Forum Discussion

kristokruuser
Occasional Reader
Dec 09, 2025

Custom Script Extensions and Session Host Configuration

Currently the Custom Script Extensions functionality definable in the Session Host Configuration only allows defining a script URL.


CSE URL in the Session Host Configuration as seen from the Azure Portal

What is the intended mechanism of authentication for this solution?


Currently it seems that it's only possible to use an anonymous access level Blob. Defining a token within the script URL is not great due to the fact that the URL is viewable in plain text via the Azure Portal. Neither of those will satisfy.


CSE configuration by the Session Host Configuration during deployment.


Key vault references are used when defining credentials for domain join and local admin accounts for the Session Hosts.

Would it be possible to have key vault references for CSE Storage Account Name/Key or SAS token or the possibility to define a Managed Identity instead?


Available methods of CSE for authentication

These can be defined when deploying the CSEs manually.

Please guide me as to what the best solution would be to this topic.

1 Reply

  • Session Host configuration today only allows a script URL and does not support Key Vault references, SAS tokens, or Managed Identity authentication directly in the UI. The portal expects the script to be anonymously accessible.

    If you want to secure the script:

    • Deploy the CSE manually using ARM/Bicep/CLI, where you can specify protected settings (storage account key, SAS, etc.).
    • Alternatively, use a Managed Identity and a CSE command that downloads the script from a protected source from inside the VM (PowerShell Invoke-WebRequest with MSI auth).
    • Another option is hosting the script in a storage account with a short-lived SAS generated programmatically when deploying hosts.

    Today the Session Host blade does not support secure authentication parameters, so ARM deployment is the recommended method when sensitive scripts are involved.
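One way to implement the second bullet above (a CSE command that fetches the real script from a private blob using the host's managed identity), as an added example that is not from the thread or from Microsoft. It assumes the session host has a system-assigned managed identity holding the Storage Blob Data Reader role on the container; the blob URL and expected hash are placeholders.

```powershell
# Added example: bootstrap script passed to the CSE, so the Session Host
# Configuration only ever references this small public stub. The real script
# lives in a private container and is pulled with a bearer token from the
# VM's managed identity; no SAS token or account key appears in the portal.
param(
    # Placeholder: private blob holding the actual configuration script.
    [string]$BlobUrl = 'https://<storageaccount>.blob.core.windows.net/scripts/configure-host.ps1',
    [string]$LocalPath = "$env:TEMP\configure-host.ps1",
    # Placeholder: SHA-256 of the script, distributed out of band (optional).
    [string]$ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'

# 1. Request a token for Azure Storage from the Instance Metadata Service.
#    IMDS is reachable only from inside the VM and requires the Metadata header.
#    For a user-assigned identity, append "&client_id=<clientId>" to the URI.
$tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https://storage.azure.com/'
$token = (Invoke-RestMethod -Uri $tokenUri -Method Get `
            -Headers @{ Metadata = 'true' }).access_token

# 2. Download the script with the bearer token. Blob storage requires an
#    x-ms-version of 2017-11-09 or later for Entra ID (bearer) authentication.
$headers = @{
    Authorization  = "Bearer $token"
    'x-ms-version' = '2020-04-08'
}
Invoke-WebRequest -Uri $BlobUrl -Headers $headers -OutFile $LocalPath -UseBasicParsing

# 3. Verify integrity before executing anything fetched over the network.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item $LocalPath -Force
        throw "Downloaded script hash $actual does not match expected $ExpectedSha256"
    }
}

# 4. Run the protected script in the same (SYSTEM) context as the extension.
& $LocalPath
```

The IMDS token is short-lived and never leaves the VM, so rotating the storage key or SAS is no longer part of the session host deployment.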
