Taking RDP of Azure AD joined devices are always painful. Let’s learn about MS-Organization-P2P-Access Certificates. The P2P access certificates provide RDP access to Azure AD joined devices. I have a post on how to take RDP of AAD Join Windows 10 Azure Virtual Machines. Another one is Intune enrollment of the AADJ Azure VM.
Special thanks to Joy to help me out to understand this scenario better.
What is MS-Organization-P2P-Access Certificate
The MS-Organization-P2P-Access certificates are issued by Azure AD to both, Azure AD joined and hybrid Azure AD joined devices. The list of P2P certificates are listed down:
- One certificate is issued to the device (computer certificate)
- The second Certificate is issued to the user (I couldn’t track down the user certificate in my lab).
- The Third certificate is AAD Token Issuer
This issuer, computer, and user certificates help to gain RDP access for AADJ Azure VM.
NOTE! – MS-Organization-P2P-Access is a SERVER Certificate
This “MS-Organization-P2P-Access ” certificate is used to enable trust between devices in the same tenant for remote desktop (RDP) scenarios.
- The device certificate is present in Local Computer\ Personal\ Certificates and is valid for one day.
- This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD.
As I mentioned above, I don’t see the user certificate under “Current User\ Personal\ Certificates.” But, as per the Microsoft FAQ here, the user should be present.
- The User P2P certificate is also valid for one day.
- This certificate is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device.
- This Certificate is not renewed on expiry.
AAD Token Issuer Certificate
Both these user and computer certificates are issued using the MS-Organization-P2P-Access certificate.
NOTE! – This certificate is present in the Local Computer\AAD Token Issuer\Certificates.
- Public Key Cryptography Based User-to-User Authentication – (PKU2U)
- What is the Azure AD service principal “P2P Server” for?
- What are the certificates present on our Windows 10 devices?
- How To Take RDP Of Azure AD Joined Azure VM Using Bastion