Log in to a Linux VM in Azure using AAD authentication
1. Log in to a Linux virtual machine in Azure using AAD authentication
Takayoshi Tanaka, Software Maintenance Engineer
tatanaka@redhat.com
2. What’s this?
Log in to a RHEL server with a user authenticated by Azure AD.
An Azure administrator can also manage who is allowed to log in to a Linux server in Azure.
This authentication is not “Kerberos” integration.
This is a Preview feature. See the documentation for details:
https://docs.microsoft.com/ja-jp/azure/virtual-machines/linux/login-using-aad
3. Benefits
Improved security
◦ No need to create a local administrator account
◦ Centralize authentication in AAD, a world-class secure identity provider (IdP)
◦ You can configure multi-factor authentication
Seamless collaboration
◦ You can specify who can sign in to a given VM as a regular user or with
administrator privileges
◦ When a user account is disabled or removed from Azure AD, that user no
longer has access to your resources
4. Supported Azure regions and Linux distributions
Distribution               Version
CentOS                     CentOS 6.9 and CentOS 7.4
Red Hat Enterprise Linux   RHEL 7
Ubuntu Server              Ubuntu 14.04 LTS, Ubuntu Server 16.04, and Ubuntu Server 17.10
5. How to use?
1. Create a VM following the usual steps. Be sure to install the latest WALinuxAgent.
2. Install the Azure AD login VM extension
$ az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux --resource-group myResourceGroup --vm-name myVM
6. How to use?
3. Configure role assignments for the VM
$ username=<your_ms_account_name_for_azure>
$ vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)
$ az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee $username --scope $vm
7. NOTE
If your MS account is in the same domain as the AAD tenant,
you can use the email address as the username.
If not, you should use the Object ID, which you can find in the AAD portal.
[Screenshot: the user's email and Object ID as shown in the AAD portal]
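The following script is an added example, not code from the original slides or from Microsoft: it wraps steps 2 and 3 above together with the NOTE's email-versus-Object-ID rule, scopes the grant to the single VM, and then lists every login role that applies to that VM so an administrator can review who has access. It assumes an Azure CLI that is already logged in; the function names classify_assignee, role_for_level and assign_vm_login are my own, and the "Virtual Machine User Login" role and the --include-inherited flag are not mentioned on the slides.

```shell
#!/bin/sh
# Added example, not from the original slides: grants an Azure AD login role on
# one VM and then lists every login role that applies to it.
# Assumes the Azure CLI is installed and already logged in (az login).
set -eu

# Tell an AAD Object ID (GUID) apart from an email/UPN, as the NOTE slide
# describes: the email form works only when the account lives in the VM's tenant.
classify_assignee() {
  if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo objectid
  else
    echo email
  fi
}

# Map the two access levels from the Benefits slide to the built-in role names.
role_for_level() {
  case "$1" in
    admin) echo "Virtual Machine Administrator Login" ;;
    user)  echo "Virtual Machine User Login" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# usage: assign_vm_login <resource-group> <vm-name> <email-or-object-id> <admin|user>
assign_vm_login() {
  rg=$1; vm=$2; assignee=$3; level=$4
  role=$(role_for_level "$level")
  # Scope the assignment to the single VM resource id, not the resource group
  # or subscription, so the grant covers only this machine.
  scope=$(az vm show --resource-group "$rg" --name "$vm" --query id -o tsv)
  echo "Assigning '$role' to $assignee (given as $(classify_assignee "$assignee")) on $vm"
  az role assignment create --role "$role" --assignee "$assignee" --scope "$scope" >/dev/null
  # Review who can log in: --include-inherited also shows grants made at the
  # resource-group or subscription level, which this VM inherits.
  az role assignment list --scope "$scope" --include-inherited \
    --query "[?contains(roleDefinitionName, 'Virtual Machine') && contains(roleDefinitionName, 'Login')].[principalName,roleDefinitionName,scope]" \
    -o table
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
  assign_vm_login "$1" "$2" "$3" "${4:-user}"
fi
```

Run it as `sh aad-login-role.sh myResourceGroup myVM user@example.com admin`; the final table is the list to check whenever someone leaves, since inherited grants are easy to overlook.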
8. Log in to the VM
$ ssh -l <user_account> <public_ip_or_host>
Run ssh as usual, specifying your user account (your Microsoft account).
The console then asks you to visit the Microsoft device login URL and enter the displayed code.
9. Log in to the VM
Open a browser, visit the device login URL and enter the code.
If you are not yet signed in with your Microsoft account, sign in first.
10. Log in to the VM
Now you can log in as a user.
If your account has the “Virtual Machine Administrator Login” role,
you can use “sudo” in the same way.
When you run “sudo”, the same login flow is executed.
11. Inside VM Login
The VM extension manages the authentication.
It also creates the home directory and applies the required configuration.