Log in to a Linux VM in Azure using AAD authentication

Quick note on logging in to a Linux VM in Azure using AAD authentication

Published in: Technology

  1. Log in to a Linux virtual machine in Azure using AAD authentication
     Takayoshi Tanaka, Software Maintenance Engineer, tatanaka@redhat.com
  2. What’s this?
     Log in to the RHEL server as a user authenticated by Azure AD. An Azure administrator can also manage who can log in to Linux servers in Azure. This authentication is not a “Kerberos” integration. This is a Preview feature. See the doc for details: https://docs.microsoft.com/ja-jp/azure/virtual-machines/linux/login-using-aad
  3. Benefits
     Improved security
       ◦ No need to create a local administrator
       ◦ Centralize authentication in AAD, a world-level secure IdP
       ◦ You can configure multi-factor authentication
     Seamless collaboration
       ◦ You can specify who can sign in to a given VM as a regular user or with administrator privileges
       ◦ When a user account is disabled or removed from Azure AD, the user no longer has access to your resources
  4. Supported Azure regions and Linux distributions

     | Distribution | Version |
     |---|---|
     | CentOS | CentOS 6.9 and CentOS 7.4 |
     | RedHat Enterprise Linux | RHEL 7 |
     | Ubuntu Server | Ubuntu 14.04 LTS, Ubuntu Server 16.04, and Ubuntu Server 17.10 |

  5. How to use?
     1. Create a VM as usual. Be sure to install the latest WALinuxAgent.
     2. Install the Azure AD login VM extension:

        $ az vm extension set \
            --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
            --name AADLoginForLinux \
            --resource-group myResourceGroup \
            --vm-name myVM

  6. How to use?
     3. Configure role assignments for the VM:

        $ username=<your_ms_account_name_for_azure>
        $ vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)
        $ az role assignment create \
            --role "Virtual Machine Administrator Login" \
            --assignee "$username" \
            --scope "$vm"

  7. NOTE
     If your MS account is in the same domain as the AAD, you can use your email address as the username. If not, use the Object ID, which you can see in the AAD portal.
     [Screenshots: email, Object ID]
  8. Login to VM

        $ ssh -l <user_account> <public_ip_or_host>

     Run ssh as usual, specifying the user account (= your Microsoft account). The console then asks you to visit the Microsoft device login URL and enter the specified code.
  9. Login to VM
     Open a browser, visit the device login URL, and enter the code. If you are not yet logged in with your Microsoft account, log in.
  10. Login to VM
      Now you can log in as a user. If your account has the “Virtual Machine Administrator Login” role, you can use “sudo” in the same way. When you run “sudo”, the same login flow is executed.
  11. Inside VM Login
      The VM extension manages the authentication. It also creates the home directory and applies the required configuration.
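
An added example, not part of the original slides: once roles are assigned as in step 3, this shell helper audits which principals can log in to the VM and flags assignments inherited from a broader scope, since those grant login to every VM under that scope. The function names, sample rows and subscription ID are constructed; "Virtual Machine User Login" is the Azure built-in role for regular-user sign-in, which the slides do not name.

```shell
#!/bin/sh
# Added example: audit AAD login rights on one VM.
# Input on stdin: TSV rows "principal<TAB>role<TAB>scope", e.g. from
#   az role assignment list --scope "$vm" --include-inherited \
#     --query "[].[principalName, roleDefinitionName, scope]" -o tsv
# Usage: ... | audit_vm_login "$vm"
audit_vm_login() {
    awk -F '\t' -v vm="$1" '
        $2 == "Virtual Machine Administrator Login" { level = "ADMIN(sudo)" }
        $2 == "Virtual Machine User Login"          { level = "USER" }
        $2 != "Virtual Machine Administrator Login" &&
        $2 != "Virtual Machine User Login"          { next }  # not a login role
        {
            # An assignment made above the VM scope (resource group or
            # subscription) applies to every VM below that scope.
            where = (tolower($3) == tolower(vm)) ? "vm-scope" : "INHERITED"
            printf "%s\t%s\t%s\n", level, where, $1
        }'
}

# Constructed sample data (placeholder subscription ID, example.com users).
SAMPLE_SUB=/subscriptions/00000000-0000-0000-0000-000000000000
SAMPLE_RG=$SAMPLE_SUB/resourceGroups/myResourceGroup
SAMPLE_VM=$SAMPLE_RG/providers/Microsoft.Compute/virtualMachines/myVM

sample_rows() {
    printf '%s\t%s\t%s\n' \
        alice@example.com "Virtual Machine Administrator Login" "$SAMPLE_VM" \
        bob@example.com   "Virtual Machine User Login"          "$SAMPLE_RG" \
        carol@example.com "Reader"                              "$SAMPLE_VM" \
        dave@example.com  "Virtual Machine Administrator Login" "$SAMPLE_SUB"
}

# Demo run on the constructed rows.
sample_rows | audit_vm_login "$SAMPLE_VM"
```

Rows marked ADMIN(sudo) can elevate with sudo on the VM; rows marked INHERITED are worth reviewing first because the grant is not limited to this VM.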
