Last updated: May 2026

Connect to Azure VM via RDP

RDP (Remote Desktop Protocol) is the standard way to connect to Windows VMs in Azure. It gives you a full graphical desktop session — exactly like sitting in front of a Windows computer, but running in Azure's data centre. This page covers connecting from any platform, security hardening, and using Azure Bastion as a safer alternative.

What you'll learn: How RDP works · Connecting from Windows, Mac, and Linux · Downloading the RDP file from Azure Portal · Security risks of open port 3389 · Restricting RDP access to your IP · Using Azure Bastion for RDP · Troubleshooting common connection issues

How RDP Works

RDP is a Microsoft protocol that transmits a live graphical desktop session over the network. When you connect via RDP:

  1. Your RDP client connects to port 3389 on the VM's public IP
  2. The connection is encrypted using TLS
  3. You authenticate with the VM's administrator username and password
  4. The Windows desktop renders on your screen — input goes to the VM, display comes back to you

RDP vs SSH: RDP provides a full graphical desktop — Windows Explorer, Task Manager, all GUI apps. SSH provides a text-only terminal. RDP is used for Windows VMs. SSH is used for Linux VMs (though Linux VMs can also be configured with a desktop and VNC, this is uncommon on Azure).

Before You Connect

  • VM is running (not deallocated)
  • Port 3389 is open in the VM's Network Security Group
  • You have the VM's public IP address
  • You have the administrator username and password
Azure CLI Get VM public IP
az vm show \
  --resource-group myResourceGroup \
  --name myWindowsVM \
  --show-details \
  --query publicIps \
  --output tsv

Connect from Windows

Windows has Remote Desktop Connection built in — no installation needed.

Method 1 — Run Dialog (Fastest)

  1. Press Win + R
  2. Type mstsc and press Enter
  3. In the "Computer" field, enter the VM's public IP address
  4. Click Connect
  5. Enter your administrator username and password
  6. Click Yes on the certificate warning

Method 2 — Command Line

PowerShell / CMD Launch RDP from command line
# Open RDP to a specific IP
mstsc /v:4.188.23.45

# Open RDP in full screen
mstsc /v:4.188.23.45 /f

# Open RDP with specific screen resolution
mstsc /v:4.188.23.45 /w:1920 /h:1080

Connect from Mac

Download Microsoft Remote Desktop from the Mac App Store — it's free and maintained by Microsoft.

  1. Open the App Store and search for Microsoft Remote Desktop
  2. Install and open it
  3. Click Add PC
  4. Enter the VM's public IP in "PC Name"
  5. Under "User account", click the dropdown → Add User Account
  6. Enter your administrator username and password
  7. Click Add, then double-click the PC to connect

Mac Tip: You can also use the RDP file downloaded from the Azure Portal directly on Mac — Microsoft Remote Desktop will open it automatically.

Connect from Linux

Linux doesn't have a built-in RDP client, but several open-source options are available:

Bash Install Remmina RDP client on Ubuntu
# Install Remmina (popular Linux RDP client)
sudo apt update
sudo apt install -y remmina remmina-plugin-rdp

# Or use FreeRDP (command-line RDP client)
sudo apt install -y freerdp2-x11

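# Connect via FreeRDP
# (leave out /p:YourPassword to be prompted instead, which keeps the password out of shell history and the process list)
xfreerdp /v:4.188.23.45 /u:azureuser /p:YourPassword /f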

Using the RDP File from Azure Portal

The easiest way to connect — the Azure Portal generates a pre-configured .rdp file:

  1. Go to your VM in the Azure Portal
  2. Click Connect in the top menu
  3. Select RDP
  4. Verify the IP address and port (3389)
  5. Click Download RDP File
  6. Open the downloaded file — your RDP client launches automatically
  7. Enter your administrator credentials when prompted

Certificate Warning: You'll see a warning that the remote computer's identity can't be verified. This is normal for Azure VMs — the VM uses a self-signed certificate. Click Yes (or Connect Anyway on Mac) to proceed. This is safe for VMs you created yourself.

Security — Hardening RDP Access

Port 3389 open to the internet is a significant security risk. Automated bots constantly scan the internet for open RDP ports and attempt to brute-force credentials. Here's how to harden your setup:

Option 1 — Restrict NSG to Your IP Only

The simplest hardening — change the NSG rule so only your specific IP can reach port 3389.

Azure CLI Restrict RDP to your IP address only
# First find your public IP
curl https://api.ipify.org

# Update the NSG rule to allow only your IP
az network nsg rule update \
  --resource-group myResourceGroup \
  --nsg-name myVM-nsg \
  --name RDP \
  --source-address-prefixes 103.45.67.89  # Replace with your IP

Option 2 — Use Azure Bastion (Best Practice)

Azure Bastion eliminates the need to open port 3389 entirely. Covered in detail in the next section.

Option 3 — Just-in-Time (JIT) VM Access

Microsoft Defender for Cloud's JIT feature keeps port 3389 closed by default. When you need to connect, you request access through the portal — it opens port 3389 for your IP for a limited time (e.g., 3 hours), then closes it automatically.

Never Leave RDP Open to 0.0.0.0/0: An RDP port open to the entire internet will receive thousands of brute-force login attempts per day. Always restrict to your IP, use Bastion, or use JIT. This is one of the most common causes of Azure VM compromises.
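
To check what an NSG actually permits after the hardening options above, this added example (not code from the original page) evaluates inbound rules in priority order, first match wins, and reports which rule decides an RDP connection from a given source address. The rule sets and the probe address 198.51.100.7 are constructed; service tags other than Internet are not resolved (assumption).

```python
import ipaddress

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # wildcard sources an NSG rule can carry

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "3389" or "3000-4000"
    return int(lo) <= port <= int(hi or lo)

def _source_matches(prefix, src):
    if prefix.lower() in ANY_SOURCE:
        return True
    try:
        return src in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # assumption: other service tags are not resolved here

def rdp_verdict(rules, src_ip, port=3389):
    """Return (access, rule name) of the first inbound rule matching src_ip -> port."""
    src = ipaddress.ip_address(src_ip)
    inbound = (r for r in rules if r["direction"].lower() == "inbound")
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if r["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_port_matches(p, port) for p in ports) and \
           any(_source_matches(s, src) for s in sources):
            return r["access"], r["name"]
    return "Deny", "default DenyAllInBound"   # nothing matched before the default deny

def _rule(name, priority, source, ports):
    # Constructed sample rule using the field names az prints for securityRules.
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": source,
            "sourceAddressPrefixes": [], "destinationPortRange": ports,
            "destinationPortRanges": []}

OPEN = [_rule("RDP", 300, "*", "3389")]                    # 3389 open to any source
RESTRICTED = [_rule("RDP", 300, "103.45.67.89", "3389")]   # after Option 1
OVERLAPPING = RESTRICTED + [_rule("AppPorts", 400, "Internet", "3000-4000")]

if __name__ == "__main__":
    probe = "198.51.100.7"   # constructed address standing in for an internet host
    for label, rules in (("open", OPEN), ("restricted", RESTRICTED),
                         ("overlapping", OVERLAPPING)):
        print(label, rdp_verdict(rules, probe), rdp_verdict(rules, "103.45.67.89"))
```

The OVERLAPPING set shows why restricting the rule named RDP is not enough on its own: a second Allow rule whose port range covers 3389 still admits the probe address.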

Azure Bastion for RDP

Azure Bastion provides RDP access through your browser — no open port 3389, no public IP required on the VM.

  1. Deploy Azure Bastion to your VNet (one-time setup)
  2. In the Azure Portal, go to your VM → Connect → Bastion
  3. Enter the administrator username and password
  4. Click Connect — an RDP session opens directly in your browser tab

| | Direct RDP | Azure Bastion |
|---|---|---|
| Port 3389 open to internet | Yes | No |
| Requires public IP on VM | Yes | No |
| Connection via | RDP client app | Browser |
| Cost | Free | ~₹5,000–6,000/month |
| Security level | Depends on NSG | High — no internet exposure |

Troubleshooting RDP Issues

Can't connect — Connection refused or timeout

  • Is the VM running? Check in the portal — it may be deallocated
  • Is port 3389 open in the NSG? Check inbound rules
  • Is the NSG rule restricted to a specific IP that no longer matches yours? (ISPs sometimes change your IP)
  • Is the public IP correct? Dynamic IPs can change when a VM is deallocated and restarted

Wrong credentials — Login failed

  • Double-check your username — a common mistake is typing "admin" (which Azure blocks)
  • If you forgot the password, reset it in the portal: VM → Reset password under Support + Troubleshooting

Certificate error / Remote desktop can't connect

  • This is normal — accept the self-signed certificate warning
  • If the error persists, the VM's RDP service may need restarting — use the Azure Serial Console
Azure CLI Reset VM administrator password
az vm user update \
  --resource-group myResourceGroup \
  --name myWindowsVM \
  --username azureuser \
  --password "NewSecureP@ssword123!"

AZ-104 Exam Tip: Know that RDP uses port 3389, that you need an NSG inbound rule for port 3389 to connect, that Azure Bastion provides browser-based RDP without port 3389, and that JIT VM Access can restrict access to specific time windows.

Practice Questions
Q1. Which port does RDP use by default?
A Port 22
B Port 443
C Port 3389
D Port 8080
Q2. A security administrator wants to connect to a Windows VM via RDP without opening port 3389 to the internet. What is the best solution?
A Change the RDP port from 3389 to a custom port
B Use Azure Bastion for browser-based RDP without exposing port 3389
C Remove the Network Security Group from the VM
D Open port 3389 to all internet traffic for easy access
Q3. An administrator forgot the password for a Windows VM in Azure. What is the correct way to recover access?
A Delete the VM and create a new one
B Connect via RDP and change the password from inside the VM
C Use the Azure Portal Reset password feature or Azure CLI to set a new password
D Contact Microsoft support to reset the password
Q4. What built-in Windows command opens the Remote Desktop Connection client?
A rdp
B remote
C mstsc
D winrdp
Q5. What is Microsoft Defender for Cloud's Just-in-Time (JIT) VM Access used for?
A To create automatic VM backups just before a connection
B To keep port 3389 closed by default and open it temporarily only when needed
C To optimise VM performance during peak hours
D To automatically scale the VM when high load is detected
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with, endorsed by, or officially connected to Microsoft Corporation. All product names, logos, and trademarks are property of their respective owners. Content is written independently for educational purposes only.