Enable Virtual Machine Access using Microsoft Entra ID Authentication

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show only the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Extensions to access the list of the extensions installed on selected Azure VM.

07 On the Extensions page, in the Name column, search for the VM extension required for authentication with Microsoft Entra ID, named AADLoginForWindows (Windows) or AADLoginForLinux (Linux). If the extension is not listed on this page, the software required for Microsoft Entra ID login is not installed, thus the selected Microsoft Azure virtual machine is not configured to use Microsoft Entra ID authentication for VMs.

08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine provisioned in the current Azure subscription:

az vm list
    --output table
    --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested virtual machine (VM) identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-web-server    cloud-shell-storage-westeurope
cc-staging-web-server     cloud-shell-storage-westeurope

03 Run vm extension list command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and the associated resource group as identifier parameters, to list the names of the software extensions installed on the selected Azure VM:

az vm extension list
    --vm-name cc-project5-web-server
    --resource-group cloud-shell-storage-westeurope
    --query '[*].name'

04 The command output should return the names of the extensions installed on the specified server:

[
  "AzureNetworkWatcherExtension",
  "IaaSAntimalware"
]

05 Repeat step no. 3 and 4 for each Azure virtual machine available in the current subscription.

06 Repeat steps no. 2 – 6 for each subscription available within your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine that you want to reconfigure (see Audit section part I to identify the right resource).

06 To be able to log in to your virtual machine with Microsoft Entra ID credentials, you need to install the Microsoft Entra login VM extension. Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on virtual machines. To install the required extension, perform the following commands:

1. In the navigation panel, under Settings, select Extensions, then click Add to initiate the setup process.
2. On the New resource page, select AADLoginForLinux extension (Linux) or AADLoginForWindows (Windows) from the extensions list.
3. On the selected extension panel, click Create, then click Ok to install the VM extension. The installation process should take a few minutes to complete. Once the extension is successfully installed, its status should be set to Provisioning succeeded.

07 Now that the VM extension is installed, you need to configure the Azure Role-Based Access Control (RBAC) policy to determine who can log in to your virtual machine. To configure the role assignment for the selected VM, perform the following actions:

1. In the navigation panel, choose Access control (IAM), then select Add and Add role assignment to open the Add role assignment panel.
2. On the Add role assignment panel, perform the following:
   • From the Role dropdown list select one of the following RBAC roles depending on your requirements: Virtual Machine Administrator Login or Virtual Machine User Login. Users assigned with the Virtual Machine Administrator Login role can log in to your virtual machine with administrator privileges and those with the Virtual Machine User Login role can log in to your VM with regular user privileges.
   • From Assign access to dropdown list, select Microsoft Entra ID user, group, or service principal option as the type of security principal to assign the role to.
   • Select the user, the group, the service principal, or the managed identity that you want to assign the selected role to. If you cannot find the necessary principal in the list, use the Select search box to search the directory for display names, email addresses or object identifiers.
   • Click Save to assign the selected role. To check the new assignment, click on the Role assignments tab to see the assigned role.

08 Now you can connect to the selected Azure virtual machine using SSH (Linux) or RDP (Windows) using the User Principal Name (UPN) of your Microsoft Entra ID account.

09 Repeat steps no. 5 – 8 for each Azure virtual machine that you want to reconfigure in order to enable AAD-based authentication, available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

01 Run vm show command (Windows/macOS/Linux) using the name of the virtual machine that you want to reconfigure (see Audit section part II to identify the right resource) and the name of the associated resource group as identifier parameters, to obtain the ID of the selected VM:

az vm show
    --name cc-project5-web-server
    --resource-group cloud-shell-storage-westeurope
    --query 'id'

02 The command output should return the requested identifier. The virtual machine ID will be required later, when the role assignment will be created:

"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server"

03 To be able to log in to your virtual machine using Microsoft Entra ID credentials, you need to install the Microsoft Entra login extension named AADLoginForLinux (Linux) or AADLoginForWindows (Windows). To install the required extension, run vm extension set command (Windows/macOS/Linux) using the name and the associated resource group of the virtual machine that you want to reconfigure as identifier parameters. Replace --publisher and --name parameter values with Microsoft.Azure.ActiveDirectory and AADLoginForWindows if the operating system of your virtual machine is Windows (the command does not produce an output):

az vm extension set
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH
    --name AADLoginForLinux
    --vm-name cc-project5-web-server
    --resource-group cloud-shell-storage-westeurope

04 Now that the VM extension is installed, you need to configure the Azure Role-Based Access Control (RBAC) policy to determine who can log in to your virtual machine. To create and configure a new role assignment for the user, group or service principal that will access selected VM, run role assignment create command (Windows/macOS/Linux) using one of the following RBAC roles, depending on your needs: Virtual Machine Administrator Login or Virtual Machine User Login. Users assigned with the Virtual Machine Administrator Login role can log in to your virtual machine with administrator privileges and those with the Virtual Machine User Login role can log in to your VM with regular user privileges. As example, the following command request is using the Virtual Machine Administrator Login role. The --assignee parameter value represent the user, group or service principal that you want to assign the role to and the --scope parameter value is the ID of the selected virtual machine, returned at step no. 2:

az role assignment create
    --role "Virtual Machine Administrator Login"
    --assignee "vm-admin@cloudconformity.onmicrosoft.com"
    --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server"

05 The command output should return the metadata for the newly created role assignment:

{
  "canDelegate": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "abcdabcd-1234-1234-1234-abcd1234abcd",
  "principalName": "vm-admin@cloudconformity.onmicrosoft.com",
  "principalType": "User",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
  "roleDefinitionName": "Virtual Machine Administrator Login",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server",
  "type": "Microsoft.Authorization/roleAssignments"
}

06 Now you can connect to the selected Azure virtual machine using SSH (Linux) or RDP (Windows) using the User Principal Name (UPN) of your Microsoft Entra ID account.

07 Repeat steps no. 1 – 6 for each Azure virtual machine that you want to reconfigure in order to enable Microsoft Entra ID authentication, deployed in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription available in your Microsoft Azure cloud account.