1. Overview

In this tutorial, you will learn how to use Azure Active Directory (Azure AD) to manage SSH logins for Ubuntu virtual machines (VMs) on Azure.

We will use Ubuntu Pro VMs, as these are normally the most appropriate starting point for somebody who would be interested in managing their logins with Azure AD, but what we will learn would also apply to Ubuntu Server LTS VMs.

What you’ll learn

  • How to find your Azure subscription name
  • How to create a VM through the Azure Portal that uses Azure AD to manage the SSH login details
  • How to give a user Administrative/sudo access to VMs within the Resource Group
  • How to log into the VM (using az ssh)
  • How to create a VM using the Azure CLI that uses Azure AD to manage the SSH login details
  • How to restrict the access of a VM to user-only (non-sudo)
  • How to delete the test Resource Groups that we created

What you’ll need

  • A Microsoft Azure account with Azure AD
  • Sufficient privileges to launch VMs within that Azure account
  • Version 2.22.1 or later of the Azure CLI. Run az --version to see the version of az you already have installed or see here for installation or upgrade instructions.

2. Find your Azure subscription name

First we will find out the subscription name for the subscription we are going to use for this tutorial. You can see your subscriptions in the Subscriptions Blade of the Portal.

I have created a new subscription called “For_AzureAD_tutorial”, but you can use one you already have. Take note of your subscription name.


3. Create a VM that uses Azure AD for SSH logins

First we will go to the Create a VM screen in the Azure Portal:

In the “Subscription” box, we will select the subscription from the earlier step, so “For_AzureAD_tutorial” in my case:

For “Resource group”, we will click “Create new”, type the Resource Group name “AzureADUbuntuVMLoginTest” and click “OK”:

For the “Virtual machine name” we will type “First-Ubuntu-VM-with-sudo-AzureAD-login”.

Let’s use North Europe for the Region.

For the Image, we are going to use Ubuntu Pro 20.04 LTS. So first we are going to click “See all images”:

Search the Marketplace for “Canonical Ubuntu Pro 20.04”. Choose Ubuntu Pro 20.04 LTS:

image

Click the “Select” in the bottom left and choose “Ubuntu Pro 20.04 LTS - Gen1”. We are now back in the “Create a virtual machine” screen with the correct image. Your screen should look like the below:

The size of the VM does not matter much for our purposes, so let’s choose something small – a Standard_DS1_v2 1vcpu, 3.5 GiB memory:

For the Administrator account section, we want to use Azure AD to manage our logins, but while the functionality is in preview, we must still set up a “normal” authentication option as well. We will select “Password”, make the Username “azureuser” and set a password of your choosing – though if all goes well, we should not need to use it again.

Leave the Inbound ports as allowing SSH (22).

Next, we click the “Management” tab at the top:

We can deselect “Enable basic plan for free” on Azure Security Center and “Disable” Boot diagnostics.

Select “Login with Azure AD (Preview)”. We see that “System assigned managed identity” is also automatically selected.

Our selections should look like this:

Click Review + create, make sure you are happy with the “TERMS”, fill in any fields about you that you need to fill in and click “Create”.

We should see a “Deployment is in progress” screen:

image

And finally, a “Your deployment is complete”:

image

Congratulations! We have created a VM with Azure AD SSH login capability.


4. Allocate Administrator access to VMs within the Resource Group

First, we need to find our Resource Group, so we will visit the Resource Groups blade in the Portal.

Our “AzureADUbuntuVMLoginTest” is there in the list, so we will click on that.

On the left-hand side, click “Access control (IAM)”:

Click “Add”, “Add role assignment”:

add

A pane appears that has “Role”, “Assign access to” and “Select”, with a list of users in the Azure AD.

image

Start typing “Virtual Machine Administrator Login” in the Role box and the role should appear, letting us select it. We will leave the “Assign access to” box as it is. Then we will select ourselves in the “Select” box and click “Save”.

Well done, we have assigned ourselves the relevant role.


5. Log into the VM using our Azure AD login

Let’s try logging into our new VM. We will open our Terminal (Ctrl+Alt t on Ubuntu).

First, let’s log out of the Azure CLI so that we know we are starting from a clean slate:

az logout

The next thing we are going to do is to set the subscription we are using as a variable. This means that if you are using a different subscription name, you only need to change that in this command below, rather than every time I use “For_AzureAD_tutorial”:

UBUNTU_AZURE_AD_TEST_SUBSCRIPTION="For_AzureAD_tutorial"

The above will work if you are working through this tutorial on Ubuntu or most other Linux variants, but on other platforms you may need to replace $UBUNTU_AZURE_AD_TEST_SUBSCRIPTION in any commands below with your subscription name manually.

