Linking a Virtual Machine with Azure Active Directory


Some time ago, Microsoft added to the provisioning process of a Virtual Machine the option to link the virtual machine with Azure Active Directory (now called Microsoft Entra ID).

This was a great improvement in security and management. Instead of each virtual machine keeping its own isolated set of local accounts, login to the virtual machines is controlled by Azure Active Directory, so the same identities and group memberships apply everywhere.

But what if, for some reason, we missed the opportunity to join the virtual machine to Azure AD while it was being provisioned? How can we join it to Azure AD after it has already been created?

There is a set of configurations needed to use Azure AD login on a Virtual Machine:

  • Install the Azure AD Login Extension
  • Enable a Managed Identity
  • Define the RBAC permissions
  • Register the source machine with Azure AD

Install the Azure AD Login Extension

On the portal, you can use the Extensions left menu item to install this extension (its resource name is AADLoginForWindows, published by Microsoft.Azure.ActiveDirectory). It is very straightforward; no special configuration is needed during the installation.

  1. Open the virtual machine page in the Azure Portal
  2. Click Extensions + Applications on the left menu
  3. Click the Add button
  4. Select Azure AD based Windows Login
  5. Click the Review + Create button
  6. Click the Create button

Enable a Managed Identity

The Virtual Machine needs a system-assigned Managed Identity; the login extension uses it to talk to Azure AD. You need to enable it:

  1. Open the virtual machine page in the Azure Portal
  2. On the left menu, under Settings, select Identity
  3. On the System assigned tab, set Status to On and save

Define RBAC permissions

The Virtual Machine has two built-in RBAC roles that define who may log in to it: Virtual Machine Administrator Login (members become local administrators) and Virtual Machine User Login (members become regular users).

You need to add the users to these roles before trying the login. I recommend assigning the roles to Azure AD groups rather than to individual users, because we may be talking about many users and many VMs to manage. Note that RBAC only decides who may sign in; the roles grant no permission to manage the VM resource itself.
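The three server-side steps above (extension, managed identity, RBAC roles) can be scripted so they are repeatable across many VMs. The following is an added example written for this article with the Az PowerShell module; it is not the author's code. It assumes you have already run Connect-AzAccount, and the resource group, VM name and group names are placeholders.

```powershell
# Added example, not from the original article.
# Assumes: Az module installed, Connect-AzAccount done, and that the two
# Azure AD groups below already exist (names are placeholders).
param(
    [string]$ResourceGroupName = 'rg-demo',
    [string]$VMName            = 'vm-demo',
    [string]$AdminGroupName    = 'VM-Admins',   # gets Virtual Machine Administrator Login
    [string]$UserGroupName     = 'VM-Users'     # gets Virtual Machine User Login
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Step: enable a system-assigned managed identity (required by the extension)
if (-not $vm.Identity -or ("$($vm.Identity.Type)" -notmatch 'SystemAssigned')) {
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName   # reload with the identity
}

# Step: install the AADLoginForWindows extension, using the newest handler
# version published in the VM's region (TypeHandlerVersion wants "major.minor")
$latest = Get-AzVMExtensionImage -Location $vm.Location `
              -PublisherName 'Microsoft.Azure.ActiveDirectory' -Type 'AADLoginForWindows' |
          Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
$handlerVersion = ($latest.Version -split '\.')[0..1] -join '.'

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion $handlerVersion `
    -Location $vm.Location | Out-Null

# Step: RBAC, assigned to groups at VM scope (use the resource group as scope
# if the same groups should be able to log in to every VM in it)
$roles = @{
    $AdminGroupName = 'Virtual Machine Administrator Login'
    $UserGroupName  = 'Virtual Machine User Login'
}
foreach ($groupName in $roles.Keys) {
    $group = Get-AzADGroup -DisplayName $groupName
    if (-not $group) { throw "Azure AD group '$groupName' not found" }
    $already = Get-AzRoleAssignment -ObjectId $group.Id -Scope $vm.Id `
                   -RoleDefinitionName $roles[$groupName]
    if (-not $already) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roles[$groupName] `
            -Scope $vm.Id | Out-Null
    }
}

# Verification: the extension must reach "Succeeded" and the two login roles
# must be visible at the VM scope before any login attempt
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name 'AADLoginForWindows'
"Extension provisioning state: $($ext.ProvisioningState)"
"Identity type: $($vm.Identity.Type)"
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object RoleDefinitionName -like 'Virtual Machine * Login' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

If the extension ends in a failed provisioning state, the usual cause is that the system-assigned identity was not enabled first; fix the identity and re-run Set-AzVMExtension.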

Register the source machine with Azure AD

The login only works if the source machine (the machine you open the remote desktop connection from) is a registered or joined device in the same Azure AD tenant as the virtual machine.

You can register the source machine from Settings > Accounts > Access work or school on the source machine. Once you add a work account from your Azure AD there, the machine is registered in it.

Once you have signed in with the work account you will receive a successful registration message.

You can open Azure Active Directory in the portal and take a look at Devices. Your source machine should be listed there as Azure AD registered.

Login

The login on the virtual machine requires a special syntax. In the remote desktop credentials prompt you need to use AzureAD\<UserUPN> (for example AzureAD\alice@contoso.onmicrosoft.com) as the user name. It only works with native accounts from the Azure AD tenant; it does not work with external/guest (B2B) accounts, and it still requires the user to hold one of the two login roles on the VM.
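The client-side requirements (a registered source machine, a native tenant account, and the AzureAD\<UPN> user name) can be checked before the first connection attempt instead of learning about them from a failed RDP prompt. This is an added example for this article, not the author's code; it runs on the source Windows machine, reads the registration state with dsregcmd, and launches mstsc with a generated .rdp file. The VM address and UPN are placeholders.

```powershell
# Added example, not from the original article. Run on the SOURCE machine.
# Assumes a Windows client with dsregcmd and mstsc available (both ship with
# Windows); the VM address and user principal name are placeholders.
param(
    [string]$VmAddress         = '10.0.0.4',
    [string]$UserPrincipalName = 'alice@contoso.onmicrosoft.com'
)

function Get-DeviceRegistrationState {
    # dsregcmd /status prints "   Key : Value" lines; keep the ones that matter here
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

$state = Get-DeviceRegistrationState
# AzureAdJoined = joined device, WorkplaceJoined = Azure AD registered (work account added)
$registered = ($state['AzureAdJoined'] -eq 'YES') -or ($state['WorkplaceJoined'] -eq 'YES')
if (-not $registered) {
    throw 'This machine is not joined or registered with Azure AD. Add a work account under Settings > Accounts > Access work or school, then re-run dsregcmd /status.'
}
"Device registered with tenant: $($state['TenantName'])"

# Guest (B2B) accounts carry #EXT# in their UPN and are not supported for this login
if ($UserPrincipalName -match '#EXT#') {
    throw "Guest account '$UserPrincipalName' is not supported; use a native account of the tenant."
}
if ($UserPrincipalName -notmatch '^[^@\\]+@[^@\\]+$') {
    throw "'$UserPrincipalName' is not a user principal name (expected user@domain)."
}

# The special AzureAD\<UPN> form is what the credentials prompt expects
$loginName = "AzureAD\$UserPrincipalName"

# Write a minimal .rdp file so the user name is pre-filled, then launch mstsc
$rdpFile = Join-Path $env:TEMP ("azuread-login-" + ($VmAddress -replace '[^\w.-]', '_') + ".rdp")
@(
    "full address:s:$VmAddress",
    "username:s:$loginName",
    "prompt for credentials:i:1"
) | Set-Content -Path $rdpFile -Encoding ASCII

"Connecting to $VmAddress as $loginName"
mstsc $rdpFile
```

If the prompt still rejects the credentials after these checks pass, verify on the Azure side that the account is a member of a group holding Virtual Machine Administrator Login or Virtual Machine User Login on that VM, and that the AADLoginForWindows extension reports a succeeded provisioning state.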

Summary

Integrating Virtual Machines with Azure AD is a great way to manage virtual machine users at large scale: local accounts disappear, access is granted through group membership in the two login roles, and it can be added to an existing VM after the fact with the four steps above.


About the author

Dennes Torres


Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data into knowledge. He moved to Malta after more than 10 years leading the devSQL PASS Chapter in Rio de Janeiro and is now a member of the leadership team of the MMDPUG PASS Chapter in Malta, organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com