RDP of Azure AD Joined Device MS-Organization-P2P-Access Certificate

Taking RDP of Azure AD joined devices is always painful. Let’s learn about MS-Organization-P2P-Access certificates. The P2P access certificates provide RDP access to Azure AD joined devices. I have a post on how to take RDP of AAD Joined Windows 10 Azure Virtual Machines, and another on Intune enrollment of the AADJ Azure VM.

Special thanks to Joy for helping me understand this scenario better.

What is MS-Organization-P2P-Access Certificate

The MS-Organization-P2P-Access certificates are issued by Azure AD to both Azure AD joined and hybrid Azure AD joined devices. The P2P certificates are:

  • One certificate is issued to the device (computer certificate).
  • The second certificate is issued to the user (I couldn’t track down the user certificate in my lab).
  • The third certificate is the AAD Token Issuer certificate.

Together, the issuer, computer, and user certificates provide RDP access to an AADJ Azure VM.

NOTE! – MS-Organization-P2P-Access is a SERVER Certificate

Computer Certificate

This “MS-Organization-P2P-Access [2020]” certificate is used to enable trust between devices in the same tenant for remote desktop (RDP) scenarios.

  • The device certificate is present in Local Computer\Personal\Certificates and is valid for one day.
  • This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD.

Figure: Computer Certificate – MS-Organization-P2P-Access [2020]

User Certificates

As I mentioned above, I don’t see the user certificate under “Current User\Personal\Certificates.” But, as per the Microsoft FAQ here, the user certificate should be present.

  • The User P2P certificate is also valid for one day.
  • This certificate is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device.
  • This Certificate is not renewed on expiry.

AAD Token Issuer Certificate

Both the user and computer certificates are issued by this AAD Token Issuer (MS-Organization-P2P-Access) certificate.

NOTE! – This certificate is present in the Local Computer\AAD Token Issuer\Certificates.

Figure: AAD Token Issuer Certificate – MS-Organization-P2P-Access
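An added check, not from the original post, that ties the three stores described above together: it lists the P2P certificates in the computer, user and AAD Token Issuer stores, reports their one-day lifetime and expiry, and verifies that each device or user certificate actually chains to the AAD Token Issuer certificate. It assumes the store paths named in the post are reachable through PowerShell's Cert: drive and that the session is elevated on the AADJ device.

```powershell
# Added example (not the post's own code). Inventory MS-Organization-P2P-Access
# certificates on an Azure AD joined device and check they chain to the AAD Token Issuer.
# Assumed: store paths from the post are reachable via the Cert: drive; run elevated.
$pattern = 'MS-Organization-P2P-Access'

# Issuer certificate: Local Computer\AAD Token Issuer
$issuerCerts = Get-ChildItem 'Cert:\LocalMachine\AAD Token Issuer' -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like "*$pattern*" }
# Device certificate: Local Computer\Personal, issued by the P2P issuer, valid one day
$deviceCerts = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Issuer -like "*$pattern*" }
# User certificate: issued on demand, so this is usually empty until an RDP attempt
$userCerts = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Issuer -like "*$pattern*" }

function Test-P2PChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, $Issuers)
    # The issuer is tenant-specific, not a public CA: supply it explicitly and allow an
    # unknown root. A successful Build means the signature verified against that issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($i in $Issuers) { [void]$chain.ChainPolicy.ExtraStore.Add($i) }
    $built = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($built -and (@($Issuers | ForEach-Object Thumbprint) -contains $root.Thumbprint))
}

$now = Get-Date
foreach ($c in @($deviceCerts) + @($userCerts)) {
    [pscustomobject]@{
        Store                  = if ($c.PSParentPath -like '*LocalMachine*') { 'Computer' } else { 'User' }
        Subject                = $c.Subject
        NotAfter               = $c.NotAfter
        LifetimeDays           = [math]::Round(($c.NotAfter - $c.NotBefore).TotalDays, 2)
        Expired                = ($c.NotAfter -lt $now)
        ChainsToAADTokenIssuer = Test-P2PChain -Cert $c -Issuers $issuerCerts
        Thumbprint             = $c.Thumbprint
    }
}
if (-not $issuerCerts) {
    Write-Warning 'No AAD Token Issuer P2P certificate found; the device may not be Azure AD joined.'
}
```

An expired or non-chaining device certificate is the first thing to look at when RDP to an AADJ VM fails, since the certificate is reissued only while the device is still active in Azure AD.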
