Matt L

Reputation: 1

Azure Active Directory Domain Services - Question on use of AAD DC Administrators group

Scenario: AADDS deployed, Azure-hosted Windows servers are domain-joined. Using Azure Bastion to RDP into the domain-joined servers. However, it seems that only user accounts that are part of the AAD DC Administrators group can successfully RDP to the servers.

Question: Is it possible to add security groups other than AAD DC Administrators to the local administrators group on domain-joined servers so as to allow RDP access for remote administration?

TIA,

Matt

Upvotes: 0

Views: 836

Answers (2)

OrganizedChaos

Reputation: 451

Once you join a machine to the AADDS domain, you can treat it like a standalone AD DS domain in regard to GPOs, login, etc.

I tested this scenario yesterday and verified that you can add both individual users and AAD groups to the local Administrators group (or any group that allows login to a server) and those users will be able to log in both with RDP and via Bastion.

Upvotes: 0
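
One way to apply what the answer above describes, as an added example that is not part of the original answer: an idempotent PowerShell function that adds a domain security group to a local group on the domain-joined server and returns the resulting membership for review. The function name `Grant-LocalGroupMembership` and the group `AADDSCONTOSO\Server-RDP-Operators` are hypothetical placeholders; the default target is the built-in Remote Desktop Users group, with local Administrators as the alternative.

```powershell
#Requires -RunAsAdministrator
# Added example. Run in an elevated session on the domain-joined server.
# Function name and domain group names are placeholders (assumptions).

function Grant-LocalGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $DomainGroup,

        # Well-known SIDs avoid depending on localized group names:
        #   S-1-5-32-555 = BUILTIN\Remote Desktop Users (RDP logon only)
        #   S-1-5-32-544 = BUILTIN\Administrators (full local admin)
        [ValidateSet('S-1-5-32-555', 'S-1-5-32-544')]
        [string] $LocalGroupSid = 'S-1-5-32-555'
    )

    $localGroup = Get-LocalGroup -SID $LocalGroupSid

    # Resolve the domain group to a SID first, so a mistyped name fails
    # here with a clear error instead of partway through the change.
    $account   = New-Object System.Security.Principal.NTAccount($DomainGroup)
    $memberSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Skip the add if the group is already a member (safe to re-run).
    $existing = Get-LocalGroupMember -SID $LocalGroupSid |
        Where-Object { $_.SID.Value -eq $memberSid.Value }

    if ($existing) {
        Write-Verbose "$DomainGroup is already a member of $($localGroup.Name)"
    }
    elseif ($PSCmdlet.ShouldProcess($localGroup.Name, "Add $DomainGroup")) {
        Add-LocalGroupMember -SID $LocalGroupSid -Member $memberSid.Value
    }

    # Return current membership so the result can be reviewed or logged.
    Get-LocalGroupMember -SID $LocalGroupSid |
        Select-Object Name, SID, PrincipalSource
}

# Usage (placeholder group names):
#   RDP access without local admin rights:
#     Grant-LocalGroupMembership -DomainGroup 'AADDSCONTOSO\Server-RDP-Operators' -Verbose
#   Full local administration:
#     Grant-LocalGroupMembership -DomainGroup 'AADDSCONTOSO\Server-Admins' -LocalGroupSid 'S-1-5-32-544'
```

Adding `-WhatIf` shows the change without making it.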

Nishant

Reputation: 623

Remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain requires a user account that's a member of the Azure AD DC administrators group in your Azure AD tenant. This is one of the prerequisites.

Upvotes: 0
