
How to Seamlessly Connect Non-Azure AD Joined Devices to Azure Virtual Desktop (AVD)

Connecting Non-Azure AD Joined Devices to Azure Virtual Desktop (AVD): Adding RDP Properties for Seamless Access

In a typical Azure Virtual Desktop (AVD) deployment with Azure AD joined session hosts, a client can only complete the connection without extra configuration if it is a Windows device joined to the same Azure AD tenant as the session hosts. For Windows clients that are not joined to that tenant, and for every non-Windows client (Android, iOS, macOS, and the web client), you must add the RDP property targetisaadjoined:i:1 to the host pool. This property tells the client to authenticate to the session host over RDSTLS rather than PKU2U, which is what these clients need to establish the connection at all. Be aware of the trade-off: connections made this way are restricted to entering a username and password when signing in to the session host, and because the property is set on the host pool, it applies to every connection to that pool, not only to the devices that need it.

Why Add targetisaadjoined:i:1?

This RDP property is needed for two related reasons:

  1. Protocol requirement: The web client and all non-Windows clients (Android, iOS, macOS) can only establish the connection over RDSTLS. Setting targetisaadjoined:i:1 makes the client negotiate RDSTLS instead of PKU2U, the protocol a Windows client uses when both it and the session host are joined to the same AAD tenant.
  2. Non-AAD joined devices: If the client device is not Azure AD joined to the same tenant as the AVD session hosts, the property must be set for the connection to succeed. This covers:
    • Windows devices using the Windows client that are not joined to the same AAD tenant
    • Any non-Windows device, such as Android, macOS, and iOS clients
    • Web client users

Adding this property is straightforward and only takes a few steps within the Azure Portal.

Step-by-Step: Adding targetisaadjoined:i:1 to Your Host Pool RDP Properties

  1. Sign in to the Azure Portal: Go to the Azure Portal and open the Azure Virtual Desktop section.
  2. Select your host pool: Open the host pool to which the affected users connect.
  3. Open the RDP Properties pane: In the host pool's menu, choose RDP Properties.
  4. Go to the Advanced tab: The Advanced tab shows the host pool's custom RDP properties as a single semicolon-separated list. Check whether targetisaadjoined:i:1 is already in that list.
  5. Add the property if it is missing:
    • Append targetisaadjoined:i:1 to the end of the list, separated from the previous entry by a semicolon. Do not replace the existing entries; the other properties in the list (drive redirection, audio, display settings, and so on) are what the host pool currently hands to every client.
    • Click Save to apply the change to the host pool.
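The same change can be scripted so it is repeatable and auditable across host pools. The following is an added example written for this post, not code from the original article; it uses the Get-AzWvdHostPool and Update-AzWvdHostPool cmdlets from the Az.DesktopVirtualization module, and the resource group and host pool names are placeholders. The important detail it handles is that -CustomRdpProperty replaces the whole property string, so the script rebuilds the list from the existing entries instead of overwriting them, and then reads the host pool back to verify the result.

```powershell
# Added example (not from the original post): idempotently add targetisaadjoined:i:1
# to an AVD host pool's custom RDP properties while preserving the existing entries.
# Prerequisites: Install-Module Az.Accounts, Az.DesktopVirtualization; Connect-AzAccount
# with an identity that can modify the host pool (e.g. Desktop Virtualization Host Pool Contributor).

$ResourceGroupName = 'rg-avd-prod'   # placeholder: your resource group
$HostPoolName      = 'hp-avd-prod'   # placeholder: your host pool
$Required          = 'targetisaadjoined:i:1'

$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

# CustomRdpProperty is one semicolon-separated string, and Update-AzWvdHostPool
# -CustomRdpProperty overwrites it entirely, so start from the current entries.
$entries = @()
if ($pool.CustomRdpProperty) {
    $entries = $pool.CustomRdpProperty.Split(';', [System.StringSplitOptions]::RemoveEmptyEntries)
}

# Remove any existing targetisaadjoined entry (for example :i:0) so the value set here is authoritative.
$entries = @($entries | Where-Object { $_ -notmatch '^targetisaadjoined:i:' })
$entries += $Required

# Preserve the trailing semicolon if the stored string already had one.
$trailing = if ($pool.CustomRdpProperty -and $pool.CustomRdpProperty.EndsWith(';')) { ';' } else { '' }
$newProps = ($entries -join ';') + $trailing

if ($newProps -ne $pool.CustomRdpProperty) {
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty $newProps | Out-Null
    Write-Host "Updated RDP properties for ${HostPoolName}: $newProps"
} else {
    Write-Host "$Required already present on $HostPoolName; no change made."
}

# Verify by reading the host pool back rather than trusting the local variable.
$check = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
if ($check -notmatch '(^|;)targetisaadjoined:i:1(;|$)') {
    throw "Verification failed; current RDP properties: $check"
}
Write-Host 'Verified: targetisaadjoined:i:1 is set on the host pool.'
```

Run the script once per host pool that serves non-AAD-joined or non-Windows clients. Because the property changes how every client authenticates to the session hosts in that pool, keep the change in source control alongside the rest of your host pool configuration and review it the same way you would any other authentication setting.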


Refresh Your Connection Feed

Clients cache the host pool's RDP properties in their workspace feed, so after saving the change each client must refresh its feed before the new property takes effect:

  • Web client: Close and reopen the browser, then sign in again.
  • Windows client: Refresh the workspace from the client (the overflow menu next to the workspace name has a Refresh option), or unsubscribe and subscribe again.
  • Non-Windows clients: On Android, iOS, and macOS, refresh the workspace feed in the AVD client so it downloads the updated connection settings.

A quick way to confirm the change reached the client is to download the connection's .rdp file from the web client and check that it contains the line targetisaadjoined:i:1.

Summary

Adding targetisaadjoined:i:1 to the host pool's RDP properties is the step that lets devices outside your AAD-joined environment, whether a Windows PC joined to another tenant, an Android, iOS, or macOS device, or the web client, connect to Azure AD joined session hosts using RDSTLS. It is a small change in the Azure Portal, but it is a host-pool-wide authentication setting: every connection to that pool will then sign in to the session host with a username and password, so set it deliberately, keep the existing RDP properties intact when you add it, and remember that clients only pick it up after refreshing their feed.

About the Author

Shaun Hardneck is a Microsoft Cloud Infrastructure Specialist and Security Architect with expertise in Azure, Microsoft 365, and Entra ID. With a practical, security-focused approach, Shaun frequently shares insights on cloud technologies to help others make the most of their Microsoft environments. If you’re looking for guidance or have questions about similar setups, Shaun is available to provide assistance.


Published in: Azure Active Directory, Microsoft Azure, Microsoft Azure Virtual Desktop, Microsoft Entra
