
Commit 0d9dc5a

Merge pull request #312715 from AbdullahBell/bastion-rdp-windows-3
Overhaul of RDP Windows article
2 parents f060d9d + 5dad36b commit 0d9dc5a

3 files changed

Lines changed: 161 additions & 51 deletions

File tree

Lines changed: 110 additions & 51 deletions
@@ -1,98 +1,157 @@
11
---
22
title: 'Connect to a Windows VM using RDP'
33
titleSuffix: Azure Bastion
4-
description: Learn how to use Azure Bastion to connect to Windows VM using RDP.
4+
description: Learn how to use Azure Bastion to connect to a Windows VM using RDP via the Azure portal, a specified IP address, or a native client.
55
author: abell
66
ms.service: azure-bastion
77
ms.topic: how-to
8-
ms.date: 03/31/2025
8+
ms.date: 03/06/2026
99
ms.author: abell
1010

1111
# Customer intent: "As a cloud administrator, I want to establish a secure RDP connection to a Windows VM using a Bastion host, so that I can access my virtual machines without exposing them to the public internet."
1212
---
1313

1414
# Create an RDP connection to a Windows VM using Azure Bastion
1515

16-
This article shows you how to securely and seamlessly create an RDP connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using SSH. For information, see [Create an SSH connection to a Windows VM](bastion-connect-vm-ssh-windows.md).
16+
This article describes how to create a secure RDP connection to your Windows virtual machines using Azure Bastion. You can connect through the Azure portal (browser-based), via a specified IP address, or using a native client on your local Windows computer. When you use Azure Bastion, your virtual machines don't require a client, agent, or additional software. Azure Bastion securely connects to all virtual machines in the virtual network without exposing RDP/SSH ports to the public internet. For more information, see [What is Azure Bastion?](bastion-overview.md)
1717

18-
Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see [What is Azure Bastion?](bastion-overview.md)
18+
For native client connections using Azure CLI (including SSH and tunnel), see [Connect to a VM using a native client](connect-vm-native-client-windows.md). To connect to a Windows virtual machine using SSH, see [Create an SSH connection to a Windows VM](bastion-connect-vm-ssh-windows.md).
1919

20-
> [!NOTE]
21-
> Entra ID authentication for RDP connections is now available in public preview! See [Microsoft Entra ID](#microsoft-entra-id-authentication-preview) for details.
20+
The following diagram shows the dedicated deployment architecture using an RDP connection.
21+
22+
:::image type="content" source="./media/connect-vm-rdp-windows/host-architecture-rdp.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/connect-vm-rdp-windows/host-architecture-rdp.png":::
2223

2324
## Prerequisites
2425

25-
Before you begin, verify that you've met the following criteria:
26+
Before you begin, verify that you meet the following criteria:
2627

27-
* A VNet with the Bastion host already installed.
28+
* An Azure Bastion host deployed in the virtual network where the virtual machine is located, or in a [peered virtual network](vnet-peering.md). To set up a Bastion host, see [Create a bastion host](quickstart-host-portal.md#createhost). The SKU you need depends on your connection method:
2829

29-
* Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.
30-
* To set up an Azure Bastion host, see [Create a bastion host](quickstart-host-portal.md#createhost). If you plan to configure custom port values, be sure to select the Standard SKU or higher when configuring Bastion.
30+
| Connection method | Minimum SKU | Additional configuration |
31+
|---|---|---|
32+
| Azure portal (browser) | Basic | None |
33+
| Azure portal with custom ports | Standard | None |
34+
| IP-based connection | Standard | [IP-based connection](connect-ip-address.md#configure-bastion) enabled |
35+
| Native client (RDP) | Standard | [Native client support](native-client.md) enabled |
3136

32-
* A Windows virtual machine in the virtual network.
37+
* Users connecting via RDP must have rights on the target virtual machine. If the user isn't a local administrator, add them to the **Remote Desktop Users** group.
3338

34-
### Required roles
39+
* Azure Bastion uses RDP port 3389 by default. Custom ports require the [Standard SKU or higher](bastion-sku-comparison.md). To upgrade, see [Upgrade a SKU](upgrade-sku.md).
3540

36-
* Reader role on the virtual machine.
37-
* Reader role on the NIC with private IP of the virtual machine.
38-
* Reader role on the Azure Bastion resource.
39-
* Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
41+
* A Windows virtual machine in the virtual network (or reachable from the virtual network for [IP-based connections](connect-ip-address.md)).
4042

41-
## Microsoft Entra ID authentication (Preview)
43+
* **Required roles:**
4244

43-
> [!NOTE]
44-
> Microsoft Entra ID Authentication support for RDP connections within the portal is only supported for Windows VMs. For SSH connections to Linux VMs, see [Connect to a Linux VM using SSH](bastion-connect-vm-ssh-linux.md#microsoft-entra-id-authentication).
45+
* Reader role on the virtual machine.
46+
* Reader role on the NIC with the IP of the virtual machine.
47+
* Reader role on the Azure Bastion resource.
48+
* Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
49+
* Virtual Machine Administrator Login or Virtual Machine User Login role (only required for [Microsoft Entra ID authentication](bastion-entra-id-authentication.md)).
50+
51+
52+
See the [Azure Bastion FAQ](bastion-faq.md) for additional requirements.
53+
54+
<a name="entra-id"></a>
55+
56+
## Authentication methods
57+
58+
<a name="microsoft-entra-id-authentication-preview"></a>
4559

46-
If the following prerequisites are met, Microsoft Entra ID becomes the default option to connect to your VM. If any prerequisite is not met, Microsoft Entra ID will not be presented as a Connection Method. To learn more about Entra ID authentication for Azure machines, see [Enable Microsoft Entra sign in for a Windows virtual machine in Azure or Arc-enabled Windows Server](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#enable-microsoft-entra-sign-in-for-a-windows-virtual-machine-in-azure-or-arc-enabled-windows-server)
60+
The following authentication methods are available for RDP connections through Azure Bastion. Select an authentication method to see the corresponding steps.
4761

48-
Prerequisites:
49-
* Ensure that your virtual machine is compliant with the following requirements: Windows 10 version 20H2 or later, Windows 11 21H2 or later, or Windows Server 2022 or later.
62+
| Authentication method | Supported connection methods | Minimum SKU |
63+
|---|---|---|
64+
| [Microsoft Entra ID (Preview)](bastion-entra-id-authentication.md) (Preview for RDP) | Azure portal, native client | Basic (portal), Standard (native client) |
65+
| Username and password | Azure portal, IP address (portal), native client | Basic (portal), Standard (IP address, native client) |
66+
| [Kerberos](kerberos-authentication-portal.md) | Azure portal | Basic |
5067

51-
* **AADLoginForWindows** extension should be enabled on the VM. Microsoft Entra ID Login can be enabled during VM creation by checking the box for **Login with Microsoft Entra ID** or by adding the **AADLogin** extension to a pre-existing VM.
68+
<a name="connect-to-a-vm"></a>
5269

53-
* One of the following required roles should be configured on the VM for the user:
70+
## Connect to a virtual machine using RDP
5471

55-
* **Virtual Machine Administrator Login**: This role is necessary if you want to sign in with administrator privileges.
56-
* **Virtual Machine User Login**: This role is necessary if you want to sign in with regular user privileges.
72+
Select a connection method to see the corresponding steps. After you navigate to the Bastion connection page, choose your [authentication method](#authentication-methods).
5773

58-
Use the following steps to authenticate using Microsoft Entra ID.
74+
# [Azure portal](#tab/portal)
5975

60-
1. To authenticate using Microsoft Entra ID, configure the following settings.
76+
<a name="rdp"></a>
6177

62-
| Setting | Description |
63-
|------------------------|-----------------------------------------------------------------------------|
64-
| **Connection Settings**| Only available for SKUs higher than the Basic SKU. |
65-
| **Protocol** | Select RDP. |
66-
| **Port** | Specify the port number. |
67-
| **Authentication type**| Select **Microsoft Entra ID (Preview)** from the dropdown. |
68-
69-
1. To work with the VM in a new browser tab, select **Open in new browser tab**.
78+
Use the Azure portal to create a browser-based RDP connection to your Windows virtual machine. This method connects directly through your browser. No native RDP client or additional software is required on your local computer. The [Basic SKU](bastion-sku-comparison.md) or higher is required, or the Standard SKU if you need custom ports.
7079

71-
1. Click **Connect** to connect to the VM.
7280

73-
Limitations
74-
* RDP + Entra ID authentication support in the portal cannot be used concurrently with graphical session recording.
81+
1. In the [Azure portal](https://portal.azure.com), select your virtual machine. On the left pane select **Connect**, then select **Bastion**.
7582

76-
### Ports
83+
1. In the **Connection settings** tab, select **RDP** as the protocol, and enter the port number if you changed it from the default of 3389.
7784

78-
To connect to the Windows VM, you must have the following ports open on your Windows VM:
85+
1. Select your authentication method. [Microsoft Entra ID (Preview)](bastion-entra-id-authentication.md) is recommended. For other options, see [Authentication methods](#authentication-methods).
7986

80-
* Inbound port: RDP (3389) ***or***
81-
* Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)
87+
1. Select **Connect** to open the RDP connection to your virtual machine in a new browser tab.
8288

8389
> [!NOTE]
84-
> If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU or higher. The Basic SKU does not allow you to specify custom ports.
90+
> For troubleshooting tips, see [Troubleshooting RDP connections](troubleshoot.md) and [Troubleshoot Microsoft Entra sign in for a Windows virtual machine in Azure or Arc-enabled Windows Server](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-sign-in-problems)
8591
86-
### Rights on target VM
8792

88-
[!INCLUDE [Remote Desktop Users](../../includes/bastion-remote-desktop-users.md)]
93+
# [IP address (portal)](#tab/ip-address)
8994

90-
See the [Azure Bastion FAQ](bastion-faq.md) for additional requirements.
95+
<a name="ip-address"></a>
96+
97+
Use the Azure portal to create a browser-based RDP connection to your Windows virtual machine using a specified IP address. This method connects through your browser and doesn't require a native RDP client or additional software on your local computer. The Standard SKU or higher is required, and you must enable [IP-based connection](connect-ip-address.md).
98+
99+
### Enable IP-based connection
100+
101+
Before you can connect using an IP address, you must enable IP-based connection on your Bastion deployment.
102+
103+
1. In the [Azure portal](https://portal.azure.com), go to your Bastion deployment.
104+
105+
1. On the **Configuration** page, for **Tier**, verify the SKU is set to the **Standard** SKU or higher. If the SKU is set to the Basic SKU, select a higher SKU from the dropdown.
106+
107+
1. Select **IP based connection**.
108+
109+
1. Select **Apply** to apply the changes. It takes a few minutes for the Bastion configuration to complete.
110+
111+
1. You specify the IP address of the target virtual machine directly on the Bastion **Connect** page, rather than selecting a virtual machine from the Azure portal.
112+
113+
### Connect using an IP address
114+
115+
1. To connect to a virtual machine using a specified IP address, make the connection from Bastion, not directly from the virtual machine page. On your Bastion resource, select **Connect** to open the Connect page.
116+
117+
1. On the Bastion **Connect** page, for **IP address**, enter the IP address of the target virtual machine.
118+
119+
:::image type="content" source="./media/connect-ip-address/ip-address.png" alt-text="Screenshot of the Connect using Azure Bastion page." lightbox="./media/connect-ip-address/ip-address.png":::
120+
121+
1. Adjust your connection settings to the desired **Protocol** (RDP) and **Port**.
122+
123+
1. Enter your credentials in **Username** and **Password**.
124+
125+
1. Select **Connect** to connect to your virtual machine.
126+
127+
For native client RDP connections via IP address, see the **Native client** tab on this page.
128+
129+
# [Native client](#tab/native-client)
130+
131+
Connect to your Windows virtual machine from a local Windows computer using Azure CLI (`az network bastion rdp`). This method requires the [Standard SKU](bastion-sku-comparison.md) or higher with [native client support configured](native-client.md).
132+
133+
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
134+
135+
[!INCLUDE [Native client RDP to Windows VM](../../includes/bastion-native-rdp-windows.md)]
136+
137+
For SSH and tunnel connections, see [Connect to a VM using Bastion and the Windows native client](connect-vm-native-client-windows.md).
138+
139+
---
140+
141+
## Limitations
91142

92-
## <a name="rdp"></a>Connect
143+
* **IP-based connections:** IP-based connection doesn't work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisement, results in traffic blackholing.
144+
* **IP-based connections:** UDR isn't supported on the Bastion subnet, including with IP-based connections.
145+
* **IP-based connections:** Custom ports and protocols aren't currently supported when connecting to a virtual machine via native client with IP-based connections.
146+
* **Microsoft Entra ID:** Microsoft Entra authentication isn't supported for IP-based RDP connections. IP-based SSH connections via native client do support Entra ID authentication. For Entra ID auth details, see [About Microsoft Entra ID authentication](bastion-entra-id-authentication.md).
147+
* **Session recording:** RDP + Entra ID authentication in the portal can't be used concurrently with [graphical session recording](session-recording.md).
93148

94-
[!INCLUDE [Connect to a Windows VM](../../includes/bastion-vm-rdp.md)]
95-
96149
## Next steps
97150

98-
Read the [Bastion FAQ](bastion-faq.md) for more connection information.
151+
* [Connect to a Windows VM using SSH](bastion-connect-vm-ssh-windows.md)
152+
* [What is Azure Bastion?](bastion-overview.md)
153+
* [Configure Microsoft Entra ID authentication](bastion-entra-id-authentication.md) for identity-based access.
154+
* [Configure Kerberos authentication](kerberos-authentication-portal.md) for domain-joined virtual machines.
155+
* [Transfer files](vm-upload-download-native.md) to your virtual machine using a native client.
156+
* [Configure a shareable link](shareable-link.md) for users without Azure portal access.
157+
* [Azure Bastion FAQ](bastion-faq.md)
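Review bot: the explicit prerequisite that the RDP port must be open inbound on the target VM is lost in this rewrite. The removed `### Ports` section stated "To connect to the Windows VM, you must have the following ports open on your Windows VM", while the replacement bullet at new line 39 only says "Azure Bastion uses RDP port 3389 by default", which reads as a Bastion-side setting rather than a requirement on the VM; suggest restoring the removed requirement in that bullet (3389, or the custom port, must be reachable on the VM). The old Entra ID prerequisites (Windows 10 20H2 / Windows 11 21H2 / Windows Server 2022 or later, the AADLoginForWindows extension, the two login roles) are also removed without a pointer beyond the general link; confirm they live in bastion-entra-id-authentication.md and reference its prerequisites from the Entra row of the authentication table. Minor: that Entra row says "(Preview)" twice; new line 85 recommends a preview feature as the default choice, which may want a caveat; and new line 143 needs its commas moved: "Azure Bastion requires access to the Internet, and force tunneling or a default route advertisement results in traffic blackholing."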
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
---
2+
title: Connect to a Windows VM using native RDP client
3+
description: Steps to connect to a Windows virtual machine using Azure Bastion with a native RDP client via Azure CLI.
4+
author: abell
5+
ms.service: azure-bastion
6+
ms.topic: include
7+
ms.date: 03/06/2026
8+
ms.author: abell
9+
---
10+
When a user connects to a Windows VM via RDP, they must have rights on the target VM. If the user isn't a local administrator, add the user to the Remote Desktop Users group on the target VM.
11+
12+
1. Sign in to your Azure account using `az login`. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using `az account set --subscription "<subscription ID>"`.
13+
14+
1. To connect via RDP, use the following example.
15+
16+
```azurecli
17+
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
18+
```
19+
20+
1. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Microsoft Entra credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via **MSTSC**.
21+
22+
> [!IMPORTANT]
23+
> Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are Microsoft Entra registered (starting with Windows 10 20H1), Microsoft Entra joined, or Microsoft Entra hybrid joined to the *same* directory as the VM.
24+
25+
#### Specify authentication method
26+
27+
Optionally, you can also specify the authentication method as part of the command.
28+
29+
* **Microsoft Entra authentication:** For Windows 10 version 20H2+, Windows 11 21H2+, and Windows Server 2022, use `--enable-mfa`. For more information, see [az network bastion rdp - optional parameters](/cli/azure/network/bastion?#az-network-bastion-rdp(bastion)-optional-parameters).
30+
31+
#### Specify a custom port
32+
33+
You can specify a custom port when you connect to a Windows VM via RDP.
34+
35+
One scenario where this could be especially useful would be connecting to a Windows VM via port 22. This is a potential workaround for the limitation with the *az network bastion ssh* command, which can't be used by a Windows native client to connect to a Windows VM.
36+
37+
To specify a custom port, include the field **--resource-port** in the sign-in command, as shown in the following example.
38+
39+
```azurecli
40+
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --resource-port "22"
41+
```
42+
43+
#### RDP to a Windows VM IP address
44+
45+
You can also connect to a VM private IP address, instead of the resource ID. Microsoft Entra authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](../articles/bastion/connect-ip-address.md).
46+
47+
Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.
48+
49+
```azurecli
50+
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>"
51+
```
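Review bot: new lines 20 and 29 give two different stories for Microsoft Entra authentication. Line 20 says that after running the plain `az network bastion rdp` command "You can use either a local username and password, or your Microsoft Entra credentials", while line 29 says to "use `--enable-mfa`" for Entra authentication; state whether the flag is required for Entra sign-in or only changes the prompt, and whether the device-join requirement in the IMPORTANT note (line 23) applies in both cases. Line 45 has a comma splice; suggest "Microsoft Entra authentication, custom ports, and custom protocols aren't supported when using this type of connection." Line 47 should name the subcommand (`az network bastion rdp`) so it matches the example that follows. Style: this include uses "VM" throughout while the article that includes it was normalized to "virtual machine" in the same PR.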
