One of the key challenges in IaaS workload management in Azure is Identity and Access Management (IAM). The common options are:
- Extending the On-Premises Active Directory (AD) to Azure by deploying domain controllers in a shared virtual network.
- Using Active Directory Domain Services as a managed service from Azure (this is not the same as extending OnPrem AD to the cloud)
Neither option is available out of the box, and both take effort and cost to implement and manage. Also, in many cases we have non-routable virtual networks or DMZ networks in Azure in which local accounts are used for VM logins.
To avoid local logins, we now have a great saviour: using Azure AD accounts to log in to Windows and Linux VMs in the Azure cloud. This is currently in public preview as of March 2021.
It just works when enabled properly with no additional cost and infra needed.
Let us see the step-by-step guide to enable Azure AD based login for Windows VMs
Supported Windows version:
- Windows 10 1809 and above
- Windows Server 2019 Datacenter
In this lab, I am using my Windows 10 machine in my home network to connect to a Windows Server 2019 VM (Test-VM01) in Azure using an Azure AD user account. Both machines are Azure AD joined to the same tenant.
Note: The Server 2019 VM is in a workgroup and is not joined to any Active Directory domain.
- The Windows 10 machine from which the RDP connection is initiated should be Azure AD joined, registered or hybrid joined (both the host machine and the machine to be connected to via RDP should be present in the same Azure AD tenant)
Verify this using the command dsregcmd /status (check for IsDeviceJoined: Yes)
- Port 443 to be opened to below URLs
- Installing the VM extensions in Azure
Use Azure CLI to run the below command
az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group RESOURCEGROUPNAME --vm-name VMNAME
- If MFA is enabled for the account, create an exception for Azure AD VM login (Example given below)
- While creating the VM in the Azure portal, select the highlighted options “System assigned managed identity” and “Login with AAD credentials” under the “Management” tab
- Create a role assignment in the VM properties page (select one of the roles: Virtual Machine User Login or Virtual Machine Administrator Login)
- Add the Azure AD user (Dinesh.NR@mscloudpro.in is my test account for this exercise) to the Remote Desktop Users group in the Windows Server 2019 VM with the below command
net localgroup "remote desktop users" /add "AzureAD\email@example.com"
- Open sysdm.cpl, click on the “Remote” tab, uncheck the option “Allow connections only from computers running Remote Desktop with Network Level Authentication (Recommended)”, and confirm that the user added in the previous step appears in the Remote Desktop Users list by clicking the “Select Users” button
- Before connecting to the Azure VM, download the RDP file and append the below highlighted text
We are all good now 😊
Now while connecting to the Windows Server 2019 VM from my Windows 10 machine using RDP, we must use AzureAD\UserName as a login ID and the password for the account. The Azure AD account can be a cloud only account or the account synced from OnPrem AD.
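The join-state prerequisite from the steps above can be checked by comparing saved dsregcmd /status output from the source machine and the target VM. This is an added example, not part of the original post: the function names are hypothetical, both status blocks are constructed sample data, and it relies on the AzureAdJoined, WorkplaceJoined, TenantId and WorkplaceTenantId fields that dsregcmd prints.

```powershell
# Added example. Both status blocks are constructed sample data, not real output.
$clientText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  TenantId : 11111111-1111-1111-1111-111111111111
'@
$targetText = @'
             AzureAdJoined : YES
              DomainJoined : NO
                  TenantId : 22222222-2222-2222-2222-222222222222
'@

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string]$Text)
    $state = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Keep "Name : Value" rows; banner rows start with + or | and are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-AadLoginPrereq {
    param([Parameter(Mandatory)][hashtable]$Client, [Parameter(Mandatory)][hashtable]$Target)
    $problems = @()
    # Joined and hybrid-joined clients report AzureAdJoined; registered ones WorkplaceJoined.
    if ($Client['AzureAdJoined'] -ne 'YES' -and $Client['WorkplaceJoined'] -ne 'YES') {
        $problems += 'Client is not Azure AD joined, hybrid joined or registered'
    }
    if ($Target['AzureAdJoined'] -ne 'YES') {
        $problems += 'Target VM is not Azure AD joined (check the AADLoginForWindows extension)'
    }
    # Registered-only clients carry their tenant in WorkplaceTenantId instead of TenantId.
    $clientTenant = if ($Client['TenantId']) { $Client['TenantId'] } else { $Client['WorkplaceTenantId'] }
    if (-not $clientTenant -or $clientTenant -ne $Target['TenantId']) {
        $problems += "Tenant mismatch: client '$clientTenant', target '$($Target['TenantId'])'"
    }
    $problems
}

$result = Test-AadLoginPrereq (ConvertFrom-DsregStatus $clientText) (ConvertFrom-DsregStatus $targetText)
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Prerequisites met' }
```

With the constructed data the two tenant IDs differ, so the script reports a tenant mismatch; replace the here-strings with output saved from each machine to check a real pair.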
- Optionally, you can add the Azure AD account as a work account on the Windows 10 source machine
- We need to ensure that the Windows 10 source machine is Azure AD registered, joined or hybrid joined
- All the other steps given in the guide need to be performed either on the Azure portal or on the target Windows Server 2019 VM
- If MFA is enabled on the Azure AD account, one of the options is to use a strong authentication method like Windows Hello for Business
- Azure Bastion host does not support Azure AD based login (as of March 2021)
Microsoft Documentation – https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows