cloudflare · ranbel · Jul 28, 2025 · Jul 25, 2025 · Jul 25, 2025 · Jul 28, 2025
@@ -13,8 +13,8 @@ import { Render, GlossaryTooltip, Details  } from "~/components"
 Users can connect to an RDP server without installing an RDP client or the [WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device. Browser-based RDP leverages [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/), which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the `cloudflared` daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.
 
 There are two ways for users to [reach the RDP server in their browser](#4-connect-as-a-user):
-- **App Launcher**: Users can log in to the [Access App Launcher](/cloudflare-one/applications/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server.
-- **Direct URL**: A user may also navigate directly to the Windows server at `https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>`. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine.
+- **App Launcher (recommended)**: Users can log in to the [Access App Launcher](/cloudflare-one/applications/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server.
+- **Direct URL**: A user may also navigate directly to the Windows server at `https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>`, where `vnet-id` is the <GlossaryTooltip term="Virtual network">virtual network</GlossaryTooltip> assigned to the Cloudflare Tunnel route. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine.
 
 Browser-based RDP can be used in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.
 
@@ -143,9 +143,15 @@ To connect to a Windows machine over RDP:
 3. Select the target you want to connect to.
 
 	The App Launcher tile will launch a URL of the form `https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>`. You may also navigate directly to this URL.
+
+	:::note[Virtual network ID]
+	`vnet-id` refers to the [virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) (VNET) that the RDP target is assigned to in your Cloudflare Tunnel configuration. If you did not specify a VNET when routing the target through Cloudflare Tunnel, the target is automatically added to the default VNET.
+
+	To fetch a list of all VNETs and their IDs, make a `GET` request to the [List Virtual Networks](/api/resources/zero_trust/subresources/networks/subresources/virtual_networks/methods/list/) endpoint. The default VNET will have the parameter `"is_default_network": true`.
+	:::
 4. Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port `3389` and port `65321`).
 5. (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard permissions grant the ability to copy or paste text between the local machine and the remote Windows machine.
-6. Enter your Windows username and password. For more information on supported login credentials, refer to [User identifier formats](#user-identifier-formats).
+6. Enter your Windows username and password. For more information on how to format your username, refer to [User identifier formats](#user-identifier-formats).
 
 You now have access to the remote Windows desktop.
 
@@ -175,6 +181,10 @@ Browser-based RDP supports connecting to Windows machines that run the following
 | Other Chromium-based browsers (Opera, Brave) | ✅            |
 | Internet Explorer 11 and below               | ❌            |
 
+### Powershell
+
+Run Powershell 7 or higher to mitigate a prior Microsoft issue where keystrokes are not recorded.
+
 ### User identifier formats
 
 Browser-based RDP supports connecting to Windows machines using the following login credentials:
@@ -210,6 +220,16 @@ Examples:
 Cloudflare will not configure user identifiers on the RDP target. Any user identifier used to authenticate must be pre-configured on the server.
 :::
 
+#### Microsoft Entra ID
+
+User identifiers that are bound to Microsoft Entra ID domains must enter their username as `AzureAD\[email protected]` or `AzureAD\user`. The `AzureAD\` prefix is case-insensitive.
+
+The login flow differs slightly when using an Microsoft Entra ID-bound username:
+
+1. Enter your username in one of the formats outlined above.
+2. Once the username is entered, the password box will disappear and the RDP connection will initiate.
+3. The RDP server will then prompt for the password before granting access to the RDP server.
+
 ### Cloudflare products
 
  <Render file="access/self-hosted-app/product-compatibility" product="cloudflare-one" />
@@ -219,5 +239,6 @@ Cloudflare will not configure user identifiers on the RDP target. Any user ident
 - **TLS certificate verification**: Cloudflare uses TLS to connect to the RDP target but does not verify the origin TLS certificate.
 - **WARP authentication**: Since browser-based RDP traffic does not go through the WARP client, users cannot use their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/#configure-warp-sessions-in-access) to authenticate.
 - **Audio over RDP**: Users cannot use their microphone and speaker to interact with the remote machine.
+- **Clipboard size limit**: Data copied between the local machine and the browser-based RDP session may not exceed 500 KB.
 - **Clipboard controls**: Admins do not have the ability to restrict copy/paste actions between the remote machine and the user's local clipboard.
 - **File transfers**: Users cannot copy/paste files from their local machine to the remote machine and vice versa.