articles/bastion/bastion-entra-id-authentication.md
7 additions & 13 deletions
@@ -5,7 +5,7 @@ description: Learn how to configure Microsoft Entra ID authentication for RDP an
5
5
author: abell
6
6
ms.service: azure-bastion
7
7
ms.topic: how-to
8
-
ms.date: 03/04/2026
8
+
ms.date: 03/09/2026
9
9
ms.author: abell
10
10
11
11
# Customer intent: "As a cloud administrator, I want to configure Microsoft Entra ID authentication with Azure Bastion, so that I can use identity-based access policies and MFA for my virtual machines."
@@ -57,19 +57,22 @@ Entra ID authentication is available through two connection methods:
57
57
58
58
When all requirements are met, Microsoft Entra ID appears as the default authentication option on the Bastion connection page in the Azure portal. If any requirement isn't met, the option doesn't appear.
59
59
60
+
> [!NOTE]
61
+
> The sign-in experience differs between connection methods. Portal connections use passwordless authentication—you sign in with your Entra ID credentials and don't need a local VM password. Native client RDP connections prompt for password entry after MFA completes. For more information, see [Sign in using password/passwordless authentication with Microsoft Entra ID](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#sign-in-using-passwordpasswordless-authentication-with-microsoft-entra-id).
62
+
60
63
## Assign roles
61
64
62
-
Users connecting with Entra ID authentication need the following role assignments:
65
+
Users connecting with Entra ID authentication need **one of**the following role assignments:
63
66
64
67
***[Virtual Machine Administrator Login:](/azure/role-based-access-control/built-in-roles#virtual-machine-administrator-login)** Grants administrator-level access to the virtual machine.
65
68
***[Virtual Machine User Login:](/azure/role-based-access-control/built-in-roles#virtual-machine-user-login)** Grants regular user-level access to the virtual machine.
66
69
67
-
The following [Bastion Reader roles](bastion-connect-vm-rdp-windows.md#prerequisites) are also required:
70
+
The following [Reader](/azure/role-based-access-control/built-in-roles#reader) role assignments on the relevant resources are also required:
68
71
69
72
* Reader role on the virtual machine.
70
73
* Reader role on the NIC with private IP of the virtual machine.
71
74
* Reader role on the Azure Bastion resource.
72
-
* Reader role on the virtual network of the target virtual machine.
75
+
* Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
73
76
74
77
You can assign roles at the virtual machine, resource group, or subscription scope.
75
78
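Review bot: the new line "Users connecting with Entra ID authentication need **one of**the following role assignments:" is missing a space after the closing `**`, so it renders as "one ofthe"; change it to `need **one of** the following role assignments:`. The rewording of the Reader requirements is otherwise an improvement, since it points at the built-in Reader role instead of a nonexistent "Bastion Reader" role, and the new parenthetical on the virtual network item makes clear that the extra Reader assignment is only needed when Bastion sits in a peered virtual network.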
@@ -183,9 +186,6 @@ After you complete the role assignments and install the virtual machine extensio
183
186
184
187
Connect to a Windows virtual machine using RDP with Entra ID authentication in the Azure portal. The [Basic SKU](bastion-sku-comparison.md) or higher is required.
185
188
186
-
> [!NOTE]
187
-
> Microsoft Entra ID authentication for RDP connections in the portal is in **public preview**.
188
-
189
189
1. In the [Azure portal](https://portal.azure.com), navigate to your Windows virtual machine. Select **Connect** > **Bastion**.
190
190
1. In the **Connection settings** section, set **Protocol** to **RDP**. Enter the port number if you changed it from the default of 3389.
191
191
1. For **Authentication type**, select **Microsoft Entra ID (Preview)**. If this option doesn't appear, verify that the virtual machine extension is installed and the required roles are assigned.
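Review bot: this hunk drops the "public preview" note for portal RDP connections, but the unchanged step just below still tells the reader to select **Microsoft Entra ID (Preview)**. If the feature is now generally available, that label should be updated to match the portal in the same change; if it is not, the note should stay. Either way the two lines should agree.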
@@ -220,9 +220,6 @@ az network bastion rdp \
220
220
221
221
When prompted, sign in with your Microsoft Entra ID credentials.
222
222
223
-
> [!IMPORTANT]
224
-
> Remote connection to virtual machines joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are [Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined](/entra/identity/devices/overview) to the *same* directory as the virtual machine.
225
-
226
223
### [Native client: SSH](#tab/native-ssh)
227
224
228
225
Connect to a Linux virtual machine using the Azure CLI native client with Entra ID authentication. The [Standard SKU](bastion-sku-comparison.md) or higher is required, and Bastion must be configured for [native client support](native-client.md).
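Review bot: removing the IMPORTANT note deletes a stated prerequisite (a Windows 10 or later client that is Entra registered, joined, or hybrid joined to the same directory as the VM) without replacing it anywhere in the hunk. If that requirement still applies to native client RDP, it belongs in the prerequisites or requirements section rather than being dropped; if it no longer applies, the change should say why so reviewers can confirm the behavior.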
@@ -237,9 +234,6 @@ az network bastion ssh \
237
234
--auth-type "AAD"
238
235
```
239
236
240
-
> [!NOTE]
241
-
> Microsoft Entra ID authentication isn't supported for [IP-based](connect-ip-address.md) SSH connections (using `--target-ip-address`).
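Review bot: this hunk removes the note that Entra ID authentication is not supported for IP-based SSH connections (`--target-ip-address`) with nothing replacing it. Readers who connect by IP address will lose the only hint about why `--auth-type "AAD"` fails for them, so if the limitation still exists it should be kept here or moved to a limitations section; if the limitation was lifted, that should be stated explicitly.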