Using Azure AD authentication on Linux VMs gives you extra benefits. It improves security by centralising authentication and enforcing the policies that grant access to the VMs, which means better access management. In this post you will learn how to create and configure an Azure Linux VM to use Azure AD authentication.
How does it work
Azure Active Directory provides a virtual machine (VM) extension for Linux-based systems that run on Azure. It also provides a client extension that integrates with the Azure CLI and the OpenSSH client.
You can use SSH authentication with Active Directory when you’re:
- Working with Linux-based VMs that require remote command-line sign-in.
- Running remote commands in Linux-based systems.
- Securely transferring files over an unsecured network.
You need access to manage and deploy resources within Azure. Therefore you need:
- An Azure AD Tenant.
- An active Azure subscription.
- Azure CLI installed on your machine (How to here).
- Outbound access to Azure URLs (Documentation).
Before we start it is good to mention that Azure AD authentication for VMs is currently only supported within Microsoft Azure. However, a third-party developer is working on an extension for Debian-based operating systems that looks promising. Check out their project here.
Log into Azure and create a new resource group
- Open a terminal and log in to Azure with your account.
- Create a new resource group. For this post we use linux as the name of the group.
Deploy a Linux VM in Azure
We are deploying a CentOS 7.5 virtual machine in Azure. I am using Azure CLI on my Free Trial subscription. Depending on your personal preferences, feel free to change any variable you like.
Since I do not have an SSH key pair yet, Azure CLI will create a new public/private key pair automatically without any extra effort.
Verify the new deployment
Verify connectivity to the VM using a terminal and your private key. Because we use a private key, no password is needed to connect.
Configure Role Based Access Control for the virtual machine
One of the biggest benefits of Azure Active Directory login is that we can use Role Based Access Control (RBAC). Additionally, Conditional Access applies, which means that multi-factor authentication is available to use.
There are two RBAC roles by default:
- Virtual Machine Administrator Login: Users with this role assigned log in to an Azure virtual machine with root user privileges.
- Virtual Machine User Login: Users with this role assigned log in to an Azure virtual machine with normal user privileges.
Access is denied when no role is assigned. Configure your roles accordingly to prevent any issues.
Install Azure Active Directory plugin
Let’s get back to our terminal with Azure CLI. The plugin installs itself on the virtual machine while the extension is being deployed. Make sure you change the resource group and the name of the virtual machine to match your own situation.
No additional configuration is needed on our Azure VM. At this point we are ready to verify whether we can successfully authenticate on Linux with Azure Active Directory credentials.
Login with Azure AD
It is time to verify the VM extension by exiting our current session and starting a new one.
ssh -l email@example.com your.public.ip.address
You will now see a message from Microsoft prompting you to visit the login URL and enter the code shown in the terminal. After that, select your account. If you are not logged in yet, you are asked to authenticate with your Azure AD account first.
Once signed in and authenticated, press enter in the terminal to log in to the VM. Depending on the RBAC role the user is assigned, the user logs in as a standard or an administrator (root) account.
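The steps above (resource group, CentOS 7.5 VM, AADLoginForLinux extension, RBAC role assignment scoped to the VM, and the final ssh command) collected into one script. This is an added example and not the post's own code; the VM name, location and admin user name are constructed, the resource group "linux" and the role names come from the post, and the extension publisher and name are taken from the Azure documentation for AADLoginForLinux as it was at the time.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: the Azure CLI steps the post walks
# through, wrapped in functions so each step can be reviewed before it runs.
# centos-aad, westeurope and azureuser are constructed values for this example.
set -eu

RG="${RG:-linux}"
LOCATION="${LOCATION:-westeurope}"
VM="${VM:-centos-aad}"
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# Map a short level to the built-in RBAC role the post describes.
role_for() {
  case "$1" in
    admin) echo "Virtual Machine Administrator Login" ;;
    user)  echo "Virtual Machine User Login" ;;
    *)     echo "unknown level: $1" >&2; return 1 ;;
  esac
}

# Resource ID of the VM; scoping the role assignment to this ID grants login
# rights on this VM only, not on every VM in the resource group.
vm_scope() {  # args: subscription-id resource-group vm-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' "$1" "$2" "$3"
}

# The ssh invocation from the post: the user's UPN is the login name, not a local account.
aad_ssh_command() {  # args: upn public-ip
  printf 'ssh -l %s %s' "$1" "$2"
}

deploy() {  # args: upn level (admin|user)
  upn="$1"; level="$2"
  $AZ group create --name "$RG" --location "$LOCATION"
  # --generate-ssh-keys creates a key pair if none exists yet (the post's situation).
  $AZ vm create --resource-group "$RG" --name "$VM" \
    --image OpenLogic:CentOS:7.5:latest --admin-username azureuser --generate-ssh-keys
  # Extension publisher and name as documented for AADLoginForLinux (assumption).
  $AZ vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux --resource-group "$RG" --vm-name "$VM"
  sub="$($AZ account show --query id -o tsv)"
  $AZ role assignment create --role "$(role_for "$level")" --assignee "$upn" \
    --scope "$(vm_scope "$sub" "$RG" "$VM")"
  echo "Now connect with: $(aad_ssh_command "$upn" '<public-ip-of-vm>')"
}

# Usage: ./aad-linux.sh deploy email@example.com admin
if [ "${1:-}" = "deploy" ]; then deploy "$2" "${3:-user}"; fi
```

Run it once with AZ=echo to review the exact commands before letting them touch your subscription.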
Using the AADLoginForLinux extension for Linux virtual machines might be something to consider for your organisation. For the most part, organisations are still manually managing SSH keys on Linux servers. This often leads to old SSH keys that are left behind by users who left the company months ago.
With AADLoginForLinux you can guarantee that every account that tries to log in is validated by Azure AD, which decreases security risk and means less administration for administrators.
Do you have any questions? Feel free to comment or send me a message.