Let’s learn about MS-Organization-P2P-Access Certificates. The P2P access certificates provide RDP access to Azure AD joined devices.
Special thanks to Joy for helping me understand this scenario better.
What is MS-Organization-P2P-Access Certificate
The MS-Organization-P2P-Access certificates are issued by Azure AD to both Azure AD joined and hybrid Azure AD joined devices. The P2P certificates are:
- One certificate is issued to the device (computer certificate)
- The second certificate is issued to the user (I couldn’t track down the user certificate in my lab).
- The third certificate is the AAD Token Issuer.
These issuer, computer, and user certificates help to gain RDP access to an AADJ Azure VM.
NOTE! – MS-Organization-P2P-Access is a SERVER Certificate
This “MS-Organization-P2P-Access” certificate is used to enable trust between devices in the same tenant for remote desktop (RDP) scenarios.
- The device certificate is present in Local Computer\Personal\Certificates and is valid for one day.
- This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD.
As I mentioned above, I don’t see the user certificate under “Current User\Personal\Certificates.” But, as per the Microsoft FAQ here, the user certificate should be present.
- The User P2P certificate is also valid for one day.
- This certificate is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device.
- This certificate is not renewed on expiry.
AAD Token Issuer Certificate
Both these user and computer certificates are issued using the MS-Organization-P2P-Access certificate.
NOTE! – This certificate is present in the Local Computer\AAD Token Issuer\Certificates.
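To check the stores described above on a device, here is a PowerShell audit added as an example (it is not from the original post or from Microsoft). It assumes the MMC store names map to the `Cert:` provider paths shown, that the certificates carry "MS-Organization-P2P-Access" in their issuer or subject, and a 26-hour tolerance chosen here for the one-day validity.

```powershell
# Added example (not from the article). Run on an Azure AD joined device.
# Assumption: the MMC store names in the article map to these provider paths.
$stores = @(
    'Cert:\LocalMachine\My',                 # Local Computer\Personal
    'Cert:\CurrentUser\My',                  # Current User\Personal
    'Cert:\LocalMachine\AAD Token Issuer'    # Local Computer\AAD Token Issuer
)
$pattern  = '*MS-Organization-P2P-Access*'
$maxHours = 26   # assumed tolerance around the one-day validity the article states
$now      = Get-Date

$found = foreach ($store in $stores) {
    if (-not (Test-Path -LiteralPath $store)) { continue }
    Get-ChildItem -LiteralPath $store |
        Where-Object { $_.Issuer -like $pattern -or $_.Subject -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store     = $store
                Subject   = $_.Subject
                Issuer    = $_.Issuer
                NotAfter  = $_.NotAfter
                LifetimeH = [math]::Round(($_.NotAfter - $_.NotBefore).TotalHours, 1)
                Expired   = $_.NotAfter -lt $now
            }
        }
}
if (-not $found) { Write-Warning 'No MS-Organization-P2P-Access certificates found.'; return }
$found | Sort-Object Store, NotAfter | Format-Table -AutoSize

# Split issuer-store entries from the device/user certificates in the Personal stores.
$issuerSubjects = @($found | Where-Object { $_.Store -like '*AAD Token Issuer' } |
    ForEach-Object { $_.Subject })
$leaf = @($found | Where-Object { $_.Store -like '*\My' })

foreach ($c in $leaf) {
    if ($c.LifetimeH -gt $maxHours) {
        Write-Warning "$($c.Subject): lifetime $($c.LifetimeH)h is longer than expected"
    }
    if ($c.Issuer -notin $issuerSubjects) {
        Write-Warning "$($c.Subject): issuer not in the AAD Token Issuer store"
    }
}
# The device certificate is renewed while the device is active in Azure AD,
# so a machine store that holds only expired P2P certificates deserves a look.
$machine = @($leaf | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })
if ($machine.Count -gt 0 -and -not ($machine | Where-Object { -not $_.Expired })) {
    Write-Warning 'All device P2P certificates are expired; check device state in Azure AD.'
}
```

An empty result for `Cert:\CurrentUser\My` is expected on a device whose user has not started an RDP session, because the user certificate is issued on demand.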
- Public Key Cryptography Based User-to-User Authentication – (PKU2U)
- What is the Azure AD service principal “P2P Server” for?
- What are the certificates present on our Windows 10 devices?
- How To Take RDP Of Azure AD Joined Azure VM Using Bastion