To secure remote access to virtual machines (VMs) that run in a Microsoft Entra Domain Services managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Domain Services authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Microsoft Entra multifactor authentication to provide another authentication prompt during sign-in events. Microsoft Entra multifactor authentication uses an extension for NPS to provide this feature.
Important
The recommended way to securely connect to your VMs in a Domain Services managed domain is Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over TLS on port 443. When you connect through a bastion host, your VMs don't need a public IP address, and you don't need a network security group rule that exposes RDP on TCP port 3389.
We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions where Azure Bastion isn't yet available, follow the steps in this article until it is. Avoid assigning public IP addresses to VMs joined to Domain Services, and never combine a public IP address with a network security group rule that allows inbound RDP from any source.
For more information, see What is Azure Bastion?.
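The check a practitioner would want before following the rest of this article is whether any VM already has the combination the note above warns about: a public IP address plus an NSG rule that allows RDP from the Internet. The following PowerShell audit is an added example, not code from the original article. It assumes the Az.Network module and an existing `Connect-AzAccount` session; the resource group name is a placeholder, and the audit ignores rule priority, so a higher-priority Deny rule could make a flagged rule harmless (treat findings as leads, not verdicts).

```powershell
# Added example (not part of the original article): list VMs in a resource group
# that have a public IP address AND an NSG rule allowing inbound TCP 3389 from
# any source. Assumes Az.Network and an existing Connect-AzAccount session.
param(
    [string]$ResourceGroupName = 'rg-aadds-workloads'   # hypothetical name
)

# Source prefixes that mean "anyone on the Internet".
$openSources = @('*', 'Internet', '0.0.0.0/0', 'Any')

function Test-RdpPortRange {
    # DestinationPortRange entries look like '*', '3389' or '3000-4000'.
    param([string[]]$Ranges)
    foreach ($r in $Ranges) {
        if ($r -eq '*' -or $r -eq '3389') { return $true }
        if ($r -match '^(\d+)-(\d+)$' -and
            [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389) { return $true }
    }
    return $false
}

function Get-NsgById {
    # ARM ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/<name>
    param([string]$Id)
    $parts = $Id -split '/'
    Get-AzNetworkSecurityGroup -ResourceGroupName $parts[4] -Name $parts[-1]
}

function Get-OpenRdpRules {
    param($Nsg)
    # Custom rules only; the default rules never allow Internet -> 3389.
    $Nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.Protocol -in @('Tcp', '*')) -and
        (Test-RdpPortRange $_.DestinationPortRange) -and
        (@($_.SourceAddressPrefix | Where-Object { $_ -in $openSources }).Count -gt 0)
    }
}

# Map each NIC IP configuration ID to its public IP address, if one is attached.
$publicIpByConfig = @{}
foreach ($pip in Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName) {
    if ($pip.IpConfiguration) { $publicIpByConfig[$pip.IpConfiguration.Id] = $pip.IpAddress }
}

$findings = @()
foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
    foreach ($cfg in $nic.IpConfigurations) {
        $pipAddress = $publicIpByConfig[$cfg.Id]
        if (-not $pipAddress) { continue }   # no public IP: nothing to expose

        # RDP can be allowed by the NSG on the NIC or by the NSG on the subnet.
        $nsgIds = @()
        if ($nic.NetworkSecurityGroup) { $nsgIds += $nic.NetworkSecurityGroup.Id }
        $subnet = Get-AzVirtualNetworkSubnetConfig -ResourceId $cfg.Subnet.Id
        if ($subnet.NetworkSecurityGroup) { $nsgIds += $subnet.NetworkSecurityGroup.Id }

        foreach ($nsgId in $nsgIds | Select-Object -Unique) {
            $nsg = Get-NsgById $nsgId
            foreach ($rule in Get-OpenRdpRules $nsg) {
                $findings += [pscustomobject]@{
                    Nic      = $nic.Name
                    PublicIp = $pipAddress
                    Nsg      = $nsg.Name
                    Rule     = $rule.Name
                    Priority = $rule.Priority
                    Source   = ($rule.SourceAddressPrefix -join ',')
                }
            }
        }
    }
}

if ($findings) {
    Write-Warning "RDP is reachable from the Internet on $($findings.Count) rule(s):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No VM in $ResourceGroupName combines a public IP with an open RDP rule."
}
```

Run it once before deployment and again after, so that nothing in the steps below leaves port 3389 open to the Internet on a domain-joined host.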
This article shows you how to configure RDS in Domain Services and optionally use the Microsoft Entra multifactor authentication NPS extension.
To complete this article, you need the following resources:
- An active Azure subscription.
- If you don't have an Azure subscription, create an account.
- A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant.
- A workloads subnet created in your Microsoft Entra Domain Services virtual network.
- A user account that's a member of the AAD DC Administrators group in your Microsoft Entra tenant.
To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance hosts later.
A suggested RDS deployment includes the following two VMs:
- RDGVM01 - Runs the RD Connection Broker server, RD Web Access server, and RD Gateway server.
- RDSHVM01 - Runs the RD Session Host server.
Make sure that the VMs are deployed into a workloads subnet of your Domain Services virtual network, then join the VMs to the managed domain. For more information, see how to create and join a Windows Server VM to a managed domain.
The RD environment deployment involves a number of steps. You can follow the existing RD deployment guide in a managed domain without changes, apart from the licensing mode noted below:
- Sign in to VMs created for the RD environment with an account that's part of the AAD DC Administrators group, such as contosoadmin.
- To create and configure RDS, use the existing Remote Desktop environment deployment guide. Distribute the RD server components across your Azure VMs as desired.
- Specific to Domain Services - when you configure RD licensing, set it to Per Device mode, not the Per User mode noted in the deployment guide. Per User licensing requires the RD Licensing server to update attributes on user objects in the domain, which a managed domain doesn't allow because those objects are synchronized from Microsoft Entra ID.
- If you want to provide access using a web browser, set up the Remote Desktop web client for your users.
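The steps above, carried out as one script with the RemoteDesktop PowerShell module, as an added example that is not part of the original article or the linked deployment guide. It assumes the two hosts named earlier (RDGVM01 and RDSHVM01), that you run it on RDGVM01 as a member of AAD DC Administrators with WinRM available to RDSHVM01, and placeholder names for the managed domain (contoso.com) and the gateway's external name (rds.contoso.com). The check at the end is the one that matters for a managed domain: the licensing mode must read PerDevice.

```powershell
# Added example (not from the original article): deploy the suggested two-VM
# RDS environment in a Domain Services managed domain. Run on RDGVM01 as a
# member of AAD DC Administrators. Domain and gateway names are placeholders.
$domain              = 'contoso.com'          # hypothetical managed domain
$broker              = "RDGVM01.$domain"      # RD Connection Broker, Web Access, Gateway
$sessionHost         = "RDSHVM01.$domain"     # RD Session Host
$gatewayExternalFqdn = 'rds.contoso.com'      # hypothetical public name of the gateway

Import-Module RemoteDesktop

# Both VMs must already be joined to the managed domain; stop early if not.
foreach ($h in @($broker, $sessionHost)) {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $h
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $domain) {
        throw "$h is not joined to $domain; join it to the managed domain first"
    }
}

# 1. Session-based deployment: Connection Broker + Web Access on RDGVM01,
#    Session Host on RDSHVM01 (the guide's standard deployment, unchanged).
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker -SessionHost $sessionHost

# 2. RD Gateway on RDGVM01. Clients reach the gateway over HTTPS (TCP 443);
#    RDP on 3389 stays inside the virtual network.
Add-RDServer -Server $broker -Role RDS-GATEWAY -ConnectionBroker $broker `
             -GatewayExternalFqdn $gatewayExternalFqdn

# 3. Licensing. This is the one Domain Services-specific change: Per Device,
#    not the Per User mode the generic deployment guide uses.
Add-RDServer -Server $broker -Role RDS-LICENSING -ConnectionBroker $broker
Set-RDLicenseConfiguration -Mode PerDevice -LicenseServer $broker -ConnectionBroker $broker -Force

# 4. A session collection users can sign in to through Web Access or the web client.
New-RDSessionCollection -CollectionName 'Desktops' -SessionHost $sessionHost -ConnectionBroker $broker

# Verify the managed-domain requirement and list the roles that were deployed.
$lic = Get-RDLicenseConfiguration -ConnectionBroker $broker
if ($lic.Mode -ne 'PerDevice') {
    throw "Licensing mode is $($lic.Mode); Domain Services requires PerDevice"
}
Get-RDServer -ConnectionBroker $broker | Format-Table Server, Roles -AutoSize
```

If you later add Session Hosts for redundancy, `Add-RDServer -Role RDS-RD-SERVER` followed by `Add-RDSessionHost -CollectionName 'Desktops'` extends the same collection; the licensing mode set here applies to the whole deployment and doesn't need to be repeated per host.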
With RD deployed into the managed domain, you can manage and use the service as you would with an on-premises AD DS domain.
For more information on improving resiliency of your deployment, see Remote Desktop Services - High availability.
For more information about securing user sign-in, see How it works: Microsoft Entra multifactor authentication.