You may have run into the same issue in the past. When you manage Linux machines you have a few ways to authenticate to them for administration: a local account, or SSH keys. If you want something more enterprise-scale and admin-friendly you may have used LDAP for login, which usually means a lot more effort to implement.
When your Linux virtual machine runs in Azure there is another option for managing access to the server. Currently in public preview is the Azure AD Login extension for Linux and Windows. With this extension you can grant access to the VM using Azure AD credentials, and control who gets in through Azure RBAC instead of local accounts or distributed SSH keys. Two built-in roles can be assigned at resource group or virtual machine level:
- Virtual Machine Administrator Login (login with administrator rights, i.e. sudo on Linux)
- Virtual Machine User Login (login as a regular user)
So let's look at how to enable this on a Linux server; for Windows it is almost the same.
There are two ways to enable the extension. The first is at VM creation time, where you can choose to log in with AAD credentials.
This allows users who have one of the roles above assigned to log in to the VM with their AAD credentials.
You can also enable it later with the Azure CLI, in case you decide to use the feature after the VM already exists. For this you need to log in to the tenant and select the right subscription. When that is done, run the following command:
az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux --resource-group ResourceGroupName --vm-name VMName
When it succeeds you will see output like in the screenshot above. Now that the extension is enabled and the role assignments are done, you can connect to the VM with your AAD credentials. Open the virtual machine's Overview blade, select Connect and open an SSH connection, for example with PuTTY.
When the connection is established you will be asked for a username; use your Azure user principal name, for example: firstname.lastname@example.org
After that you get a message asking you to open a browser at https://microsoft.com/devicelogin and enter the code shown there to authenticate. Once the browser reports that the sign-in was successful, press Enter in the SSH session. You are then connected to the machine and can get your work done.
For Windows the steps to deploy the extension and grant access are the same; only the publisher and extension name in the command differ.
az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group ResourceGroupName --vm-name VMName
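The whole CLI path from above in one script, as an added example that is not part of the original post: it deploys the extension to an existing VM (Linux or Windows), grants one user a login role, and checks the extension's provisioning state before you try to log in. It assumes the az CLI is installed and you have already run `az login` and `az account set`; the subscription id, resource group, VM name and user principal name are placeholders. The role assignment is deliberately scoped to the single VM's resource id rather than the resource group, so the user cannot log in to every other VM in that group.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: enable the AAD login
# extension on an existing VM with the Azure CLI, verify that it provisioned,
# and grant one user a login role scoped to that VM only. Assumes the az CLI
# is installed and `az login` / `az account set` have already been run. The
# subscription id, resource group, VM name and user below are placeholders.
set -eu

# Publisher and extension name per OS, as given in the post.
extension_publisher() {
  case "$1" in
    linux)   echo "Microsoft.Azure.ActiveDirectory.LinuxSSH" ;;
    windows) echo "Microsoft.Azure.ActiveDirectory" ;;
    *)       echo "unknown OS: $1" >&2; return 1 ;;
  esac
}

extension_name() {
  case "$1" in
    linux)   echo "AADLoginForLinux" ;;
    windows) echo "AADLoginForWindows" ;;
    *)       echo "unknown OS: $1" >&2; return 1 ;;
  esac
}

# DRY_RUN=1 (the default) prints each az command instead of executing it,
# so the script can be reviewed without a tenant. Set DRY_RUN=0 to apply.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Deploy the extension to an existing VM (the post's "enable it later" path).
enable_aad_login() {
  local os="$1" rg="$2" vm="$3"
  run az vm extension set \
    --publisher "$(extension_publisher "$os")" \
    --name "$(extension_name "$os")" \
    --resource-group "$rg" --vm-name "$vm"
}

# Resource id of a single VM; used as the role assignment scope.
vm_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s\n' "$1" "$2" "$3"
}

# Grant a user one of the two login roles at VM scope, not resource group
# scope, so the assignment does not spill over to other VMs in the group.
assign_vm_login() {
  local role="$1" upn="$2" sub="$3" rg="$4" vm="$5"
  run az role assignment create --role "$role" --assignee "$upn" \
    --scope "$(vm_scope "$sub" "$rg" "$vm")"
}

# Check the JSON from `az vm extension show ... --output json`; only a
# provisioningState of "Succeeded" means the AAD login path is in place.
extension_succeeded() {
  case "$1" in
    *'"provisioningState": "Succeeded"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of the relevant part of `az vm extension show` output
# (not captured from a real tenant), used to exercise the check above.
SAMPLE_EXT_JSON='{ "name": "AADLoginForLinux", "provisioningState": "Succeeded" }'

# Usage with placeholders: enable on a Linux VM, assign the less privileged
# role at VM scope, then query the extension state to verify.
enable_aad_login linux myResourceGroup myLinuxVM
assign_vm_login "Virtual Machine User Login" firstname.lastname@example.org \
  00000000-0000-0000-0000-000000000000 myResourceGroup myLinuxVM
run az vm extension show --resource-group myResourceGroup --vm-name myLinuxVM \
  --name AADLoginForLinux --output json
```

Run it once as-is to review the commands it would issue, then with `DRY_RUN=0` to apply them. Feed the JSON from the final `az vm extension show` call to `extension_succeeded` before handing the VM over; a state other than Succeeded means the device-login prompt described above will not appear.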
You can also apply Conditional Access policies to this sign-in, for example requiring MFA or blocking risky sign-ins. That further hardens access to the specific VM and to the environment as a whole.