Is it supported or working when adding AAD Security group to Local Remote Desktop Users group?

Open TommyXingSZ opened this issue 2 years ago • 2 comments

Is it supported or working when adding an AAD Security group to the local Remote Desktop Users group? I worked with a customer who was trying to grant a bulk of users RDP rights by adding an Azure AD Security group to the local Remote Desktop Users group. However, the result is not as expected. *The AAD Security Group is added to the local Remote Desktop Users group by Intune > Endpoint Security > Account Protection > the "Local user group membership" policy.

  • When Network Level Authentication is enabled, RDP fails with "The connection was denied because the user account is not authorized for remote login". The user token is not getting the Remote Desktop Users membership.
  • When Network Level Authentication is disabled, the user can enter the credentials at the WinLogon window and is able to RDP.

From the link, it seems the 4th point is saying an AAD group is not expected: "Azure AD groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Azure AD joined devices, you need to add the individual user's SID to the appropriate group."

So for the current documentation "To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups.", is an AAD group actually supported, or is there a specific method/condition to make an AAD group work?

TommyXingSZ avatar Apr 27 '22 02:04 TommyXingSZ

Hello @TommyXingSZ, according to https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups it is supported. (Please see the Note section.)

When Network Level Authentication is enabled, RDP fails - can they try to edit the RDP file and set the following values: enablecredsspsupport:i:0 and authentication level:i:2

Also, they need to make sure that LocalUsersAndGroups policy is used instead of RestrictedGroups, and that the correct SID of the group is specified. Thank you

MaratMussabekov avatar Jun 10 '22 08:06 MaratMussabekov

Opened a work item (6401150) which is being reviewed to update the docs.

denisebmsft avatar Aug 10 '22 19:08 denisebmsft

I wanted to comment on this. According to the Docs, Azure AD devices should support Azure AD Groups assigned to the Remote Desktop Users group using the Intune LocalUsersAndGroups CSP; however, in practice this does not work and results in a message stating the user does not have authorization to access this PC when trying to access the PC via RDP as a user who is a direct member of the group that is added to Remote Desktop Users.

So I'm not sure if this is an error in the Docs stating that it is supported when currently it appears not to be, or if it should be supported and this appears to be bugged.

zm1868179 avatar Sep 27 '22 18:09 zm1868179

Hi guys, I am stuck with the same problem. I found this article:

https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview

Azure AD groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Azure AD joined devices, you need to add the individual user's SID to the appropriate group.

In our environment we set it via Custom OMA-URI Settings. Users with local admin rights work fine. But non-admins via Azure AD group do not work. If I add the user manually it works, but my MDM policy will kick the user after the next sync. So I have to modify the OMA-URI setting every time with the SID of the new user.

Zwen89x avatar Nov 28 '22 09:11 Zwen89x
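The workaround the thread converges on (per-user SIDs in the LocalUsersAndGroups policy instead of an AAD group) is easy to get wrong by hand, so here is an added example, not code from the thread or from Microsoft, that derives each user's SID from the Azure AD object ID and emits the policy XML for the OMA-URI value. It assumes the GroupConfiguration/accessgroup/add element names from the policy CSP doc linked above, uses the well-known SID S-1-5-32-555 for Remote Desktop Users, and the object IDs in it are constructed samples.

```python
import struct
import uuid
from xml.etree import ElementTree as ET

# Well-known SID of the local BUILTIN\Remote Desktop Users group.
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"


def aad_object_id_to_sid(object_id: str) -> str:
    """Return the SID Windows assigns to an Azure AD user or group.

    Azure AD principals map to S-1-12-1-<a>-<b>-<c>-<d>, where a..d are the
    four little-endian 32-bit integers of the GUID in .NET byte layout
    (Guid.ToByteArray()); uuid.bytes_le yields that same layout in Python.
    """
    raw = uuid.UUID(object_id).bytes_le
    a, b, c, d = struct.unpack("<4I", raw)
    return f"S-1-12-1-{a}-{b}-{c}-{d}"


def build_local_users_and_groups_policy(user_object_ids):
    """Build the XML for the LocalUsersAndGroups/Configure OMA-URI setting.

    Each user's SID is added individually because AAD group membership is
    not evaluated for RDP logon. action="U" updates the group and keeps
    existing members; "R" would replace the whole membership.
    """
    root = ET.Element("GroupConfiguration")
    group = ET.SubElement(root, "accessgroup", desc=REMOTE_DESKTOP_USERS_SID)
    ET.SubElement(group, "group", action="U")
    for oid in user_object_ids:
        ET.SubElement(group, "add", member=aad_object_id_to_sid(oid))
    return ET.tostring(root, encoding="unicode")


def members_in_policy(policy_xml: str):
    """Parse a policy value back into the SIDs it adds (handy for auditing what Intune pushes)."""
    return [el.get("member") for el in ET.fromstring(policy_xml).iter("add")]


if __name__ == "__main__":
    # Constructed sample object IDs, not real tenant values.
    sample_ids = [
        "12345678-1234-5678-9abc-def012345678",
        "00000001-0000-0000-0000-000000000000",
    ]
    print(build_local_users_and_groups_policy(sample_ids))
```

Re-run the script whenever the user set changes and replace the OMA-URI value; with action="U" existing members that Intune did not add are left in place.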