MS-Organization-P2P-Access Certificate Provides Azure AD Join RDP Access

Let’s learn about MS-Organization-P2P-Access Certificates. The P2P access certificates provide RDP access to Azure AD joined devices.

I have a post on how to take RDP of AAD Join Windows 10 Azure Virtual Machines. Another one Intune enrollment of the AADJ Azure VM.

Special thanks to Joy to help me out to understand this scenario better.

What is MS-Organization-P2P-Access Certificate

The MS-Organization-P2P-Access certificates are issued by Azure AD to both, Azure AD joined and hybrid Azure AD joined devices. The list of P2P certificates are listed down:

  • One certificate is issued to the device (computer certificate)
  • The second Certificate is issued to the user (I couldn’t track down the user certificate in my lab).
  • The Third certificate is AAD Token Issuer

These issuer, computer, and user certificates help to gain RDP access for AADJ Azure VM.

NOTE! – MS-Organization-P2P-Access is a SERVER Certificate

Computer Certificate

This “MS-Organization-P2P-Access [2020]” certificate is used to enable trust between devices in the same tenant for remote desktop (RDP) scenarios.

  • The device certificate is present in Local Computer\ Personal\ Certificates and is valid for one day.
  • This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD.
 Computer Certificate -  MS-Organization-P2P-Access [2020]
Computer Certificate – MS-Organization-P2P-Access [2020]

User Certificates

As I mentioned above, I don’t see the user certificate under “Current User\ Personal\ Certificates.” But, as per the Microsoft FAQ here, the user should be present.

  • The User P2P certificate is also valid for one day.
  • This certificate is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device.
  • This Certificate is not renewed on expiry.

AAD Token Issuer Certificate

Both these user and computer certificates are issued using the MS-Organization-P2P-Access certificate.

NOTE! – This certificate is present in the Local Computer\AAD Token Issuer\Certificates.

AAD Token Issuer Certificate
AAD Token Issuer Certificate – MS-Organization-P2P-Access


Leave a Comment

Your email address will not be published. Required fields are marked *