Login to Azure VM with Azure AD credentials

Hi folks,

some of my customers are waiting for that feature. It’s currently in preview but for my point of view for some reasons production ready. First of all, I want to explain a use case for that solution.

This BlogPost is splited into 6 sections

  1. Use Case
  2. Possible solutions
  3. Install new VMs
  4. Install on existing VMs
  5. Grant permission to login
  6. Limitations

1.) Use Case

Your company wan’t to migrate to the Cloud (Cloud Native). Your Clients will be managed by Microsoft InTune. The most (not all) services will be placed on PaaS Services but some applications should be placed in IaaS VMs.

Is it possible to connect to the Azure VM with the same credentials?

The answer is “YES”. There are different ways available. I will explain each one

2.) Possible solutions

Solution 1:

You install two Windows Server in Azure into an Azure availability Group/Zone and install the Azure Active Directory Feature. Install AD-Connect and sync that users to the Azure AD. Your primary user management is on that Domain.

Fazit:

Most expensive and for my point of view not the best solution


Solution 2:

Install Azure Active Directory Domain Services (AADDS) and sync the cloud users to the AADDS service. The AADDS service is a PaaS based service, you don’t get access to the azure VMs and there are different pricing levels available.

Solution looks like the following (Azure AD DS for cloud-only organizations):

Azure Active Directory Domain Services for a cloud-only organization with no on-premises synchronization

Fazit:

Good solution, because you have a full managed Active Directory Solution. Your main management point is Azure Active Directory. The bad thing. It’s not the cheapest solution and sometimes an overhead.

Solution 3:

Microsoft implement a new possible solution (in preview). In that use case it’s a possible solution, but it depends on the customer needs. In that solution we activate the possibility to login to the VM with the Azure AD account. Another goody in that solution, you don’t have to manage local admin right on the machine and you can configure Conditional Access, MFA and Sign-In risky policies for that VM!

The prerequisites for that solutions are:

  • Windows Server 2019 Datacenter Edition or Windows 10 1809 or later
  • The source client is AzureAD or hybrid joined into the same AzureAD Tenant
  • Outgoing port 443 to the following URLS are allowed:
    • https://enterpriseregistration.windows.net
    • https://login.microsoftonline.com
    • https://device.login.microsoftonline.com
    • https://pas.windows.net
  • A managed identity was assigned to the VM
  • The Azure extension (AADLoginForWindows) was installed on the VM
  • The correct Azure RBAC role was defined to login

Great, here is a short implementation documentation. I’ve split it into two parts

  • Install new VMs
  • Activate on existing VMs

3.) Install new VMs

To activate that feature on new VMs is really simple. Install a VM based on a Windows 10 (1809 or later) template or Windows Server 2019 DataCenter and activate in the Management section the options

  • Azure Active Directory
  • Identity

The activation enabled a system assigned managed identity and also installed the Azure VM extension “AADLoginForWindows”.

BAD NEWS, at the moment the extension installation will only works on windows 10. When you install a Windows Server 2019 Datacenter VM, you have to install the extension manually. The procedure is the same when you install the extension on an existing Azure VM (see you in the next steps)

4.) Install on existing VMs

Okay, we have an Azure VM and want to add the ability to login with an Azure AD account. The first step is to activate an Azure Managed Identity. Open the Azure VM object and go to the “Identity” section on the left side:

Activate the System assigned identity and click on “Save

Now install the extension on the exist Azure VM (this is same process for new Azure VMs)

Open the Azure CloudShell and select the Bash:

Add the following command and change the

  • myResourceGroup
  • myVM

variable based on your environment:

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group myResourceGroup \
    --vm-name myVM

Execute the script. You get the following information, when everything was successfully installed on your Azure VM:

At the “Extension” section of your Azure VM object you can see the following:

Great, everything is now in place. Another point to check if everything was in place, please open the Azure Active Directory service and go to the “Devices” section:

In that section you should find the computer where you have installed the extension before. The join type should be “Azure AD joined“.

But the Login will not work why? See in the next section.

5.) Grant permission to login

On important part is to grant permission to login on the VM. Important, an Owner or Contributor doesn’t have automatically permissions to login. There are two separate Permissions available:

  • Virtual Machine Administrator Login
  • Virtual Machine User Login

I guess the name will explain everything what you have to know.

Okay in my case I will add an Azure AD group to the Azure VM object with the ” Virtual Machine Administrator Login” RBAC permission.

Now it’s possible to login to the Azure VM with the Azure AD credentials. Important part here, the “source” VM must joined (AzureAD or Hybrid) into the same Azure AD domain!


6.) Limitations

At the moment we have the following limitations:

  • The login with Azure Bastion isn’t possible
  • You cannot join it to other domain like on-premises AD or Azure AD DS