How to access Azure Linux virtual machines with Azure Active Directory

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

Using Azure AD credentials to access Azure Linux virtual machines improves security by:

  • Centrally controlling and enforcing access policies on Azure AD credentials
  • Reducing the reliance on local access accounts
  • Integrating with multi-factor authentication


In this blog post, I will quickly walk through the basic configuration steps for accessing Azure Linux virtual machines using Azure AD credentials. For detailed steps and documentation, see Log into a Linux Virtual machine in Azure using Azure Active Directory authentication.


Create a Virtual Machine


First things first, you need an Azure Linux virtual machine. This blog uses the Azure CLI to create the virtual machine, but any method for deploying a virtual machine will work. If you already have an Azure Linux virtual machine, this section can be skipped.


Create a resource group using the az group create command.


az group create --name myResourceGroup --location eastus


Create a virtual machine using the az vm create command. Notice here that I have neither used the --admin-username argument to create a local user account nor used any arguments to create or provide SSH keys.


az vm create --resource-group myResourceGroup --name linuxVM --image UbuntuLTS


Here is where the magic happens. Use the az vm extension set command to install the Active Directory Linux SSH extension. This extension is responsible for the configuration of the Azure AD integration.


az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux --resource-group myResourceGroup --vm-name linuxVM


Configure Role-Based Access


Before logging into the virtual machine with an Azure AD account, the Azure AD access must be configured. To do so, we will create a role binding between the Azure AD account, the "Virtual Machine Administrator Login" Azure role, and the virtual machine.


First, get the ID of the virtual machine using the az vm show command. In this example, the ID is stored in a variable named VMID.


VMID=$(az vm show --resource-group myResourceGroup --name linuxVM --query id -o tsv)


Create the role binding using the az role assignment create command. Note that the --assignee value is the Azure AD user or group that is being granted access.


az role assignment create --role "Virtual Machine Administrator Login" --assignee <aad-user-or-group> --scope $VMID


Access the VM


With the VM created and the access established, you can now access the VM using SSH. First, get the public IP address of the virtual machine, which can be done with the az vm show command.


az vm show -d --resource-group myResourceGroup --name linuxVM --query publicIps -o tsv


Now create the SSH connection. In this example, I am using SSH from a terminal. Take note that the Azure AD user account is specified in the command.


ssh <aad-user-account>@<vm-public-ip>


Once the connection is initiated, you are prompted to open a browser and complete the authentication. Follow the instructions and press ENTER when done.


To sign in, use a web browser to open the page and enter the code AJ9GDRXBQ to authenticate. Press ENTER when ready.


At this point, the SSH connection should have been successfully created. Feel free to reach out in comments or on Twitter at @nepeters.
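The provisioning steps above wrapped in one shell function, plus a check of which principals actually hold the login role on the VM (direct assignment versus one inherited from the resource group or subscription), as an added example that is not code from the original post. The assignee argument, the sample assignment rows and the all-zero subscription id are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: wraps the post's steps in a
# function and adds an audit of who holds the login role on the VM. The
# assignee argument and the sample rows below are placeholders, not tenant data.
set -eu
RG="${RG:-myResourceGroup}"
VM="${VM:-linuxVM}"
LOCATION="${LOCATION:-eastus}"
LOGIN_ROLE="Virtual Machine Administrator Login"

# The post's provisioning steps. Nothing runs until this is called with an
# Azure AD user principal name or group object id as the assignee.
provision_aad_login() {
    assignee="$1"
    az group create --name "$RG" --location "$LOCATION" -o none
    # No --admin-username and no SSH key arguments, as in the post: Azure AD is
    # the only login path that gets configured.
    az vm create --resource-group "$RG" --name "$VM" --image UbuntuLTS -o none
    az vm extension set --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
        --name AADLoginForLinux --resource-group "$RG" --vm-name "$VM" -o none
    vmid=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)
    # Scope the assignment to this one VM rather than the group or subscription.
    az role assignment create --role "$LOGIN_ROLE" --assignee "$assignee" \
        --scope "$vmid" -o none
}

# Audit: reads the TSV produced by
#   az role assignment list --scope "$VMID" --include-inherited \
#     --query "[].[principalName,roleDefinitionName,scope]" -o tsv
# on stdin and prints each principal holding the login role, tagged "direct"
# when assigned at the VM scope and "inherited" when it comes from a parent.
login_principals() {
    vmid="$1"
    awk -F "$(printf '\t')" -v role="$LOGIN_ROLE" -v vmid="$vmid" '
        $2 == role {
            tag = ($3 == vmid) ? "direct" : "inherited"
            print $1 "\t" tag
        }'
}

# Constructed sample of that TSV so the audit can be exercised offline.
SAMPLE_VMID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$RG/providers/Microsoft.Compute/virtualMachines/$VM"
sample_assignments() {
    printf 'alice@contoso.example\t%s\t%s\n' "$LOGIN_ROLE" "$SAMPLE_VMID"
    printf 'bob@contoso.example\tReader\t%s\n' "$SAMPLE_VMID"
    printf 'ops-admins\t%s\t/subscriptions/00000000-0000-0000-0000-000000000000\n' "$LOGIN_ROLE"
}
audit_sample() { sample_assignments | login_principals "$SAMPLE_VMID"; }
audit_sample
```

Against a live VM, pipe the az role assignment list output into login_principals with the real VM id; an unexpected "inherited" row means login rights were granted above the VM scope.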
