DEV Community

Anthony Bartolo for Microsoft Azure

Posted on • Originally published at techcommunity.microsoft.com on

How to access Azure Linux virtual machines with Azure Active Directory

Written By @nepeters

Using Azure AD credentials for accessing Azure Linux Virtual Machines improves security by:

  • Centrally controlling and enforcing access policies on Azure AD credentials
  • Reducing the reliance on local access accounts
  • Integration with multi-factor authentication

In this blog post, I will quickly walk through the basic configuration steps for accessing Azure Linux virtual machines using Azure AD credentials. For detailed steps and documentation, see Log into a Linux Virtual machine in Azure using Azure Active Directory authentication.

Create a Virtual Machine

First things first, you need an Azure Linux virtual machine. This blog uses the Azure CLI to create the virtual machine however any method for deploying virtual machine will work. If you already have an Azure Linux virtual machine, this section can be skipped.

Create a resource group using the az group create command.

az group create --name myResourceGroup --location eastus

Create a virtual machine using the az vm create command. Notice here that I have neither used the --admin-username argument to create a local user account nor used any arguments to create or provide SSH keys.

az vm create --resource-group myResourceGroup --name linuxVM --image UbuntuLTS

Here is where the magic happens. Use the az vm extension set command to install the Active Directory Linux SSH extension. This extension is responsible for the configuration of the Azure AD integration.

az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux --resource-group myResourceGroup --vm-name linuxVM

Configure Role-Based Access

Before logging into the virtual machine with an Azure AD account, the Azure AD access must be configured. To do so, we will create a role binding between the Azure AD account, the "Virtual Machines Administrators Login" AD role, and the virtual machine.

First, get the ID of the virtual machine using the az vm show command. In this example, the ID is stored in a variables name VMID.

VMID=$(az vm show --resource-group myResourceGroup --name linuxVM --query id -o tsv)

Create the role binding using the az role assignment create command. Notice here that the --assignee would be the Azure AD account or group for which the access is established.

az role assignment create --role "Virtual Machine Administrator Login" --assignee user@contoso.com --scope $VMID

Access the VM

With the VM created, and the access established, you can now access the VM using SSH. First, get the public IP address of the virtual machine. This can be done with the azvm show command.

az vm show -d --resource-group myResourceGroup --name linuxVM --query publicIps -o tsv

Now create the SSH connection. In this example, I am using SSH from a terminal. Take note that the Azure AD user account is specified in the command.

ssh user@contoso.com @137.117.88.113

Once completed, you are prompted to open up a browser and complete the authentication. Follow the instructions and press ENTER when done.

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AJ9GDRXBQ to authenticate. Press ENTER when ready.

At this point, the SSH connection should have been successfully created. Feel free to reach out in comments or on Twitter at @nepeters.

Top comments (0)