First published on CloudBlogs on May, 29 2018
Howdy folks!

Linux virtual machines are very popular in Azure. A challenge everyone faces is securely managing the accounts and credentials used to login to these VMs. Typically, people create local administrator accounts and use either SSH keys or passwords to login to the VM. As people join or leave teams, new local accounts need to be created or old ones removed from these VMs. Managing who has access to a given VM is hard and admins need to periodically remove unnecessary SSH public keys or reset administrator passwords to protect against unauthorized access. To make things simple people often follow the risky practice of sharing admin account passwords among big groups of people. This makes it very hard to protect your production Linux VMs and collaborate with your team when using shared Linux VMs.

At the Build conference a few weeks back, we announced the public preview of a cool new Azure AD capability to make it easier to securely manage Azure Linux VMs. Using Azure AD login for Linux VMs, you can:

  • Login to your Azure Linux VMs using your Azure AD credentials. Basically, you can login to a VM using the same account you use to sign in to the Azure portal!
  • Revoke access to Azure Linux VMs when employees leave your organization by disabling their account in Azure AD.
  • Require multi-factor authentication (MFA) for login to Azure Linux VMs.
  • Centrally control access to Azure Linux VMs using Azure Role Based Access Control (RBAC). You can make role assignments to grant regular user privileges or root (admin) user privileges when logging into Azure Linux VMs.
  • If you have Azure AD Premium, you can also use Azure AD Privileged Identity Management (PIM) to configure just-in-time, time-bound access to Linux VMs.

Let's look at the login experience. After you enable Azure AD authentication (https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad), you can connect to the VM using your favorite SSH client and specify the UPN of your Azure AD account.

A one-time use code and a URL to login are displayed by the virtual machine. Enter the code on the Azure AD device authentication page (https://microsoft.com/devicelogin) to sign in.

If you're already signed into the Azure portal or Office 365, you will not be prompted for credentials. If you have configured a policy to require MFA to login to Azure Linux VMs, you will be prompted to perform MFA.

Once you are logged in, return to the SSH client and hit Enter. You will be logged into the VM!

If your user account has been assigned the 'Virtual Machine Administrator Login' role, you will be able to escalate to 'root' user privileges using the 'sudo' command.
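The enable-and-assign procedure the post walks through (install the login extension, grant a user or admin login role at the scope of one VM, then SSH with your UPN), scripted with the Azure CLI. This is an added example, not code from the original post or Microsoft's own samples. It assumes the AADLoginForLinux VM extension (publisher Microsoft.Azure.ActiveDirectory.LinuxSSH) and the two built-in roles Virtual Machine User Login and Virtual Machine Administrator Login as documented for the preview; the resource group, VM name, subscription id and UPNs are placeholders. It defaults to a dry run that prints the az commands so they can be reviewed before anything touches a subscription.

```shell
#!/bin/sh
# Added example, not code from the original post: enable Azure AD login on an
# existing Azure Linux VM with the Azure CLI and assign the login roles at the
# scope of that single VM. Resource group, VM name, UPNs and the subscription id
# are placeholders; the extension and role names are the ones the linked docs use.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"   # placeholder
VM_NAME="${VM_NAME:-vm-example}"                 # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands for review instead of running them

# Print or execute an az command, depending on DRY_RUN, so the change set can be
# reviewed before it touches the subscription.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Resource id of the VM: the narrowest scope a login role can be assigned at.
vm_scope() {
  if [ "$DRY_RUN" = "1" ]; then
    # placeholder id; the live path resolves the real id from the subscription
    printf '/subscriptions/<subscription-id>/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s\n' \
      "$RESOURCE_GROUP" "$VM_NAME"
  else
    az vm show --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" --query id -o tsv
  fi
}

# Step 1: install the AADLoginForLinux VM extension that hooks Azure AD into SSH logins.
enable_aad_login() {
  run_az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux \
    --resource-group "$RESOURCE_GROUP" --vm-name "$VM_NAME"
}

# Map the post's two access levels to the built-in RBAC roles. Anything else is
# refused rather than silently mapped to the more powerful role.
role_for_level() {
  case "$1" in
    user)  echo "Virtual Machine User Login" ;;          # shell login only, no sudo
    admin) echo "Virtual Machine Administrator Login" ;; # shell login plus sudo to root
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Step 2: assign_login_role <upn> <user|admin>, scoped to this VM only.
assign_login_role() {
  role="$(role_for_level "$2")" || return 1
  run_az role assignment create --role "$role" --assignee "$1" --scope "$(vm_scope)"
}

enable_aad_login
assign_login_role "alice@contoso.example" admin   # placeholder UPN; gets sudo
assign_login_role "bob@contoso.example" user      # placeholder UPN; no sudo
# Step 3 is interactive, so it is not scripted: ssh alice@contoso.example@<vm-ip>,
# then complete the device-code sign-in at https://microsoft.com/devicelogin.
```

Scoping each assignment to the VM's own resource id, rather than the resource group or subscription, keeps the grant to the one machine the user needs; removing the role assignment, or disabling the account in Azure AD as the post describes, is then the whole revocation story, with no local accounts or authorized_keys entries left to clean up.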

Want to try it out for yourself?

Check out our docs for step-by-step instructions to enable Azure AD login, assign roles and log in to a Linux virtual machine in Azure using Azure Active Directory authentication: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

We are working to enable you to login to Windows Server VMs in Azure using Azure AD and expect to have it in preview later this year.

As always, we'd love to receive any feedback or suggestions you have! Head over to our Azure AD feedback forum or share comments on this blog post.

Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management, Microsoft Identity Division
5 Comments
Occasional Visitor

This feature is going to be available on Windows VM's?

Occasional Visitor

Hi @Alex Simons (AZURE)

We would like to use this feature, but is there any way to use AAD Login without signing in on https://microsoft.com/devicelogin at EVERY CONNECTION?


Something like the option for MFA you presented here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/AzureAD-Remember-my-MFA-is-now-GA/ba-p/244255


Is there an option where we can remember users for some time, or ideally remember the user until the next AAD modification?


Thank you in advance,

Arnaud

Senior Member

Is this feature planned for hybrid solutions (on-prem VMs) in the future?

Occasional Visitor

I have the same question as @adur_cgi.


Is there any way to use AAD Login without signing in on https://microsoft.com/devicelogin at EVERY CONNECTION?

Occasional Visitor

Hi @tatianaterekhina,


For you and for posterity, here is our workaround solution.

We never succeeded in bypassing this "forced 2FA", but we needed to use Azure AD as login.


Our solution was to implement Azure AD Domain Services in our resource group. This (paid) service provides you with a domain controller linked with Azure AD.

There, we created an LDAP (synced with Azure AD), and had to add every Linux/CentOS machine to the domain. We were then able to connect to our Linux VMs with our AD login.


Here is the overview of Azure AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview


Hope it will help some people around here!


Regards,

Arnaud