Microsoft Previews Azure AD for Linux Virtual Machines Extension

Microsoft this month announced a preview of the ability to log into a Linux-based virtual machine (VM) running on its Azure public cloud service using Azure Active Directory credentials.

It's apparently a new capability, which is perhaps surprising given that Linux-based VMs have been able to run on Azure infrastructure for several years. Organizations might consider using Azure AD with Linux VMs to get better control over the access keys used in IT departments, argued Alex Simons, director of program management at the Microsoft Identity Division, in the announcement.

To access Linux VMs on Azure, organizations typically have been creating local administrator accounts and authenticating with Secure Shell (SSH) keys or passwords. However, that approach can lead to security issues, since those accounts and keys may stick around even as IT personnel shift roles or leave the organization, he suggested.

Instead, organizations can now try the "Azure Active Directory log in VM extension," which is currently available in preview for use with particular Linux distros, according to Microsoft's documentation. The supported distros are:

  • CentOS 6.9 and CentOS 7.4
  • Red Hat Enterprise Linux 7
  • Ubuntu 14.04 LTS, Ubuntu Server 16.04 and Ubuntu Server 17.10

The advantage of using Azure AD is that access to the Linux VM is revoked when a person leaves the organization and their Azure AD account is deleted, rather than lingering in a local account on the VM.

Microsoft also is touting the ability to layer other security measures on top of Azure AD access to Linux VMs. For instance, it's possible to use role-based access control to determine which IT personnel can log into which Linux VMs.

However, some of those added security measures typically require having an Azure AD Premium subscription in place. For instance, the Premium option provides access to Azure AD Privileged Identity Management, which can be used to set so-called "just-in-time" access limits on Linux VMs, where the access expires after a set period of time. It's also possible to use "multifactor authentication," or MFA, an access scheme that requires a secondary proof of identity, such as a response to a text message or a phone call, for verification. Multifactor authentication comes with Azure AD Premium subscriptions, or it's possible to buy MFA licenses separately, according to this Microsoft document.
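To make the two models the preceding paragraphs contrast concrete, here is an added example (not Microsoft's code or anything from the announcement) that, first, audits a Linux VM's local accounts and SSH keys against a directory roster to find access that has outlived its owner, and second, models the directory-driven decision: a login is granted only to a principal that still exists in the directory, has passed MFA, and holds an active, non-expired login role on a scope covering the VM. All of the passwd lines, key lists, user roster, resource IDs and timestamps are constructed sample data; the mapping of a local account name to `<name>@<domain>` is an assumption for the audit; the two role names are Azure's built-in VM login roles, which the article itself does not name; and the decision function is a simplified illustration of the RBAC/just-in-time/MFA checks described above, not Azure's actual implementation.

```python
"""Access reconciliation for Linux VMs (added example with constructed data).

Part 1 audits the "before" model: local accounts and SSH keys that can
outlive the people who created them.
Part 2 models the "after" decision: login requires an existing directory
user, a passed MFA check, and an active (non-expired) login role on a scope
that covers the VM.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# ---- Part 1: constructed sample data from one Linux VM ----------------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Ops:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left last year):/home/bob:/bin/bash
deploy:x:1002:1002:shared deploy account:/home/deploy:/bin/bash
"""

# constructed ~user/.ssh/authorized_keys contents, keyed by local account
SAMPLE_AUTHORIZED_KEYS: Dict[str, List[str]] = {
    "alice": ["ssh-ed25519 AAAAC3Nz...alice alice@corp"],
    "bob": ["ssh-rsa AAAAB3Nz...bob bob@corp"],
    "deploy": ["ssh-rsa AAAAB3Nz...k1 ci@corp", "ssh-rsa AAAAB3Nz...k2 unknown"],
}

# constructed directory roster: bob's Azure AD account has been deleted
DIRECTORY_USERS = {"alice@corp.example", "carol@corp.example"}


def interactive_accounts(passwd_text: str) -> List[str]:
    """Return non-system accounts (uid >= 1000) that have a real login shell."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip it rather than abort the audit
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= 1000 and not shell.endswith(("nologin", "false")):
            names.append(name)
    return names


def find_orphaned_local_access(passwd_text: str,
                               authorized_keys: Dict[str, List[str]],
                               directory_users: set,
                               domain: str) -> List[dict]:
    """Flag local accounts with no matching directory user or with several keys.

    Assumes (hypothetically) that local account <name> maps to <name>@<domain>.
    """
    findings = []
    for name in interactive_accounts(passwd_text):
        keys = authorized_keys.get(name, [])
        reasons = []
        if f"{name}@{domain}" not in directory_users:
            reasons.append("no matching directory user")
        if len(keys) > 1:
            reasons.append(f"{len(keys)} authorized keys (shared account?)")
        if reasons:
            findings.append({"account": name, "keys": len(keys), "reasons": reasons})
    return findings


# ---- Part 2: directory-driven login decision (simplified model) -------------
@dataclass
class RoleAssignment:
    principal: str
    role: str                                 # built-in VM login role name
    scope: str                                # resource id prefix it covers
    activated_at: Optional[datetime] = None   # JIT: time of activation
    duration: Optional[timedelta] = None      # JIT: None means standing access


def evaluate_login(principal: str, vm_id: str, assignments: List[RoleAssignment],
                   directory_users: set, now: datetime,
                   mfa_passed: bool) -> Tuple[bool, str]:
    """Decide whether `principal` may log in to `vm_id` at time `now`."""
    if principal not in directory_users:
        return False, "principal not in directory"   # deleted user: access gone
    if not mfa_passed:
        return False, "MFA required"
    for a in assignments:
        if a.principal != principal or not vm_id.startswith(a.scope):
            continue
        if a.duration is not None:  # JIT assignment: honour the expiry window
            if a.activated_at is None or now > a.activated_at + a.duration:
                continue
        return True, a.role
    return False, "no active login role on this scope"


T0 = datetime(2018, 8, 1, 9, 0, tzinfo=timezone.utc)   # constructed activation time
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-linux/providers/Microsoft.Compute/virtualMachines/web01")
SAMPLE_ASSIGNMENTS = [
    # alice: JIT admin on the whole resource group, four-hour activation
    RoleAssignment("alice@corp.example", "Virtual Machine Administrator Login",
                   VM_ID.rsplit("/providers", 1)[0], activated_at=T0,
                   duration=timedelta(hours=4)),
    # carol: standing user-level login on this one VM
    RoleAssignment("carol@corp.example", "Virtual Machine User Login", VM_ID),
    # bob: stale assignment, harmless because his directory account is gone
    RoleAssignment("bob@corp.example", "Virtual Machine Administrator Login", VM_ID),
]

if __name__ == "__main__":
    for f in find_orphaned_local_access(SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS,
                                        DIRECTORY_USERS, "corp.example"):
        print("local access finding:", f)
    for who, when, mfa in [("alice@corp.example", T0 + timedelta(hours=1), True),
                           ("alice@corp.example", T0 + timedelta(hours=5), True),
                           ("carol@corp.example", T0, False),
                           ("bob@corp.example", T0, True)]:
        print(who, when.isoformat(),
              evaluate_login(who, VM_ID, SAMPLE_ASSIGNMENTS, DIRECTORY_USERS, when, mfa))
```

Running the script reports `bob` (no directory user) and `deploy` (no directory user, two keys) as orphaned local access, while in the directory-driven model bob is refused outright even though a stale role assignment still names him, and alice's admin access disappears once her four-hour activation window has passed.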

Despite the better control Azure AD provides, the actual log-in experience for Linux VMs on Azure seems kind of bumpy. Users have to open Azure Cloud Shell or Azure CLI version 2.0.31 or later. They then have to log into their Azure AD account using a one-time-use code, return to the SSH command-line prompt and hit the ENTER key to get access, Microsoft's documentation explains.

This feature for Linux VMs is still at the preview stage, so it's not intended for use in production environments. Microsoft also plans to bring Azure AD access to Windows VMs running on Azure infrastructure sometime this year.

"We are working to enable you to login to Windows Server VMs in Azure using Azure AD and expect to have it in preview later this year," Simons indicated.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

