Using Azure AD authentication on Linux VMs gives you a few benefits. It improves security by centralising authentication and enforcing the policies that grant access to the VMs, which means better access management. In this post you will learn how to create and configure an Azure Linux VM to use Azure AD authentication.
- Azure AD Tenant.
- An active Azure subscription.
- Azure CLI installed on your machine (How to here).
- Outbound access to Azure URLs (Documentation).
You need access to manage and deploy resources within Azure.
Support for servers outside of Azure
Microsoft only provides the extension in Azure. A third party is developing an extension for Debian-based operating systems. Check out their project here.
Log into Azure and create a new resource group
Azure CLI is used for this tutorial.
- Open a terminal and log in to Azure with your account.
- Create a new resource group. For this post we use linux as the name of the group.
Deploy a Linux VM in Azure
For this post I will be deploying a CentOS 7.5 virtual machine in Azure. I am using Azure CLI on my Free Trial subscription. Depending on your personal preferences, feel free to change any variable you like.
I do not have an SSH key pair yet. That means that Azure CLI will create a new public/private key pair automatically.
Verify the new deployment
Verify connectivity to the VM using a terminal and your private key. Because we use a private key, no password is needed to connect.
Configure Role Based Access Control for the virtual machine
One of the biggest benefits of Azure Active Directory login is that we can use Role Based Access Control (RBAC). Additionally, Conditional Access can be applied, so Multi-Factor Authentication can be required for the login, for example.
There are two RBAC roles by default:
- Virtual Machine Administrator Login: Users with this role assigned log in to an Azure virtual machine with root user privileges.
- Virtual Machine User Login: Users with this role assigned log in to an Azure virtual machine with normal user privileges.
When no role is assigned to the user, access is denied.
Install Azure Active Directory plugin
Let’s get back to our terminal with Azure CLI. The plugin will be installed on the virtual machine that was just created. Make sure you change the resource group and the name of the virtual machine to match your own situation.
No additional configuration is needed on our Azure VM. At this point we are ready to verify that we can successfully authenticate on Linux with Azure Active Directory credentials.
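The steps above (log in, create the resource group, deploy the VM, install the extension and assign the login role) collected into one Azure CLI script, as an added example that is not the post's own code. The resource group name linux, the VM name linuxvm, the region westeurope, the admin user azureuser, the user alice@example.com and the OpenLogic:CentOS:7.5:latest image URN are assumptions you replace with your own values. The role is assigned with the scope of the single VM rather than the whole subscription, which is the least-privilege choice. DRY_RUN=1 prints each command instead of executing it, so you can review what will be run first.

```bash
#!/usr/bin/env bash
# Added example: Azure CLI deployment of a Linux VM with AADLoginForLinux.
# All names below are assumed defaults; override them through the environment.
set -euo pipefail

RG="${RG:-linux}"                                # assumed resource group name
VM="${VM:-linuxvm}"                              # assumed VM name
LOCATION="${LOCATION:-westeurope}"               # assumed region
IMAGE="${IMAGE:-OpenLogic:CentOS:7.5:latest}"    # assumed marketplace image URN
ADMIN_USER="${ADMIN_USER:-azureuser}"            # local admin created by az vm create
AAD_USER="${AAD_USER:-alice@example.com}"        # assumed Azure AD user to grant login to
AAD_ROLE="${AAD_ROLE:-Virtual Machine User Login}"
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (also keeps the script testable offline)
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Only the two built-in login roles grant SSH access; anything else is a mistake.
validate_role() {
  case "$1" in
    "Virtual Machine Administrator Login"|"Virtual Machine User Login") return 0 ;;
    *) printf 'unsupported login role: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Step 1: create the resource group.
create_group() {
  run az group create --name "$RG" --location "$LOCATION"
}

# Step 2: deploy the VM; --generate-ssh-keys creates a key pair if you have none yet.
create_vm() {
  run az vm create --resource-group "$RG" --name "$VM" --image "$IMAGE" \
    --admin-username "$ADMIN_USER" --generate-ssh-keys
}

# Step 3: install the Azure AD login extension on the VM.
install_extension() {
  run az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux
}

# The VM's resource id, used as the role assignment scope.
vm_scope() {
  if [ "$DRY_RUN" = "1" ]; then
    # constructed placeholder; the real id comes from az vm show
    printf '/subscriptions/<subscription-id>/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s\n' "$RG" "$VM"
  else
    az vm show --resource-group "$RG" --name "$VM" --query id --output tsv
  fi
}

# Step 4: grant the login role on this VM only, not on the subscription.
assign_role() {
  local scope="$1"
  run az role assignment create --role "$AAD_ROLE" --assignee "$AAD_USER" --scope "$scope"
}

deploy() {
  validate_role "$AAD_ROLE"
  create_group
  create_vm
  install_extension
  assign_role "$(vm_scope)"
  printf 'Done. Test the login with: ssh -l %s <public-ip-of-%s>\n' "$AAD_USER" "$VM"
}

# Run the deployment only when invoked as: ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run `az login` first, then `DRY_RUN=1 ./deploy.sh deploy` to review the commands and `./deploy.sh deploy` to execute them. Giving the user the "Virtual Machine User Login" role by default and scoping it to one VM means a compromised or over-broad assignment cannot turn into root on every VM in the subscription.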
Login with Azure AD
It is time to verify the VM extension by exiting our current session and starting a new one.
ssh -l email@example.com your.public.ip.address
You will now see a message from Microsoft prompting you to open the device login URL in a browser and enter the code shown in the terminal. After that, select your account. If you are not already signed in, you are asked to authenticate with your Azure AD account first.
When signed in and authenticated, press enter in the terminal to log in to the VM. Depending on the RBAC role the user is assigned, the user logs in as a standard or an administrator (root) account.
Using the AADLoginForLinux extension for Linux virtual machines might be something to think about for your organisation. In traditional environments it is very common that SSH keys are manually added to and removed from servers by administrators. Often old SSH keys are left behind from users who left the company months ago.
With AADLoginForLinux you can guarantee that every account that tries to log in is validated by Azure AD, which decreases security risk and reduces the administration work for administrators.