Forum Discussion
kristokruuser
Dec 09, 2025 | Copper Contributor
Custom Script Extensions and Session Host Configuration
Currently, the Custom Script Extensions functionality definable in the Session Host Configuration only allows defining a script URL. What is the intended mechanism of authentication for this ...
rogerval
Dec 11, 2025 | MCT
Session Host configuration today only allows a script URL and does not support Key Vault references, SAS tokens, or Managed Identity authentication directly in the UI. The portal expects the script to be anonymously accessible.
If you want to secure the script:
- Deploy the CSE manually using ARM/Bicep/CLI, where you can specify protected settings (storage account key, SAS, etc.).
- Alternatively, use a Managed Identity and a CSE command that downloads the script from a protected source from inside the VM (PowerShell Invoke-WebRequest with MSI auth).
- Another option is hosting the script in a storage account with a short-lived SAS generated programmatically when deploying hosts.
Today the Session Host blade does not support secure authentication parameters, so ARM deployment is the recommended method when sensitive scripts are involved.
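The Managed Identity option from the reply above, sketched as an added example (not code from the thread or from Microsoft): a small bootstrap that runs inside the VM, gets a token from the instance metadata endpoint, and pulls the real script from a private blob. It assumes the VM has a system-assigned identity holding the Storage Blob Data Reader role on the container; the blob URL, local file name and expected hash are placeholders, and the hash pinning step is an addition not mentioned in the thread.

```powershell
# Added example: bootstrap executed by the Custom Script Extension inside the session host.
# Assumptions: system-assigned managed identity with "Storage Blob Data Reader" on the
# container; all <...> values are placeholders to replace.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$BlobUrl        = 'https://<storage-account>.blob.core.windows.net/<container>/<script>.ps1'
$ExpectedSha256 = '<SHA256-of-approved-script>'   # optional pinning, see below
$Destination    = Join-Path $env:TEMP 'sessionhost-setup.ps1'   # hypothetical file name

# 1. Request an access token for Azure Storage from the Instance Metadata Service.
#    The endpoint is only reachable from inside the VM; no secret is stored anywhere.
$resource = [uri]::EscapeDataString('https://storage.azure.com/')
$imdsUri  = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$resource"
$token    = (Invoke-RestMethod -Method Get -Uri $imdsUri -Headers @{ Metadata = 'true' }).access_token

# 2. Download the blob with the bearer token. Azure AD authorization on the Blob
#    service requires an x-ms-version header of 2017-11-09 or later.
$headers = @{
    Authorization  = "Bearer $token"
    'x-ms-version' = '2020-04-08'
}
Invoke-WebRequest -Uri $BlobUrl -Headers $headers -OutFile $Destination -UseBasicParsing

# 3. Optional: refuse to run anything that does not match the approved hash.
if ($ExpectedSha256 -notlike '<*') {
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $Destination -Force
        throw "Hash mismatch for downloaded script: $actual"
    }
}

# 4. Run the downloaded script, then remove the local copy.
try {
    & $Destination
}
finally {
    Remove-Item -Path $Destination -Force -ErrorAction SilentlyContinue
}
```

With this pattern only the bootstrap has to sit behind the anonymously readable URL, and it contains no credentials; the sensitive script stays in the private container.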