You can use the Windows app to connect to an Entra-joined Windows device. If you're reading this you have most likely hit a variety of errors with different combinations of settings, such as:
- Code: -51410
- AADSTS293004
- Something went wrong
- The User Account Did Not Work
You may have tried things like disabling NLA, using azuread\username@domain.com, and so on, and they haven't worked. Here's what worked for me:
- You MUST connect to the PC using its short hostname, not its FQDN and not an azuread\ prefixed name.
- The short hostname can be retrieved by opening a command prompt on the Windows device and running hostname. The output of that command is the short hostname.
- That means your Mac's default DNS search domain needs an A record, shortname.homedomain.com, pointing to the private IP of the Windows device, so that the bare short name resolves from the Mac.
- In my case, I run a recursive resolver on my firewall and added an entry there.
- You will know you have gotten this to work by opening a Terminal on the Mac and pinging the short name. It must resolve to the IP of the Windows device; if it resolves to nothing, or to something else, fix DNS before touching the RDP settings.
- You need to create an RDP file manually that has these two lines added to it:
- enablerdsaadauth:i:1
- targetisaadjoined:i:1
You will get a modern auth prompt when connecting and can complete full MFA. Use the full UPN of the user you log in to the Windows device with.
Bear in mind that these logins are subject to Conditional Access policies, so some fiddling may be required depending on your All Cloud Apps policies (think: device compliance; a policy that requires a compliant device is evaluated against the Mac you are connecting from, not the Windows target).
Here is what my RDP file looks like (swap <shortname> for the short hostname of your Windows device):
redirectwebauthn:i:1
redirectlocation:i:0
smart sizing:i:1
armpath:s:
enablerdsaadauth:i:1
targetisaadjoined:i:1
hubdiscoverygeourl:s:
redirected video capture encoding quality:i:0
camerastoredirect:s:*
gatewaybrokeringtype:i:0
use redirection server name:i:0
alternate shell:s:
disable themes:i:0
geo:s:
disable cursor setting:i:1
remoteapplicationname:s:
resourceprovider:s:
disable menu anims:i:1
remoteapplicationcmdline:s:
promptcredentialonce:i:0
gatewaycertificatelogonauthority:s:
audiocapturemode:i:1
prompt for credentials on client:i:1
allowed security protocols:s:*
gatewayhostname:s:
remoteapplicationprogram:s:
gatewayusagemethod:i:2
screen mode id:i:1
use multimon:i:0
authentication level:i:2
desktopwidth:i:0
desktopheight:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
forcehidpioptimizations:i:1
full address:s:<shortname>
drivestoredirect:s:*
loadbalanceinfo:s:
networkautodetect:i:1
enablecredsspsupport:i:1
redirectprinters:i:1
autoreconnection enabled:i:1
session bpp:i:32
administrative session:i:0
audiomode:i:0
bandwidthautodetect:i:1
authoring tool:s:
connection type:i:7
remoteapplicationmode:i:0
disable full window drag:i:0
gatewayusername:s:
dynamic resolution:i:1
shell working directory:s:
wvd endpoint pool:s:
remoteapplicationappid:s:
username:s:
allow font smoothing:i:1
AllowRelativeMouseMode:i:0
connect to console:i:0
disable wallpaper:i:0
gatewayaccesstoken:s:
alternate full address:s:<shortname>
disableremoteappcapscheck:i:1
prompt for credentials:i:1
redirectcomports:i:1
span monitors:i:1
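As an added example (not part of the original post), here is a small POSIX shell script for the Mac side that automates the three things that bite people above: it checks that the short name resolves to the expected private IP, writes a minimal .rdp file with the two Entra lines, and validates an existing .rdp file such as the one listed above. The hostname win-desk01, the IP 10.0.0.50 and the UPN alice@homedomain.com are assumed placeholders, and it uses dig rather than ping for the lookup so the result can be compared in a script.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed placeholders:
# WIN_SHORT=win-desk01  WIN_IP=10.0.0.50  UPN=alice@homedomain.com

# Print the first IPv4 A record the system resolver returns for a name.
# dig appends the Mac's search domain when given a bare short name, which is
# exactly the behaviour the Windows app relies on.
resolve_a() {
    dig +short "$1" A 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# Return 0 when $1 is a bare short hostname that resolves to IP $2.
check_short_name() {
    short="$1"; expected="$2"
    case "$short" in
        *.*|*\\*) echo "use the bare short hostname, got '$short'" >&2; return 1 ;;
    esac
    got="$(resolve_a "$short")"
    if [ "$got" != "$expected" ]; then
        echo "$short resolves to '${got:-nothing}', expected $expected" >&2
        return 1
    fi
}

# Emit a minimal RDP file for the Windows app on macOS: short name as the
# target, the two Entra settings, CredSSP/NLA left on, and an optional UPN.
make_rdp() {
    short="$1"; upn="${2:-}"
    printf '%s\n' \
        "full address:s:$short" \
        "alternate full address:s:$short" \
        "enablerdsaadauth:i:1" \
        "targetisaadjoined:i:1" \
        "enablecredsspsupport:i:1" \
        "authentication level:i:2" \
        "prompt for credentials:i:1" \
        "prompt for credentials on client:i:1" \
        "redirectwebauthn:i:1" \
        "username:s:$upn"
}

# Validate an existing .rdp file (CRLF tolerated): both Entra lines present
# and full address is a bare short name with no domain suffix or azuread\ prefix.
check_rdp() {
    file="$1"; rc=0
    body="$(tr -d '\r' < "$file")"
    printf '%s\n' "$body" | grep -qx 'enablerdsaadauth:i:1' \
        || { echo "missing enablerdsaadauth:i:1" >&2; rc=1; }
    printf '%s\n' "$body" | grep -qx 'targetisaadjoined:i:1' \
        || { echo "missing targetisaadjoined:i:1" >&2; rc=1; }
    addr="$(printf '%s\n' "$body" | sed -n 's/^full address:s://p' | head -n 1)"
    case "$addr" in
        ''|*.*|*\\*) echo "full address must be the bare short hostname, got '$addr'" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage: ./entra-rdp.sh win-desk01 10.0.0.50 alice@homedomain.com
if [ "$#" -ge 2 ]; then
    check_short_name "$1" "$2" \
        && make_rdp "$1" "${3:-}" > "$1.rdp" \
        && check_rdp "$1.rdp" \
        && echo "wrote $1.rdp"
fi
```

Run check_rdp against an .rdp file exported by the Windows app to catch the common mistakes (FQDN in full address, or one of the two Entra lines missing) before spending time on Conditional Access.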