Hi Ray German,
Thanks for posting your question in the Microsoft Q&A forum.
The most secure and practical way to allow RDP access to Azure AVD session hosts, especially for testing or troubleshooting, is to use JIT VM access through Microsoft Defender for Cloud. By default, AVD doesn’t expose RDP ports to the internet because it uses a secure Reverse Connect method, so users connect safely through the AVD client.
When you do need direct RDP, JIT temporarily opens port 3389 only for a limited time and only from specific IPs. This keeps the VMs protected from constant exposure and attacks. It works in both test and production environments as long as Defender for Cloud is enabled.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
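
The JIT setup described in the answer above, sketched with the Az.Security PowerShell cmdlets. This is an added example, not part of the original answer; the subscription, resource group, region, VM name and source IP are placeholders, and the one-hour window is an assumed value.

```powershell
# Added example. Requires the Az.Security module and an authenticated
# session (Connect-AzAccount). Every value below is a placeholder.
$SubscriptionId = "<subscription-id>"
$ResourceGroup  = "<resource-group>"
$Location       = "<azure-region>"
$VmName         = "<session-host-vm-name>"
$AdminIp        = "203.0.113.10"   # constructed documentation address

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Define the JIT policy: RDP (3389) may be requested only from the
#    admin IP, and a single request may last at most one hour.
#    This call writes the whole policy, so list every VM it should cover.
$JitPolicy = @{
    id    = $VmId
    ports = @(@{
        number                     = 3389
        protocol                   = "*"
        allowedSourceAddressPrefix = @($AdminIp)
        maxRequestAccessDuration   = "PT1H"   # ISO 8601 duration
    })
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location `
    -Name "default" -ResourceGroupName $ResourceGroup `
    -VirtualMachine @($JitPolicy)

# 2. Request access when it is actually needed. The port is opened for
#    the requested source IP until endTimeUtc, then closed again.
$JitRequest = @{
    id    = $VmId
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
        allowedSourceAddressPrefix = @($AdminIp)
    })
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location" +
            "/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($JitRequest)
```

Keeping `allowedSourceAddressPrefix` to a single known address, rather than `*`, is what gives the "only from specific IPs" property the answer describes.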