RDP to IP address for Entra joined Windows 11 computer

To RDP to a Win11 computer using an Entra ID (i.e. Azure AD, AAD), the official requirement is to select the Advanced tab in the remote desktop client and tick the option for “Use a web account to sign in to the remote computer”.

This mechanism uses Edge to perform web authentication for the user before the remote desktop client will connect. Unfortunately this leaks account information into the browser, can confuse users who sign in to several Microsoft accounts, and worries users who see their personal and work accounts offered in the same prompt. It also requires that the remote computer be referenced by name rather than IP address, which can be difficult over some VPNs.

To work around these restrictions (in test environments) it is necessary to:

  1. Disable Network Level Authentication (NLA) on the remote computer (not recommended for businesses)
  2. Save the RDP connection file, then edit it in a text editor to add:
    enablecredsspsupport:i:0
  3. In the RDP file save the username in the format:
    username:s:.\AzureAD\Username
    (note the preceding .\ characters)
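
The three edits above, as an added PowerShell example that is not part of the original post: one function applies the settings to an .rdp file that mstsc has already saved, and a second reports whether the RDP-Tcp listener on a host still requires NLA, so step 1 can be verified rather than assumed. The file path, IP address and user name in the usage lines are constructed values.

```powershell
# Added example (not from the original post). Assumes an .rdp file saved by mstsc,
# i.e. one "name:type:value" setting per line.
function Set-RdpIpWorkaround {
    param(
        [Parameter(Mandatory)] [string] $Path,        # existing .rdp file saved from mstsc
        [Parameter(Mandatory)] [string] $IPAddress,   # remote computer referenced by IP, not name
        [Parameter(Mandatory)] [string] $Username     # Entra ID user, e.g. alice@contoso.com (constructed)
    )
    # The settings the post describes, keyed by "name:type" exactly as they appear in the file.
    $wanted = [ordered]@{
        'full address:s'         = $IPAddress
        'enablecredsspsupport:i' = '0'                    # do not use CredSSP/NLA from the client side
        'username:s'             = ".\AzureAD\$Username"  # note the leading .\
    }
    $out = [System.Collections.Generic.List[string]]::new()
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $replaced = $false
        foreach ($key in $wanted.Keys) {
            if ($line.StartsWith("${key}:", [System.StringComparison]::OrdinalIgnoreCase)) {
                $out.Add("${key}:$($wanted[$key])")   # overwrite an existing setting in place
                $replaced = $true
                break
            }
        }
        if (-not $replaced) { $out.Add($line) }       # every other line is kept untouched
    }
    foreach ($key in $wanted.Keys) {                   # append settings the file did not have yet
        if (-not ($out | Where-Object { $_.StartsWith("${key}:", [System.StringComparison]::OrdinalIgnoreCase) })) {
            $out.Add("${key}:$($wanted[$key])")
        }
    }
    Set-Content -LiteralPath $Path -Value $out -Encoding Unicode   # mstsc reads UTF-16 .rdp files
}

function Get-NlaRequired {
    # Returns $true while the RDP-Tcp listener still requires NLA (step 1 not applied).
    param([string] $ComputerName = $env:COMPUTERNAME)
    $ts = Get-CimInstance -ComputerName $ComputerName -Namespace 'root/CIMV2/TerminalServices' `
          -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    return [bool] $ts.UserAuthenticationRequired
}

# Usage with constructed values:
# Set-RdpIpWorkaround -Path 'C:\Users\me\Desktop\lab.rdp' -IPAddress '10.0.0.25' -Username 'alice@contoso.com'
# Get-NlaRequired -ComputerName '10.0.0.25'
```

Get-NlaRequired reaches the remote host over WinRM, so it needs an account that is already allowed to query CIM on that machine.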

Remember: never expose your remote desktop connections to the Internet, always use a VPN!
