Background
If you are running a Cloud Service Worker Role, it's best to have Remote Desktop enabled so you can go onto the running instance of the server and see files, configuration and other aspects of the deployment. It helps in debugging and should be available for all Cloud Services. If you are deploying through automation, you will have to do some extra steps to get it working.
Steps
There are different ways to set it up. One of the fastest ways is to use Visual Studio to make the certificate for you. Open up the solution in Visual Studio, right click the Azure project and click Publish and select the subscription.
On the next page, select "Enable Remote Desktop for all roles" and click Settings next to it. You want to create a new certificate, type in a friendly name and press OK. You will need to set a username and password, use something other than "Administrator" as the username because it could be taken.
What this process does is modify your .csdef and .cscfg files. This is what will be added to the .csdef:
This is what will be added to the .cscfg file:
Now, once those values are there, it means that the certificate was created with the information you wanted to use. You could publish through Visual Studio but that is a manual job each time. If you want to automate this, which you should, you need to get the certificate and add it to your Cloud Service during deployment.
To get the certificate, you need to go into your store. You need to run mmc.exe. After that launches, you need to add the Certificate snap in, choose Current user, go into your Personal\Certificates folder and then you will see the Remote Desktop connection certificate. You need to export it with the private key (as a .pfx file) by right clicking it.
Once exported, you can use it in PowerShell through the Azure cmdlets. What you want to do is specify the path to the file, the service you want to use the RDP cert with and the password you used for the .pfx file. Once you have all of that, you can easily automate adding the certificate to an existing Cloud Service. You get to be setup to make requests to your subscription before this will work.
Using It
To connect with Remote Desktop, all you need to do is go into the Azure portal and go to your Worker Role for the Cloud Service. You will see a "Connect" button at the bottom, click that and it will download an RDP connection file. When promoted, enter the same username and password that you used at the beginning to set up the cert. From there, you will be logged into the running instance.
Warning!
If you have an existing deployment and you add these changes, it will break with the exception: "Windows Azure cannot perform a VIP swap between deployments that have a different number of endpoints". You can see some details about that here. In that case, it's best to completely delete the service or at least the one in production (if downtime can be tolerated). If downtime cannot be tolerated, you will need to route your traffic to a new service through DNS.
Additional Resources
Windows Azure certificate with thumbprint ... is missing
Define and Configure a Remote Desktop Connection
Using Remote Desktop with Windows Azure Roles
