Microsoft Entra multifactor authentication NPS extension
To integrate the Microsoft Entra multifactor authentication NPS extension, use the existing how-to article to [integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Microsoft Entra ID][azure-mfa-nps-integration].
-
The following additional configuration options are needed to integrate with a managed domain:
+
The following configuration options are needed to integrate with a managed domain:
1. Don't [register the NPS server in Active Directory][register-nps-ad]. This step fails in a managed domain.
1. In [step 4 to configure network policy][create-nps-policy], also check the box to **Ignore user account dial-in properties**.
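Review bot: with "additional" removed, "The following configuration options are needed to integrate with a managed domain" no longer signals that these steps come on top of the linked NPS integration how-to; "The following configuration options are also needed" or "The following extra configuration options" would keep that relationship clear for the reader.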
@@ -97,7 +97,7 @@ The following additional configuration options are needed to integrate with a ma
sc sidtype IAS unrestricted
```
-
Users are now prompted for an additional authentication factor when they sign in, such as a text message or prompt in the Microsoft Authenticator app.
+
Users are now prompted for another authentication factor when they sign in, such as a text message or prompt in the Microsoft Authenticator app.