I have a Windows Server 2016 VM running on Azure. It is joined to an Azure Active Directory. Remote Desktop Services are installed and seem to be working properly.
I am trying to allow users from Azure AD to log into the server. The problem is that only users that are in the 'AAD DC Administrators' group can log in. All other users get this error message: 'The requested session access is denied'.
I've made sure that the AAD users are in the 'Remote Desktop Users' local group. I've also added those users to the Session Collection properties user groups in Remote Desktop Services.
I'm not really sure what other permissions users need to be able to log into the server. I obviously can't keep all of the users in the AAD DC Admins group.
Best Answer
Not sure if it's documented somewhere or supported (NOT TO BE DONE ON PRODUCTION), but I have been able to create my own group to manage RDP on Azure AD Domain Services.
Steps
Created a group in Azure AD and added members (MyRDPGroup), waited about 15-20 mins for replication.
On an already Azure AD Domain Services joined VM, using Group Policy Management, added the newly created group (MyRDPGroup) to the GPO policy that adds accounts to the local Administrators group.
When added the GPO looked like below.
Waited about 15-20 mins for replication. Did a 'gpupdate /force' on the member VM and rebooted.
I was then able to log in to any Azure AD Domain Services joined VM with the credentials of a member of the group (MyRDPGroup).
Just tested it right now and it still works. Hope this helps.
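The following PowerShell script is an added example and is not code from the asker or the answerer. It scripts the answer's procedure on a single member VM: confirm the Azure AD group has replicated into the managed domain (the name resolves to a SID), add it to the chosen local group, then re-apply Group Policy and print the resulting membership. The domain NetBIOS name AADDSCONTOSO is a placeholder; MyRDPGroup is the group name used in the answer. The default target is the local Administrators group, as in the answer; be aware that this gives every member full local admin rights on the VM, so pass -LocalGroup 'Remote Desktop Users' if that is sufficient in your environment. Run it in an elevated PowerShell session on the AAD DS joined VM.

```powershell
# Added example, not from the original question or answer.
# Assumes: the VM is already joined to the Azure AD Domain Services domain whose
# NetBIOS name is AADDSCONTOSO (placeholder) and the Azure AD group is MyRDPGroup
# (the name used in the answer). Requires an elevated session on the member VM.
[CmdletBinding()]
param(
    [string]$Domain     = 'AADDSCONTOSO',
    [string]$GroupName  = 'MyRDPGroup',
    # The answer adds the group to the local Administrators group; this default
    # mirrors that. Note it grants full local admin rights to every group member.
    [string]$LocalGroup = 'Administrators'
)

$member = "$Domain\$GroupName"

# 1. Check that the group has replicated into the managed domain. If the name
#    cannot be translated to a SID yet, the replication the answer describes
#    (about 15-20 minutes) has not completed; retry later instead of guessing.
try {
    $sid = ([System.Security.Principal.NTAccount]$member).Translate(
               [System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $member to $($sid.Value)"
} catch {
    throw "Cannot resolve $member yet; wait for Azure AD -> AAD DS replication and retry."
}

# 2. Add the group to the local group unless it is already a member
#    (comparing by SID avoids false negatives from display-name differences).
$existing = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop |
            Where-Object { $_.SID -eq $sid }
if ($existing) {
    Write-Host "$member is already a member of $LocalGroup"
} else {
    Add-LocalGroupMember -Group $LocalGroup -Member $member -ErrorAction Stop
    Write-Host "Added $member to $LocalGroup"
}

# 3. Re-apply Group Policy (the answer's gpupdate step) and show the final
#    membership. A Restricted Groups policy that enforces "Members of this group"
#    replaces the local membership on refresh, so a locally added entry that
#    disappears here means the group must be added in the GPO, as the answer did.
gpupdate /force | Out-Null
Get-LocalGroupMember -Group $LocalGroup |
    Select-Object Name, SID, PrincipalSource |
    Format-Table -AutoSize
```

If the listing after gpupdate no longer contains the group, the GPO is overwriting local membership and the group has to be placed in that policy (the answer's step 2) rather than added on the VM; a reboot, as the answer notes, makes sure the new token is used at the next RDP logon.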