TL;DR - If you're RDP-ing into an EntraID Joined machine, you either need to use a local account or connect from a device that's joined to the same EntraID Tenant.
I'm not sure if this will help anyone or not, but I was recently working with a partner who was trying to RDP into a virtual machine (server) that was EntraID joined, and they kept getting the "Your credentials did not work" error despite verifying that their credentials were correct and that the account had been granted the VM Machine Admin Login role.
At first, I thought this was a problem with the innovative Nerdio "Generate an RDP file" feature, where a public IP address and NSG rules are temporarily added to an Azure VM for a limited amount of time (30 minutes to 24 hours), but it turns out that wasn't the problem.
It took some digging, but I found a forum post on Stack Overflow that talked about the very problem we were having.
In that post, they link to a Microsoft Learn article that further put the nail in the proverbial coffin with this note in the "Connect without Microsoft Entra authentication" section.
What this means for MSPs is that if your partner tenant is @CoolestMSPAround.com and your customer tenant is @TheBestCustomerEver.com, you'll never be able to connect from your MSP computer that's joined to your EntraID Tenant even if you have a global admin account on the customer's tenant.
Luckily, all is not lost. 🙂
There are a few ways you can connect to the EntraID Joined VM from your non-customer tenant joined computer.
- Use local account credentials to RDP into the VM using the Nerdio "Generate an RDP file" feature
- RDP (from within Windows) from a computer that's joined to the customer's EntraID Tenant
- Install your RMM/Remote Access tool (See Scripted Actions and/or Install ConnectWise ScreenConnect w/ a Scripted Action for some examples)
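As an added example (my own helper, not code from the post above, from Nerdio, or from Microsoft), here is a PowerShell snippet that checks which tenant your workstation is joined to before you try to RDP, and, when it is not the customer's tenant, writes an .rdp file that pre-fills a local account so your MSP tenant's credentials are never the ones offered to the VM. The customer tenant ID, VM address, local account name and output path are placeholders you replace; it assumes `dsregcmd /status` output in its usual `Key : Value` layout.

```powershell
# Added example (not from the post, Nerdio or Microsoft): decide whether Entra ID RDP can work
# from this workstation, and otherwise prepare a local-account .rdp file for the customer VM.
param(
    [string]$CustomerTenantId = '00000000-0000-0000-0000-000000000000',  # placeholder: customer's tenant ID
    [string]$VmAddress        = '203.0.113.10:3389',                     # placeholder: IP/port from the generated RDP file
    [string]$LocalAdmin       = 'localadmin',                            # placeholder: local account on the VM
    [string]$OutFile          = "$env:USERPROFILE\Desktop\customer-vm-local.rdp"
)

# Pull a single "Key : Value" entry out of dsregcmd /status output; returns $null when absent.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Key)
    $hit = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return $null
}

# dsregcmd /status prints "AzureAdJoined : YES" and "TenantId : <guid>" on an Entra ID joined device.
$status   = dsregcmd /status
$joined   = Get-DsregValue -Lines $status -Key 'AzureAdJoined'
$tenantId = Get-DsregValue -Lines $status -Key 'TenantId'

if ($joined -eq 'YES' -and $tenantId -eq $CustomerTenantId) {
    Write-Host "This device is joined to tenant $tenantId; Entra ID credentials should work for RDP."
    return
}

Write-Warning "This device is joined to tenant '$tenantId' (expected '$CustomerTenantId'); use a local account on the VM."

# Minimal .rdp file: always prompt for credentials and pre-fill a local account.
# The ".\" prefix keeps mstsc from qualifying the name with your own Entra ID or domain identity.
@"
full address:s:$VmAddress
username:s:.\$LocalAdmin
prompt for credentials:i:1
"@ | Set-Content -Path $OutFile -Encoding ASCII

Write-Host "Wrote $OutFile - open it with mstsc and enter the local account's password."
```

Run it with `-CustomerTenantId` set to the customer's tenant ID and `-VmAddress` set to the address from the Nerdio-generated RDP file; the tenant check is what tells you up front whether you are in the "same tenant" case or the "local account" case from the list above.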
Feel free to comment below if you've noticed a similar problem or have any other ways of getting around the issue of connecting to a device that's joined to another EntraID tenant.