Enable Virtual Machine Access using Microsoft Entra ID Authentication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure virtual machines (VMs) are configured to use Microsoft Entra ID credentials for secure SSH/RDP access. Once enabled, you can use your corporate Microsoft Entra ID credentials to log in to your virtual machines, enforce Multi-Factor Authentication (MFA), or enable access via RBAC roles.

Security

When you use Microsoft Entra ID authentication for virtual machines, you can create and enforce policies that allow or deny access to your VMs from one central location, simplifying access permission management. For example, you can easily revoke SSH access to your VMs when an employee leaves your organization by simply disabling their Microsoft Entra ID account. Other important benefits of using Microsoft Entra ID authentication to log in to your Azure virtual machines are:

Eliminating the need for creating and managing local administrator accounts. The only access credentials required will be your Microsoft Entra ID credentials (i.e. Single Sign-On authentication).

Using password complexity and password lifetime policies created for your Microsoft Entra ID to help secure your virtual machines.

Further reducing your dependence on local administrator accounts, so you no longer have to worry about credential loss or theft, or about users configuring weak, non-compliant credentials.

Using Role-Based Access Control (RBAC) policies to determine who can log in to your Azure VMs.

Allowing you to enable Multi-Factor Authentication (MFA) for an additional layer of protection during VM login.

Audit

To determine if your Microsoft Azure virtual machines are configured to use Microsoft Entra ID authentication, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show only the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the navigation panel, under Settings, select Extensions to access the list of the extensions installed on selected Azure VM.

07 On the Extensions page, in the Name column, search for the VM extension required for authentication with Microsoft Entra ID, named AADLoginForWindows (Windows) or AADLoginForLinux (Linux). If the extension is not listed on this page, the software required for Microsoft Entra ID login is not installed, thus the selected Microsoft Azure virtual machine is not configured to use Microsoft Entra ID authentication for VMs.

08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine provisioned in the current Azure subscription:

az vm list \
    --output table \
    --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested virtual machine (VM) identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-web-server    cloud-shell-storage-westeurope
cc-staging-web-server     cloud-shell-storage-westeurope

03 Run vm extension list command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and the associated resource group as identifier parameters, to list the names of the software extensions installed on the selected Azure VM:

az vm extension list \
    --vm-name cc-project5-web-server \
    --resource-group cloud-shell-storage-westeurope \
    --query '[*].name'

04 The command output should return the names of the extensions installed on the specified server:

[
  "AzureNetworkWatcherExtension",
  "IaaSAntimalware"
]

If the list returned by the vm extension list command output does not include the VM extension necessary for authentication with Microsoft Entra ID, i.e. "AADLoginForWindows" for Windows or "AADLoginForLinux" for Linux operating system, the software required for Microsoft Entra ID login is not installed, therefore the selected Microsoft Azure virtual machine is not configured to use Microsoft Entra ID authentication for virtual machines.

05 Repeat steps no. 3 and 4 for each Azure virtual machine available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Entra ID authentication for existing virtual machines (VMs), perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine that you want to reconfigure (see Audit section part I to identify the right resource).

06 To be able to log in to your virtual machine with Microsoft Entra ID credentials, you need to install the Microsoft Entra login VM extension. Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on virtual machines. To install the required extension, perform the following actions:

  1. In the navigation panel, under Settings, select Extensions, then click Add to initiate the setup process.
  2. On the New resource page, select AADLoginForLinux extension (Linux) or AADLoginForWindows (Windows) from the extensions list.
  3. On the selected extension panel, click Create, then click Ok to install the VM extension. The installation process should take a few minutes to complete. Once the extension is successfully installed, its status should be set to Provisioning succeeded.

07 Now that the VM extension is installed, you need to configure the Azure Role-Based Access Control (RBAC) policy to determine who can log in to your virtual machine. To configure the role assignment for the selected VM, perform the following actions:

  1. In the navigation panel, choose Access control (IAM), then select Add and Add role assignment to open the Add role assignment panel.
  2. On the Add role assignment panel, perform the following:
    • From the Role dropdown list select one of the following RBAC roles depending on your requirements: Virtual Machine Administrator Login or Virtual Machine User Login. Users assigned with the Virtual Machine Administrator Login role can log in to your virtual machine with administrator privileges and those with the Virtual Machine User Login role can log in to your VM with regular user privileges.
    • From Assign access to dropdown list, select Microsoft Entra ID user, group, or service principal option as the type of security principal to assign the role to.
    • Select the user, the group, the service principal, or the managed identity that you want to assign the selected role to. If you cannot find the necessary principal in the list, use the Select search box to search the directory for display names, email addresses or object identifiers.
    • Click Save to assign the selected role. To check the new assignment, click on the Role assignments tab to see the assigned role.

08 Now you can connect to the selected Azure virtual machine using SSH (Linux) or RDP (Windows) using the User Principal Name (UPN) of your Microsoft Entra ID account.

09 Repeat steps no. 5 – 8 for each Azure virtual machine that you want to reconfigure in order to enable Microsoft Entra ID-based authentication, available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm show command (Windows/macOS/Linux) using the name of the virtual machine that you want to reconfigure (see Audit section part II to identify the right resource) and the name of the associated resource group as identifier parameters, to obtain the ID of the selected VM:

az vm show \
    --name cc-project5-web-server \
    --resource-group cloud-shell-storage-westeurope \
    --query 'id'

02 The command output should return the requested identifier. The virtual machine ID will be required later, when the role assignment is created:

"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server"

03 To be able to log in to your virtual machine using Microsoft Entra ID credentials, you need to install the Microsoft Entra login extension named AADLoginForLinux (Linux) or AADLoginForWindows (Windows). To install the required extension, run vm extension set command (Windows/macOS/Linux) using the name and the associated resource group of the virtual machine that you want to reconfigure as identifier parameters. Replace --publisher and --name parameter values with Microsoft.Azure.ActiveDirectory and AADLoginForWindows if the operating system of your virtual machine is Windows (the command does not produce an output):

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux \
    --vm-name cc-project5-web-server \
    --resource-group cloud-shell-storage-westeurope

04 Now that the VM extension is installed, you need to configure the Azure Role-Based Access Control (RBAC) policy to determine who can log in to your virtual machine. To create and configure a new role assignment for the user, group or service principal that will access the selected VM, run role assignment create command (Windows/macOS/Linux) using one of the following RBAC roles, depending on your needs: Virtual Machine Administrator Login or Virtual Machine User Login. Users assigned the Virtual Machine Administrator Login role can log in to your virtual machine with administrator privileges and those with the Virtual Machine User Login role can log in to your VM with regular user privileges. As an example, the following command uses the Virtual Machine Administrator Login role. The --assignee parameter value represents the user, group or service principal that you want to assign the role to, and the --scope parameter value is the ID of the selected virtual machine, returned at step no. 2:

az role assignment create \
    --role "Virtual Machine Administrator Login" \
    --assignee "vm-admin@cloudconformity.onmicrosoft.com" \
    --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server"

05 The command output should return the metadata for the newly created role assignment:

{
  "canDelegate": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "abcdabcd-1234-1234-1234-abcd1234abcd",
  "principalName": "vm-admin@cloudconformity.onmicrosoft.com",
  "principalType": "User",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "roleDefinitionId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/providers/Microsoft.Authorization/roleDefinitions/1234abcd-1234-abcd-1234-abcd1234abcd",
  "roleDefinitionName": "Virtual Machine Administrator Login",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-web-server",
  "type": "Microsoft.Authorization/roleAssignments"
}

06 Now you can connect to the selected Azure virtual machine using SSH (Linux) or RDP (Windows) using the User Principal Name (UPN) of your Microsoft Entra ID account.

07 Repeat steps no. 1 – 6 for each Azure virtual machine that you want to reconfigure in order to enable Microsoft Entra ID authentication, deployed in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription available in your Microsoft Azure cloud account.
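As an added example (not Conformity's or Microsoft's code), the following Python applies the per-OS extension check from the Audit section to the JSON that the az commands above return and, for each non-compliant VM, builds the vm extension set and role assignment create commands from this Remediation section. It assumes the az CLI field names storageProfile.osDisk.osType, name and provisioningState; the VM records are constructed samples and the subscription id is a placeholder.

```python
# Added example (not Conformity's or Microsoft's code): evaluate the JSON that
# `az vm list` / `az vm extension list` return and emit the page's remediation
# commands for non-compliant VMs. Records are constructed samples whose field
# names follow az CLI output (assumption); the subscription id is a placeholder.
import json

EXPECTED = {  # per-OS extension name and publisher, from the Remediation section
    "Linux": ("AADLoginForLinux", "Microsoft.Azure.ActiveDirectory.LinuxSSH"),
    "Windows": ("AADLoginForWindows", "Microsoft.Azure.ActiveDirectory"),
}
SUBSCRIPTION = "SUB-ID-PLACEHOLDER"
VMS_JSON = """[
 {"name": "cc-project5-web-server", "resourceGroup": "cloud-shell-storage-westeurope",
  "storageProfile": {"osDisk": {"osType": "Linux"}}},
 {"name": "cc-staging-web-server", "resourceGroup": "cloud-shell-storage-westeurope",
  "storageProfile": {"osDisk": {"osType": "Windows"}}}]"""
EXTENSIONS_JSON = {  # constructed `az vm extension list` output, keyed by VM name
    "cc-project5-web-server": '[{"name": "AzureNetworkWatcherExtension", "provisioningState": "Succeeded"},'
                              ' {"name": "IaaSAntimalware", "provisioningState": "Succeeded"}]',
    "cc-staging-web-server": '[{"name": "AADLoginForWindows", "provisioningState": "Succeeded"}]',
}

def evaluate(vm, extensions):
    """Compliant only if the OS-matching Entra login extension is installed AND
    reached 'Succeeded'; a failed or half-provisioned extension still fails."""
    expected_name = EXPECTED[vm["storageProfile"]["osDisk"]["osType"]][0]
    for ext in extensions:
        if ext["name"] == expected_name:
            state = ext.get("provisioningState")
            return state == "Succeeded", f"{expected_name} state: {state}"
    return False, f"{expected_name} not installed"

def remediation(vm):
    """The two `az` commands from the Remediation section, filled in for this VM.
    User Login is the least-privilege role; use Administrator Login only when needed."""
    name, publisher = EXPECTED[vm["storageProfile"]["osDisk"]["osType"]]
    scope = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{vm['resourceGroup']}"
             f"/providers/Microsoft.Compute/virtualMachines/{vm['name']}")
    return [f"az vm extension set --publisher {publisher} --name {name} "
            f"--vm-name {vm['name']} --resource-group {vm['resourceGroup']}",
            f'az role assignment create --role "Virtual Machine User Login" '
            f'--assignee <UPN-OR-OBJECT-ID> --scope "{scope}"']

def audit(vms_json, extensions_by_vm):
    """Map each VM name to its finding plus the remediation commands if it fails."""
    findings = {}
    for vm in json.loads(vms_json):
        ok, reason = evaluate(vm, json.loads(extensions_by_vm.get(vm["name"], "[]")))
        findings[vm["name"]] = {"compliant": ok, "reason": reason,
                                "fix": [] if ok else remediation(vm)}
    return findings
```

In practice, feed it the real output of az vm list and az vm extension list per VM; the extension name alone is not enough, since an extension stuck in a failed provisioning state does not give you Entra ID login.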

Publication date Nov 8, 2019