Enabling Entra ID Login Through Azure Bastion for Secure VM Access

Managing Windows virtual machines over Remote Desktop Protocol (RDP) through public IP addresses exposed to the internet poses a significant security risk. Even so, this is the default access method for Windows VMs deployed through the Azure portal. A more secure and convenient alternative is Azure Bastion for remote access. Azure Bastion offers an easy and secure solution that supports domain and local credentials, but its support for Entra ID logins has been limited: Entra ID authentication through Azure Bastion required a Standard or Premium SKU, the native mstsc.exe client, and the Azure CLI. Until now, portal access with cloud credentials was not an option.

The introduction of Entra ID authentication through Azure Bastion represents a significant improvement in both usability and cloud security. The ability to log in directly through the Azure Portal without exposing RDP to the internet gives Azure users a cleaner and safer way to perform VM login and remote access. This post and its accompanying video walk through the value of this new feature, the requirements you need in place, and the steps to enable Entra ID authentication on both new and existing VMs. If you want to modernize your Azure administration process, this update is one of the most impactful enhancements in the platform today.

Why Entra ID Authentication With Azure Bastion Matters

One of the most common risks in cloud environments is leaving RDP open to the internet. Even with strong passwords or just-in-time access, the exposed listener remains a threat vector. Azure Bastion has been the recommended path for secure remote access because it eliminates the need for public IPs while still allowing browser-based connectivity. Until recently, the missing piece was first-party Entra ID integration inside the Azure Portal.

That limitation has now been removed. Administrators can authenticate to Windows VMs using their Entra ID accounts, which aligns VM access with Azure identity controls such as Conditional Access and RBAC. This creates a unified identity experience that reduces credential exposure and simplifies the login workflow. It also supports the principle of least privilege through native RBAC roles for VM access.

Requirements for Entra ID Login Through Azure Bastion

Before enabling this feature, several elements need to be in place:

  • A VM running Windows 10 20H2 or later, Windows 11 21H2 or later, or Windows Server 2022.
  • The AAD Login for Windows extension installed on the VM.
  • A system-assigned managed identity enabled on the VM.
  • Reader permissions for the connecting user on the VM, its NIC, the Bastion resource and the virtual network.
  • The correct RBAC roles applied. Users must have either the Virtual Machine User Login role or the Virtual Machine Administrator Login role.

When all requirements are met, Entra ID automatically appears as the default VM Login option when connecting through Azure Bastion in the Azure Portal.

Enabling Entra ID Login on a New VM

To configure Entra ID for a new VM, the process begins during deployment. While creating the VM, disable public inbound ports and remove the public IP in the Networking section. Then, on the Management tab, enable Login with Entra ID. This automatically applies the AAD Login extension and creates a system-assigned managed identity.

Once deployment is complete, you can assign the required RBAC roles at the VM, resource group or subscription level. In many environments, assigning at the resource group or subscription level is more efficient.

Enabling Entra ID Login on an Existing VM

For an existing VM, the steps begin in the Security and Identity section of the VM. Enable the system-assigned managed identity and save the configuration.

After that, navigate to Extensions and Applications and install the Azure AD based Windows Login extension. When finished, verify the extension is active and then move on to RBAC assignments.

Setting RBAC Roles for VM Login

Azure Bastion requires Reader permissions on specific resources, and the VM requires login roles that are separate from those Reader permissions. Administrators should confirm that users are assigned one of the VM login roles. The Virtual Machine User Login role grants standard user access. The Virtual Machine Administrator Login role grants full administrative rights.

It is important to confirm that Reader permissions cover the correct networks, especially when VNet peering is used and Bastion resides in a different virtual network than the VM.
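The same steps for an existing VM (managed identity, AAD Login extension, login role and Reader permissions) scripted with the Azure CLI, as an added example that is not from the original post. The resource names, the user UPN and the scope IDs are placeholders; the script defaults to a dry-run mode that prints each az command so it can be reviewed before running for real with DRY_RUN=0.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): enable Entra ID login on an
# existing Windows VM and assign the roles the post lists.
# RG, VM and USER_UPN are placeholder values; override them via environment.
set -euo pipefail

RG="${RG:-rg-placeholder}"
VM="${VM:-vm-placeholder}"
USER_UPN="${USER_UPN:-admin@example.com}"   # Entra ID user who will log in
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute

# Print or execute an az command depending on DRY_RUN.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Step 1: system-assigned managed identity (required by the extension).
enable_identity() {
  run_az vm identity assign --resource-group "$RG" --name "$VM"
}

# Step 2: the AAD Login for Windows extension (publisher/name as documented
# for the extension; the VM must run a supported Windows release).
install_extension() {
  run_az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows
}

# Step 3: one of the two VM login roles at the chosen scope (VM, resource
# group or subscription). Any other role name is rejected.
assign_login_role() {
  local role="$1" scope="$2"
  case "$role" in
    "Virtual Machine User Login"|"Virtual Machine Administrator Login") ;;
    *) echo "not a VM login role: $role" >&2; return 1 ;;
  esac
  run_az role assignment create --assignee "$USER_UPN" --role "$role" --scope "$scope"
}

# Step 4: Reader on every resource Bastion touches: VM, NIC, Bastion host and
# the virtual network (including a peered VNet when Bastion lives elsewhere).
assign_reader() {
  local scope
  for scope in "$@"; do
    run_az role assignment create --assignee "$USER_UPN" --role Reader --scope "$scope"
  done
}

enable_identity
install_extension
assign_login_role "Virtual Machine User Login" "/subscriptions/SUB-PLACEHOLDER/resourceGroups/$RG"
assign_reader "/subscriptions/SUB-PLACEHOLDER/resourceGroups/$RG"
```

Scope IDs for individual resources can be obtained with `az vm show --query id -o tsv` and the equivalent `show` commands for the NIC, Bastion host and VNet.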

Testing Entra ID Authentication in the Azure Portal

After configuration is complete, the login experience becomes much simpler. When you open the VM and select Bastion under the Connect menu, the authentication type defaults to Microsoft Entra ID. Users then proceed to a browser-based remote access session without any public exposure of RDP.

The first connection prompts for consent. Subsequent logins reuse that approval and transition directly into the session. For many administrators, this is the most seamless VM login workflow Azure has offered.

A More Secure Future for Azure VM Access

The addition of Entra ID authentication through Azure Bastion represents a major step forward for secure cloud operations. It removes the need for public RDP, eliminates reliance on external clients and aligns VM authentication with modern identity practices in Azure. For organizations focused on cloud security and simplified operations, this is a feature worth adopting right away.

If you want to see the full walkthrough, including step-by-step portal guidance and a live demo, check out the video linked above.

Links:

Secure VM Access with Azure Bastion | Step-by-Step Deployment & Demo

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E
