Microsoft this month announced a preview of the ability to log into a Linux-based virtual machine (VM) running on its Azure public cloud service using Azure Active Directory credentials.
It is a new capability, which may come as a surprise given that Linux VMs have been running on Azure infrastructure for several years. In the announcement, Alex Simons, director of program management at the Microsoft Identity Division, argued that organizations might use Azure AD with Linux VMs to get better control over the access keys and credentials their IT departments hand out.
To access Linux VMs on Azure, organizations have typically created local administrator accounts on each VM and authenticated to them with SSH keys or passwords. That approach can lead to security issues because those accounts, and the keys tied to them, tend to linger on the VM even as IT personnel change roles or leave the organization, he suggested.
Instead, organizations can now try the “Azure Active Directory log in VM extension,” which is currently available in preview for use with particular Linux distros, according to Microsoft’s documentation. The supported distros are:
- CentOS 6.9 and CentOS 7.4
- Red Hat Enterprise Linux 7
- Ubuntu 14.04 LTS, Ubuntu Server 16.04 and Ubuntu Server 17.10
The advantage of using Azure AD is that access is revoked centrally: when people leave the organization and their Azure AD account is disabled or deleted, they can no longer sign in to the Linux VM, and nobody has to go and clean up accounts or keys on each machine.
Microsoft is also touting the other security controls that come with using Azure AD for access to Linux VMs. For instance, Azure role-based access control (RBAC) can be used to decide which IT personnel may sign in to which VMs, and whether they get an administrator login (with sudo rights) or only a standard user login.
However, some of those added security measures typically require an Azure AD Premium subscription. For instance, the Premium tier provides Azure AD Privileged Identity Management, which can be used to grant so-called “just-in-time” access to Linux VMs, where the access expires after a set period of time. It is also possible to require multifactor authentication (MFA), which demands a second factor, such as a response to a text message or a phone call, before the sign-in is accepted. MFA comes with Azure AD Premium subscriptions, or standalone MFA licenses can be bought, according to this Microsoft document.
Despite the better control Azure AD provides, the actual sign-in experience for Linux VMs on Azure is somewhat bumpy. Users need Azure Cloud Shell or Azure CLI version 2.0.31 or later. When they start the SSH connection they are shown a one-time code, which they use to sign in to their Azure AD account in a browser; then they return to the SSH command-line prompt and press ENTER to complete the login, Microsoft’s documentation explains.
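The steps described above, enabling the extension, granting (and revoking) sign-in through RBAC, and building the SSH command, as an added example that is not code from the article or from Microsoft’s documentation. It assumes the preview extension’s publisher and name (Microsoft.Azure.ActiveDirectory.LinuxSSH / AADLoginForLinux), the two built-in roles “Virtual Machine Administrator Login” and “Virtual Machine User Login”, and that the SSH login name is the user’s Azure AD user principal name; the resource group, VM name and user are placeholders. The AZ variable lets you substitute `echo` for the real az binary to dry-run the commands without a subscription.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's docs). Wraps the Azure CLI
# steps for Azure AD login to a Linux VM. Set AZ=echo to dry-run the commands.
set -u
AZ="${AZ:-az}"

# Step 1: install the preview extension on an existing Linux VM
# (publisher/name as assumed for the preview; check "az vm extension image list").
aad_enable_login() {
  rg="$1"; vm="$2"
  "$AZ" vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
    --name AADLoginForLinux \
    --resource-group "$rg" --vm-name "$vm"
}

# Resolve the VM's resource ID so the role assignment is scoped to that one VM,
# not to the whole resource group or subscription (least privilege).
aad_vm_scope() {
  "$AZ" vm show --resource-group "$1" --name "$2" --query id -o tsv
}

# Validate the role name: only the two sign-in roles make sense here.
aad_check_role() {
  case "$1" in
    "Virtual Machine Administrator Login"|"Virtual Machine User Login") return 0 ;;
    *) echo "unknown login role: $1" >&2; return 1 ;;
  esac
}

# Step 2: grant sign-in to one Azure AD user (UPN). Defaults to the non-sudo role.
aad_grant_login() {
  rg="$1"; vm="$2"; upn="$3"; role="${4:-Virtual Machine User Login}"
  aad_check_role "$role" || return 1
  scope="$(aad_vm_scope "$rg" "$vm")"
  "$AZ" role assignment create --role "$role" --assignee "$upn" --scope "$scope"
}

# Revocation is the mirror image. Because sign-in is checked against Azure AD at
# connection time, no local account or authorized_keys entry needs cleaning up.
aad_revoke_login() {
  rg="$1"; vm="$2"; upn="$3"; role="${4:-Virtual Machine User Login}"
  aad_check_role "$role" || return 1
  scope="$(aad_vm_scope "$rg" "$vm")"
  "$AZ" role assignment delete --role "$role" --assignee "$upn" --scope "$scope"
}

# Step 3: the interactive sign-in. The login name is the Azure AD UPN (assumed);
# -l avoids ambiguity with the '@' in the UPN. ssh prints a one-time device code,
# you sign in with it in a browser, then press ENTER at the SSH prompt.
aad_ssh_command() {
  printf 'ssh -l %s %s\n' "$1" "$2"
}

# Usage (placeholders; real az calls unless AZ=echo):
#   aad_enable_login myResourceGroup myVM
#   aad_grant_login  myResourceGroup myVM alice@contoso.onmicrosoft.com
#   $(aad_ssh_command alice@contoso.onmicrosoft.com 10.0.0.4)
```

Grant the administrator role only to the people who actually need sudo, and keep the assignment scoped to the VM (or a resource group of VMs) rather than the subscription; with Azure AD Premium the same assignment can be made eligible in Privileged Identity Management instead of permanent.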
The feature for Linux VMs is still at the preview stage, so it is not intended for production use. Microsoft also plans to bring Azure AD sign-in to Windows VMs running on Azure infrastructure sometime this year.
“We are working to enable you to login to Windows Server VMs in Azure using Azure AD and expect to have it in preview later this year,” Simons indicated.