Written By @nepeters
Using Azure AD credentials for accessing Azure Linux Virtual Machines improves security by:
- Centrally controlling and enforcing access policies on Azure AD credentials
- Reducing the reliance on local access accounts
- Integrating with multi-factor authentication
In this blog post, I will quickly walk through the basic configuration steps for accessing Azure Linux virtual machines using Azure AD credentials. For detailed steps and documentation, see Log into a Linux Virtual machine in Azure using Azure Active Directory authentication.
First things first, you need an Azure Linux virtual machine. This post uses the Azure CLI to create one; however, any method of deploying a virtual machine will work. If you already have an Azure Linux virtual machine, skip this section.
Create a resource group using the az group create command.
az group create --name myResourceGroup --location eastus
Create a virtual machine using the az vm create command. Notice that I have not used the --admin-username argument to name a local user account, nor any argument to create or supply SSH keys. Be aware that the CLI still creates a local administrator account (defaulting to your current OS username) and picks up ~/.ssh/id_rsa.pub if it exists; Azure AD login is layered on top of that account rather than replacing it, which is why the benefit above is a reduced reliance on local accounts, not their removal.
az vm create --resource-group myResourceGroup --name linuxVM --image UbuntuLTS
Here is where the magic happens. Use the az vm extension set command to install the AADLoginForLinux extension (publisher Microsoft.Azure.ActiveDirectory.LinuxSSH). This extension configures the Azure AD integration on the VM. Note that Microsoft has since retired this extension in favour of AADSSHLoginForLinux, which uses certificate-based login through az ssh; the device-code flow shown below belongs to the original extension.
az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux --resource-group myResourceGroup --vm-name linuxVM
Before logging into the virtual machine with an Azure AD account, Azure AD access must be configured. To do so, we create a role assignment that binds the Azure AD account (or group) to the "Virtual Machine Administrator Login" Azure RBAC role at the scope of the virtual machine. This is an Azure RBAC role, not an Azure AD directory role; use "Virtual Machine User Login" instead if the account should log in without sudo rights.
First, get the resource ID of the virtual machine using the az vm show command. In this example, the ID is stored in a variable named VMID.
VMID=$(az vm show --resource-group myResourceGroup --name linuxVM --query id -o tsv)
Create the role assignment using the az role assignment create command. The --assignee is the Azure AD user or group (UPN or object ID) for which access is being granted, and --scope limits the assignment to this one virtual machine.
az role assignment create --role "Virtual Machine Administrator Login" --assignee firstname.lastname@example.org --scope $VMID
Next, get the public IP address of the virtual machine with az vm show -d; this is the address you will SSH to.
az vm show -d --resource-group myResourceGroup --name linuxVM --query publicIps -o tsv
Now create the SSH connection. In this example, I am using SSH from a terminal. Take note that the login name is the full Azure AD user principal name, followed by @ and the VM address, so the command contains two @ characters and no spaces.
ssh email@example.com@126.96.36.199
Once the connection is initiated, you are prompted to open a browser and complete device-code authentication. Follow the instructions, then press ENTER when done.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AJ9GDRXBQ to authenticate. Press ENTER when ready.
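The steps above, collected into one idempotent script with the checks I would want before handing out access. This is an added example, not code from the original post. It assumes the Azure CLI is installed and you have run az login, that your account can create role assignments on the resource group (Owner or User Access Administrator), and that the resource names, image alias and assignee UPN are the placeholders from the post, overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): the AADLoginForLinux procedure
# as one script with verification steps. Assumptions: Azure CLI installed and
# logged in; caller may create role assignments on the resource group; names
# below are placeholders taken from the post.
set -eu

RG="${RG:-myResourceGroup}"
LOCATION="${LOCATION:-eastus}"
VM="${VM:-linuxVM}"
IMAGE="${IMAGE:-UbuntuLTS}"      # alias used in the post; newer CLIs may require a full image URN
ASSIGNEE="${ASSIGNEE:-firstname.lastname@example.org}"
ROLE="${ROLE:-Virtual Machine Administrator Login}"

# Only two built-in roles grant Azure AD SSH login. A misspelled role name
# fails at assignment time, so validate before touching Azure.
role_is_valid() {
  case "$1" in
    "Virtual Machine Administrator Login"|"Virtual Machine User Login") return 0 ;;
    *) return 1 ;;
  esac
}

# Build the SSH login target. The login name is the full UPN, so the result
# contains two '@' characters: <upn>@<host>. Rejects malformed input.
ssh_target() {
  upn="$1"; host="$2"
  case "$upn" in
    *@*) ;;
    *) echo "ssh_target: '$upn' is not a user principal name" >&2; return 1 ;;
  esac
  [ -n "$host" ] || { echo "ssh_target: empty host" >&2; return 1; }
  printf '%s@%s\n' "$upn" "$host"
}

main() {
  role_is_valid "$ROLE" || { echo "unknown login role: $ROLE" >&2; exit 1; }

  az group create --name "$RG" --location "$LOCATION" --output none

  # No --admin-username / --ssh-key-values: the CLI still creates a local admin
  # (your OS username) and uses ~/.ssh/id_rsa.pub if present. Azure AD login is
  # added on top of that account, not instead of it.
  if ! az vm show --resource-group "$RG" --name "$VM" --output none 2>/dev/null; then
    az vm create --resource-group "$RG" --name "$VM" --image "$IMAGE" --output none
  fi

  az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux --resource-group "$RG" --vm-name "$VM" --output none

  # Confirm the extension actually provisioned before granting access.
  state=$(az vm extension show --resource-group "$RG" --vm-name "$VM" \
    --name AADLoginForLinux --query provisioningState -o tsv)
  [ "$state" = "Succeeded" ] || { echo "extension provisioningState: $state" >&2; exit 1; }

  vmid=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)

  # Scope the assignment to this VM only (least privilege); skip if it exists.
  existing=$(az role assignment list --scope "$vmid" --assignee "$ASSIGNEE" \
    --role "$ROLE" --query 'length(@)' -o tsv)
  if [ "$existing" = "0" ]; then
    az role assignment create --role "$ROLE" --assignee "$ASSIGNEE" \
      --scope "$vmid" --output none
  fi

  ip=$(az vm show -d --resource-group "$RG" --name "$VM" --query publicIps -o tsv)
  echo "connect with: ssh $(ssh_target "$ASSIGNEE" "$ip")"
}

# Run as: ./aad-ssh-setup.sh setup   (sourcing the file only defines the functions)
if [ "${1:-}" = "setup" ]; then
  main
fi
```

Role assignments can take a few minutes to propagate to the VM; if the first login is refused right after the script finishes, wait and retry before assuming the extension is broken.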
At this point, the SSH session should be established. Feel free to reach out in the comments or on Twitter at @nepeters.