Adding Azure Active Directory to Linux Virtual Machines

Adding single sign-on using your institution's Active Directory to Linux virtual machines (VMs) hosted in Azure: you can now integrate with Azure Active Directory (AD) authentication. When you use Azure AD authentication for Linux VMs, you centrally control and enforce policies that allow or deny access to the VMs. This article shows you how to create and configure a Linux VM to use Azure AD authentication.
Microsoft


There are many benefits of using Azure AD authentication to log in to Linux VMs in Azure, including:

  • Improved security:

    • You can use your corporate AD credentials to log in to Azure Linux VMs. There is no need to create local administrator accounts and manage credential lifetime.
    • By reducing your reliance on local administrator accounts, you do not need to worry about credential loss/theft, users configuring weak credentials etc.
    • The password complexity and password lifetime policies configured for your Azure AD directory help secure Linux VMs as well.
    • To further secure login to Azure virtual machines, you can configure multi-factor authentication.
    • The ability to log in to Linux VMs with Azure Active Directory also works for customers that use Federation Services.
  • Seamless collaboration: With Role-Based Access Control (RBAC), you can specify who can sign in to a given VM as a regular user or with administrator privileges. When users join or leave your team, you can update the RBAC policy for the VM to grant access as appropriate. This experience is much simpler than having to scrub VMs to remove unnecessary SSH public keys. When employees leave your organization and their user account is disabled or removed from Azure AD, they no longer have access to your resources.

For more details see https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

 

Azure AD login for Linux VMs enables you to use your institutional Azure AD accounts for SSH logins on your Azure VMs, and to apply Azure AD security features, including RBAC, to the SSH login process on your Linux servers.

 

All you need to do is enable the AADLoginForLinux VM extension for your Azure VM and grant access rights to a user account using an RBAC role assignment.

 

You can enable AD support by using the following Azure CLI commands:

 

Install the AD Login Extension 

az vm extension set \
--publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
--name AADLoginForLinux \
--resource-group myResourceGroup \
--vm-name myVM

 

Configure role assignment for the users 

username=$(az account show --query user.name --output tsv)
vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)
az role assignment create \
--role "Virtual Machine Administrator Login" \
--assignee $username \
--scope $vm

 

To enable the extension for an existing VM you can use the following PowerShell command:


Set-AzureRmVMExtension `
-Publisher Microsoft.Azure.ActiveDirectory.LinuxSSH `
-Name AADLoginForLinux `
-ResourceGroupName myResourceGroup `
-VMName myVM `
-Location WestEurope `
-ExtensionType AADLoginForLinux `
-TypeHandlerVersion 1.0

 

To allow users to log in to the VMs using Azure AD credentials, the user account must be assigned either the Virtual Machine Administrator Login or the Virtual Machine User Login RBAC role.

 

An Azure user with the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over SSH.

 

Using PowerShell to add users

 

$scope = (Get-AzureRmVM -ResourceGroupName LinuxSecurity -Name UbuntuVm01).id
New-AzureRmRoleAssignment `
-SignInName user@domain.com `
-RoleDefinitionName "Virtual Machine Administrator Login" `
-Scope $scope
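An access review to run after the role assignments above, added here as an example rather than code from the original post. It checks that the AADLoginForLinux extension provisioned and lists every principal with a role on the VM, marking which roles actually grant SSH login and which (Owner, Contributor) grant none, as the note about those roles explains. It assumes a logged-in Azure CLI; the resource group and VM names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): SSH access review for a VM
# using AADLoginForLinux. Assumes a logged-in Azure CLI; RG and VM names
# passed on the command line are placeholders.
set -eu

# classify_role: what a given RBAC role means for SSH login on the VM.
classify_role() {
  case "$1" in
    "Virtual Machine Administrator Login") echo "ssh-admin (sudo)" ;;
    "Virtual Machine User Login")          echo "ssh-user" ;;
    Owner|Contributor)                     echo "NO ssh (control plane only)" ;;
    *)                                     echo "NO ssh" ;;
  esac
}

# count_ssh_admins: number of sudo-capable SSH principals, given TSV lines
# "principalName<TAB>roleDefinitionName" on stdin.
count_ssh_admins() {
  awk -F'\t' '$2 == "Virtual Machine Administrator Login" {n++} END {print n+0}'
}

# review: print one line per assignment with its SSH meaning (TSV on stdin).
review() {
  TAB=$(printf '\t')
  while IFS="$TAB" read -r principal role; do
    [ -n "$principal" ] || continue
    printf '%-40s %-38s %s\n' "$principal" "$role" "$(classify_role "$role")"
  done
}

# run_review RG VM: query Azure and print the review (needs 'az').
run_review() {
  rg="$1"; vm="$2"
  vm_id=$(az vm show -g "$rg" -n "$vm" --query id -o tsv)
  state=$(az vm extension show -g "$rg" --vm-name "$vm" -n AADLoginForLinux \
            --query provisioningState -o tsv)
  echo "AADLoginForLinux provisioningState: $state"
  # --include-inherited also shows RG/subscription-level assignments that apply.
  az role assignment list --scope "$vm_id" --include-inherited \
      --query "[].[principalName, roleDefinitionName]" -o tsv | review
}

# Only contact Azure when a resource group and VM name are supplied.
if [ "$#" -ge 2 ]; then
  run_review "$1" "$2"
fi
```

Run it as `sh review.sh myResourceGroup myVM`; the functions are pure apart from `run_review`, so the classification can be checked against constructed TSV without touching Azure.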

 

SSH Command for user connecting to the virtual machines


ssh user@domain.com@yourVM'sExternalIPAddress

 

Users are prompted to open the web page https://microsoft.com/devicelogin, enter the code shown in the SSH session, and then authenticate with their Azure AD credentials.


The users then close the browser window, return to the SSH prompt, and press the Enter key.

 

They are now signed in to the Azure Linux virtual machine with the role permissions assigned, such as VM User or VM Administrator. If the user account is assigned the Virtual Machine Administrator Login role, they can use sudo to run commands that require root privileges.