How do I use Azure AD users and groups with RealVNC Server's System Authentication?


Summary

This article provides the steps to follow to allow you to use Azure AD (AAD) users and groups to authenticate to RealVNC Server on Azure AD joined devices.

Populating local security groups with Azure AD users and groups

To use AAD users and groups with RealVNC Server's SystemAuth, the AAD user/group must be added to a local security group on the RealVNC Server computer. You can use either Intune or PowerShell to perform the configuration.

  • AAD users must be added using the format AzureAD\upn, e.g. AZUREAD\jacksmith@mycorp.onmicrosoft.com
  • AAD groups must be added using their SID, which you can determine by converting the group object ID using the PowerShell script at the bottom of this page.

AAD groups must be added to a "built-in" security group for RealVNC Server to allow authentication, e.g. Administrators or Remote Desktop Users. Custom security groups will not work with AAD groups. Please see bullet point 2 of this page, which explains this limitation.

Intune

Intune can be leveraged to populate the local security groups with AAD users and groups using Device Configuration Profiles, as shown below.

  1. Log in to https://endpoint.microsoft.com/#home
  2. Click Devices on left menu, then Configuration
  3. Click Create, New Policy
  4. Select Platform - Windows 10 and later, Templates, Custom
  5. Click Create
  6. Enter a name (e.g. VNC Security Group Configuration), click Next
  7. Click Add, then populate the fields as below:
    • Name: The name of the setting, e.g. Local Security Groups for VNC Connect
    • Description: An optional extended description
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure 
    • Data Type: String
    • Value:
      <GroupConfiguration>
          <accessgroup desc = "VNC Users">
              <group action = "U"/>
              <add member = "AzureAD\jacksmith@mycorp.onmicrosoft.com"/>
          </accessgroup>
          <accessgroup desc = "Remote Desktop Users">
              <group action = "U"/>
              <add member = "S-1-12-1-420420627-1261603987-2980144026-3227595354"/>
          </accessgroup>
      </GroupConfiguration>

      The above example is adding the AAD user AZUREAD\jacksmith@mycorp.onmicrosoft.com to the local group VNC Users, and is adding the AAD group with SID S-1-12-1-420420627-1261603987-2980144026-3227595354 to the local group Remote Desktop Users.

  8. Click Next
  9. Configure Assignments: Configure which group(s) to apply the policy to e.g. All devices, click Next
  10. Applicability Rules: Configure any rules to use when determining whether to apply the policy to a device or leave blank, click Next
  11. Review + create: Click Create

PowerShell

PowerShell commands can be run on the RealVNC Server computer to create groups and add AAD users and groups as members.

New-LocalGroup -Name "VNC Users"
Add-LocalGroupMember -Group "VNC Users" -Member "AzureAD\jacksmith@mycorp.onmicrosoft.com"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "S-1-12-1-420420627-1261603987-2980144026-3227595354"

The above example is adding the AAD user AZUREAD\jacksmith@mycorp.onmicrosoft.com to the local group VNC Users, and is adding the AAD group with SID S-1-12-1-420420627-1261603987-2980144026-3227595354 to the local group Remote Desktop Users.

Verifying local group membership

Run lusrmgr.msc on the RealVNC Server computer, and go to Groups. Double click on a group name to view the members and you should see the users and/or groups you added.
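As an added example (not part of the RealVNC article), the same check can be done from PowerShell: list the members of the two groups the article populates and, for Azure AD principals (whose SIDs carry the S-1-12-1 prefix), reverse the conversion performed by the script at the bottom of this page so each SID can be matched back to its Azure AD object ID. The group names are the article's; Convert-SidToAzureAdObjectId is a name chosen here.

```powershell
# Added example, not from the RealVNC article: audit local group membership
# and map Azure AD SIDs back to the object IDs they were generated from.
function Convert-SidToAzureAdObjectId {
    param([Parameter(Mandatory)][string] $Sid)

    # Azure AD principals always get the S-1-12-1 prefix followed by four
    # 32-bit sub-authorities, which are the 16 bytes of the object ID GUID.
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an Azure AD SID: $Sid"
    }
    $array = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = New-Object 'Byte[]' 16

    # Same byte layout the article's script uses, copied in the other direction
    [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
    return [Guid]::new($bytes).ToString()
}

# Walk the groups the article adds members to and report what is actually present
foreach ($group in 'VNC Users', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction Stop | ForEach-Object {
        $sidValue  = $_.SID.Value
        $objectId  = if ($sidValue -like 'S-1-12-1-*') { Convert-SidToAzureAdObjectId $sidValue } else { '' }
        [PSCustomObject]@{
            Group       = $group
            Member      = $_.Name
            ObjectClass = $_.ObjectClass
            SID         = $sidValue
            AadObjectId = $objectId
        }
    }
}
```

Compare the AadObjectId column against the group object IDs in the Azure portal; a SID that does not resolve to an expected object ID is a membership you did not intend to grant.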

Configuring RealVNC Server's Users & Permissions

RealVNC Server can be configured as normal by adding the local groups as shown here.

Authenticating to RealVNC Server

When you attempt to connect to a RealVNC Server and see the prompt for your username and password, complete it as below:

Username: AZUREAD\upn (e.g. AzureAD\jacksmith@mycorp.onmicrosoft.com)
Password: Your AzureAD password

PowerShell script to convert Azure AD Object IDs to Windows Security Identifiers (SIDs)

### PowerShell script to convert AAD Object ID to SID ###

### usage ./objectIDToSID.ps1 -objectID XXXyyyyZZZ

param ($objectId)

function Convert-AzureAdObjectIdToSid {
  <#
    Adapted from a script originally authored by:
    Oliver Kieselbach (oliverkieselbach.com)
    The script is provided "AS IS" with no warranties.

    .PARAMETER ObjectID
    The Object ID to convert
  #>

  param([String] $ObjectId)

  # The object ID is a GUID; its 16 bytes become four 32-bit sub-authorities
  $bytes = [Guid]::Parse($ObjectId).ToByteArray()
  $array = New-Object 'UInt32[]' 4

  [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
  # Azure AD principals use the S-1-12-1 prefix; the array expands space-separated,
  # so the spaces are swapped for the dashes of SID notation
  $sid = "S-1-12-1-$array".Replace(' ', '-')

  return $sid
}

$sid = Convert-AzureAdObjectIdToSid -ObjectId $objectId
Write-Output $sid

### End PowerShell script ###

Comments

  • Hi Jack,

    I tried to follow the steps to add an AAD group to the Intune PC VNC Server, but it was not successful because of a conflict with an ADMX policy.
    Do you have any advice?

    Cheers

    Jacky

  • Hi,

    Thanks for your message. Please submit a ticket at https://help.realvnc.com/hc/en-us/requests/new and we'll be happy to look into this for you!

    Thanks,

    Jack

  • Hi Jack. Do you have a walk-through video showing how this is all done?

  • On checking the guideline, the method has probably changed since original publication, as you can't leave configuration settings blank and have to use settings and the ADMX. I found the best solution for our off-site Autopiloted machines was to use a LAPS account policy: for one, the LAPS admin account password changes frequently and is more secure, and secondly, our own users' details don't risk the possibility of leaking. I've also found that, to add certain accounts, a Detection/remediation script was so much easier to work with. Once I've finished here I will draft some notes and share them, hopefully helping others.

  • Hi Eugene,

    Thanks for your comment. I've updated the Intune steps to reflect that the setting cannot be left blank and we'll look to update the OMA-URI approach with the updated group membership on offer in Intune in the future.

