Sign Into On-Prem Windows Server with Entra ID Using Azure Arc

Moving toward a cloud-native identity model no longer means leaving your on-premises servers behind.

In this video, I walk through how to sign into a Windows Server 2025 machine that lives on-prem using Microsoft Entra ID, powered by Azure Arc. This approach removes the need for a traditional Active Directory domain to enable remote access, and instead uses Entra authentication with Azure RBAC for secure, centralized control.

Why This Matters

For years, managing authentication for Windows servers outside of Azure required Active Directory. Even organizations embracing cloud identity often kept AD around just to support on-prem workloads.

That model is changing.

With Azure Arc, you can extend Azure management and identity capabilities to your on-prem servers. By combining Azure Arc with Entra ID and RBAC, authentication shifts from domain-based to cloud-based identity. This enables a more modern, flexible approach to access control without requiring domain join.

How It Works

The process starts by bringing your Windows Server into Azure through Azure Arc. Once connected, the server becomes a managed resource in Azure, similar to a virtual machine running in the cloud.

From there, the Microsoft Entra-based Windows Server Login extension is installed. This is what enables Entra ID authentication and registers the server with your tenant. After that, authentication flows through Entra instead of Active Directory, and access is enforced using Azure RBAC roles.

The result is a cloud-first authentication model applied to an on-prem Windows system.

Key Requirements to Keep in Mind

Connecting to on-prem resources on Azure Arc-enabled machines is currently supported on Windows Server 2025 with Desktop Experience and on Windows 11 24H2 or newer computers. It also relies on outbound connectivity over ports 80 and 443 to reach Azure and Entra services.

DNS plays an important role as well. Since authentication maps to the device identity, connections must use the hostname instead of an IP address. Proper name resolution is required for sign-in to work correctly.

Another important consideration is identity. You can use cloud-native Entra accounts or hybrid identities synced from Active Directory. However, B2B guest users are not supported for this type of login.

Access is controlled through Azure RBAC, which requires explicit role assignments. The Virtual Machine User Login role provides standard access, while the Virtual Machine Administrator Login role grants admin rights. These assignments are required even if broader permissions such as Owner are already in place.
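The Azure-side part of this setup, the extension install described under How It Works and the per-machine role assignments described above, can be scripted with the Az PowerShell modules. The script below is an added example and is not code from the original post or from Microsoft; it assumes the Az.Accounts, Az.ConnectedMachine and Az.Resources modules are installed, that Connect-AzAccount has already been run, and that the resource group, machine name, region and user principal names (all placeholders) are replaced with your own. The extension name, publisher and type follow Microsoft's documented values for the Entra login extension; confirm them against the current Arc documentation before use.

```powershell
# Added example, not from the original post: Azure-side configuration for
# Entra ID sign-in to an Arc-enabled Windows Server.
# Assumes Az.Accounts, Az.ConnectedMachine and Az.Resources are installed
# and Connect-AzAccount has already been run. All names below are placeholders.

$resourceGroup = 'rg-arc-servers'      # placeholder: resource group of the Arc machine
$machineName   = 'srv-onprem-01'       # placeholder: Arc-enabled machine resource name
$location      = 'eastus'              # placeholder: region of the Arc resource
$adminUpn      = 'alice@contoso.com'   # placeholder: gets administrator login
$userUpn       = 'bob@contoso.com'     # placeholder: gets standard user login

# 1. Install the Microsoft Entra login extension on the Arc-enabled machine.
#    This registers the server with the tenant and enables Entra authentication.
#    Publisher and type are Microsoft's documented values for this extension.
New-AzConnectedMachineExtension -ResourceGroupName $resourceGroup `
    -MachineName $machineName -Name 'AADLoginForWindows' -Location $location `
    -Publisher 'Microsoft.Azure.ActiveDirectory' -ExtensionType 'AADLoginForWindows'

# 2. Scope the login roles to this one machine (Microsoft.HybridCompute/machines),
#    not to the subscription, so a login grant on one server is not a grant everywhere.
$machine = Get-AzConnectedMachine -ResourceGroupName $resourceGroup -Name $machineName
$scope   = $machine.Id

New-AzRoleAssignment -SignInName $adminUpn -Scope $scope `
    -RoleDefinitionName 'Virtual Machine Administrator Login'
New-AzRoleAssignment -SignInName $userUpn -Scope $scope `
    -RoleDefinitionName 'Virtual Machine User Login'

# 3. Verify. Owner or Contributor on the resource does not grant sign-in;
#    only the two *Login roles do, so list exactly those at this scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Virtual Machine * Login' |
    Select-Object SignInName, RoleDefinitionName, Scope
```

Assigning the roles at the machine scope rather than at the resource group or subscription keeps the blast radius of a compromised account to the servers it actually needs, which is the least-privilege point the portal walkthrough in the video makes visually.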

Video Overview

The video walks through the full configuration process in Azure and on the server.

Enable the Microsoft Entra Sign-in Extension

First, the Entra login extension is added to the Arc-enabled Windows Server. This enables Entra authentication and joins the system to the tenant.

Next, the configuration is validated directly on the server to confirm it is Entra joined and ready for authentication.

Enable Remote Connections

Remote desktop access is then enabled to allow RDP connections. Without this step, remote sign-in would not be possible.

Verify the PKU2U Policy Setting

After that, the necessary security policy settings are reviewed to ensure Entra authentication can function correctly during the login process.

Set RBAC Roles

RBAC roles are then assigned through the Azure portal. One account is granted administrator access, while another is configured with standard user permissions. This demonstrates how access is controlled entirely through Azure roles rather than local group membership.

Configure DNS

DNS configuration is addressed next. In the demo environment, the hosts file is updated to resolve the server name to its IP address. This allows connections to be made using the hostname, which is required for Entra authentication.

Sign In with Entra ID Authentication

Finally, the connection is tested using the RDP client. The web account sign-in option is selected, which launches a browser-based authentication experience tied to Entra ID. The demo shows logging in as both an administrator and a standard user, highlighting how RBAC determines the level of access after sign-in.
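The server- and client-side steps of the walkthrough above (validating the join, enabling RDP, the PKU2U policy, name resolution and the RDP connection) can be checked and applied from PowerShell. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the Windows Server 2025 machine for the server section and on the Windows 11 client for the client section, and the server name and IP address are placeholders. The PKU2U registry location and the enablerdsaadauth RDP property are Microsoft's documented settings for this feature.

```powershell
# Added example, not from the original post. Server name and IP are placeholders.
$serverName = 'srv-onprem-01'   # placeholder: must match the device identity in Entra
$serverIp   = '10.10.0.25'      # placeholder: on-prem address of the server

# ---------------- Run on the server (elevated) ----------------

# 1. Confirm the device is Microsoft Entra joined after the extension install.
$status = dsregcmd /status
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    Write-Host 'Device is Microsoft Entra joined.'
} else {
    throw 'Device is not Entra joined yet; check the login extension installation.'
}

# 2. Enable Remote Desktop and open the built-in firewall rule group for it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Security policy "Network security: Allow PKU2U authentication requests to this
#    computer to use online identities" must be enabled. Its backing registry value
#    is AllowOnlineID under the Lsa\pku2u key; 1 = enabled.
$pku2uKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
if (-not (Test-Path $pku2uKey)) { New-Item -Path $pku2uKey -Force | Out-Null }
Set-ItemProperty -Path $pku2uKey -Name 'AllowOnlineID' -Type DWord -Value 1
$allowOnlineId = (Get-ItemProperty -Path $pku2uKey -Name 'AllowOnlineID').AllowOnlineID
if ($allowOnlineId -ne 1) { throw 'PKU2U online identities are still disabled.' }

# ---------------- Run on the client (elevated) ----------------

# 4. Name resolution: the RDP client must connect by hostname, never by IP address,
#    because authentication maps to the device identity. The demo uses a hosts
#    file entry; in production, publish the record in DNS instead.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = "\s$([regex]::Escape($serverName))\s*$"
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$serverIp`t$serverName"
}
# Resolve through the normal client path (hosts file included) before attempting RDP.
$resolved = [System.Net.Dns]::GetHostAddresses($serverName)
if (-not $resolved) { throw "$serverName does not resolve; fix DNS or the hosts entry." }

# 5. Write an .rdp file that forces web account (Entra ID) sign-in, the same thing
#    the "Use a web account to sign in" checkbox does in the RDP client.
$rdpFile = "$env:USERPROFILE\$serverName.rdp"
@"
full address:s:$serverName
enablerdsaadauth:i:1
"@ | Set-Content -Path $rdpFile
Write-Host "Connect with: mstsc `"$rdpFile`""
```

Once connected, which level of access the signed-in user gets is decided entirely by the Azure role held at the machine scope, so a user with only Virtual Machine User Login will land in a standard, non-administrative session even though no local group membership was ever configured on the server.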

A Step Toward Cloud-Native Identity

What this demonstration shows is a practical shift away from traditional directory dependencies for Windows environments. By using Azure Arc, Entra ID, and RBAC together, organizations can modernize how authentication and access control are handled across both cloud and on-prem resources.

This approach does not just simplify management. It aligns on-prem systems with the same identity model used across Azure and other cloud services, helping create a more consistent and scalable environment.

If you are exploring ways to reduce reliance on Active Directory while still supporting Windows workloads, this is a capability worth understanding.

Links:

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

AVD and Azure Arc playlist
https://www.youtube.com/playlist?list=PLnWpsLZNgHzXpNcau7qatZZ4S-TYW2-qc

AVD FQDN and endpoint list
https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint

Arc FQDN and endpoint list
https://learn.microsoft.com/en-us/azure/azure-arc/network-requirements-consolidated
