Starting in October 2022, there is a new method that uses Conditional Access, allows passwordless authentication methods, and enables SSO or at least storing the login token. You basically just go to the Advanced Tab of the RDP client and check "Use a web account to sign in to the remote computer". There are some caveats, however.
You cannot connect to the remote computer using an IP address, but must use the hostname matching exactly the Entra device name. In my case, I used an Azure VM and the name of the Azure VM had more than the 15 characters allowed for Entra devices (?) and therefore the hostname was truncated to 15 characters. So I had to define a DNS entry with the truncated name pointing to the VM's Public IP.
However, that still showed the error with error code CAA20002 with the server message "AADSTS293004: The target-device identifier in the request {targetDeviceId} was not found in the tenant {tenantId}" in the RDP client and the Entra sign-in logs.
Luckily, Tyler Sherman found out what is missing: you have to add the domain to the "Domain" registry value (for me on a W11 remote machine, it was not "NV Domain", contrary to what Tyler says) under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
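As an added example that is not part of the answer above, the following PowerShell script (run in an elevated session on the target Windows machine) walks through the checks the answer describes: it prints the computer name, which is at most 15 characters and is what both the DNS entry and the Entra device name have to match, reads the "Domain" and "NV Domain" values under Tcpip\Parameters, sets "Domain" when it is empty, and then resolves the resulting FQDN so you can confirm the DNS entry points where you expect. The suffix example.com is a placeholder for your own DNS domain; whether a reboot is needed afterwards is an assumption, not something the answer states.

```powershell
# Added example, not code from the original answer.
# Assumptions: run elevated on the remote (target) machine; $DnsSuffix is a
# placeholder for the DNS domain you used when creating the A record.
param(
    [string]$DnsSuffix = 'example.com'   # placeholder, replace with your real DNS domain
)

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Computer name: NetBIOS names are capped at 15 characters, so this is the
#    value the DNS record and the Entra device name must match exactly.
$computerName = $env:COMPUTERNAME
Write-Host "Computer name (max 15 chars): $computerName ($($computerName.Length) chars)"

# 2. Read the current values. "Domain" is the one that mattered in the answer;
#    "NV Domain" is shown only for comparison. -ErrorAction handles a missing value.
$domain   = (Get-ItemProperty -Path $tcpipParams -Name 'Domain'    -ErrorAction SilentlyContinue).'Domain'
$nvDomain = (Get-ItemProperty -Path $tcpipParams -Name 'NV Domain' -ErrorAction SilentlyContinue).'NV Domain'
Write-Host "Domain    : '$domain'"
Write-Host "NV Domain : '$nvDomain'"

# 3. Set "Domain" if it is empty or does not match the suffix used in DNS.
if ([string]::IsNullOrEmpty($domain) -or $domain -ne $DnsSuffix) {
    Set-ItemProperty -Path $tcpipParams -Name 'Domain' -Value $DnsSuffix -Type String
    Write-Host "Set Domain to '$DnsSuffix' (assumption: a reboot may be required before it takes effect)"
} else {
    Write-Host "Domain already set to '$DnsSuffix', nothing to change"
}

# 4. Verify that the FQDN the RDP client will use actually resolves.
$fqdn = "$computerName.$DnsSuffix"
$resolved = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
if ($resolved) {
    $resolved | Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { Write-Host "$fqdn -> $($_.IPAddress)" }
} else {
    Write-Warning "$fqdn does not resolve; create the DNS entry before testing the RDP connection"
}
```

Connect from the RDP client with the printed FQDN (not the IP address) after enabling "Use a web account to sign in to the remote computer"; if the AADSTS293004 error persists, compare the name shown here with the device name in the Entra portal, since any mismatch reproduces the error described above.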