Then we can login again:

az login

This will likely take you to a web browser that will let you log into your Azure account. We are now logged into the Azure CLI, so can type:

az ssh vm -n First-Ubuntu-VM-with-sudo-AzureAD-login -g AzureADUbuntuVMLoginTest --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION"

Accept the host authenticity by typing “yes”, and ta-da:

We have successfully logged into our VM without using the password that we set up when creating it (or knowing the Public IP address of the VM). Azure AD is managing the ssh certificates behind the scenes so that you only need to use your Microsoft login.

We can test our sudo (administrative/superuser) privileges by typing:
sudo ua status --wait

Let’s exit out of the SSH session:
exit


6. Creating a VM with Azure AD ssh login from the Azure CLI

Create a second VM from the Azure CLI

Now we are going to create a second VM in the same Resource Group, also allowing Azure AD login, but this time using the Azure CLI.

We go back to our terminal again and type:

az vm create --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" --resource-group AzureADUbuntuVMLoginTest --name Second-Ubuntu-VM --image Canonical:0001-com-ubuntu-pro-focal:pro-20_04-lts:latest --assign-identity --admin-username azureuser --admin-password "VeryInsecure-OnlyForTesting!" --public-ip-sku Basic

The CLI will print out information about the new VM:

We now have another VM in the same Resource Group. We need to enrol this VM into Azure AD SSH Logins with the following:

az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" --resource-group AzureADUbuntuVMLoginTest --vm-name Second-Ubuntu-VM

Check access to the VM

As the VM is in the same Resource Group as our first VM and we gave ourselves Virtual Machine Administrator Login access to the Resource Group (as opposed to just the first VM), we can log into this VM without specifically assigning ourselves a role for it.

You can see this by going to the Virtual Machines section of the Portal, clicking the new VM (Second-Ubuntu-VM), clicking Access control (IAM) and “Role assignments”:

We can see that we have the “Virtual Machine Administrator” role because the Scope is “Inherited” from the Resource Group.

Log into the new VM

As we have access to the VM, we can log in without changing anything:

az ssh vm -n Second-Ubuntu-VM -g AzureADUbuntuVMLoginTest --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION"

Approve the host authenticity warning by typing “yes” and we are in! We can exit back out of that again with:
exit


7. Creating a non-Administrator VM

Create a third VM

Let’s create a new Resource Group for a third VM:

az group create --name AzureADUbuntuVMLoginTest2 --location northeurope --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" 

And we will create a third VM, as we did in the last step (but in the new Resource Group):

az vm create --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" --resource-group AzureADUbuntuVMLoginTest2 --name Third-Ubuntu-VM-no-sudo --image Canonical:0001-com-ubuntu-pro-focal:pro-20_04-lts:latest --assign-identity --admin-username azureuser --admin-password "VeryInsecure-OnlyForTesting!" --public-ip-sku Basic

And we enrol this VM into Azure AD SSH Logins as we did before:

az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" --resource-group AzureADUbuntuVMLoginTest2 --vm-name Third-Ubuntu-VM-no-sudo

Set Access Control for the VM

If we go back to the Virtual Machines screen of the portal:

Click on the “Third-Ubuntu-VM-no-sudo”, then “Access Control (IAM)”, “Role assignments”, as we did before.

You will see that there is no role assignment giving Virtual Machine Administrator access to this VM, as this VM is not in the same Resource Group and therefore does not inherit the permissions we granted in the earlier step.

Let’s add a role.

Add Virtual Machine User Login permission

Click “Add”, “Add Role Assignment” and the “Add Role Assignment” pane will appear. In Role, choose “Virtual Machine User Login” (not Administrator, as we did last time). This is an account without sudo superuser privileges. Select yourself in the bottom box and click “Save”.

Click onto the “Check access” tab:

Click “View my access”. We see that we have “Virtual Machine User Login” access to this VM:

image

Login to the VM

az ssh vm -n Third-Ubuntu-VM-no-sudo -g AzureADUbuntuVMLoginTest2 --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION"

Say “yes” to the host authenticity. And we are logged in again!

Now let’s test out sudo:
sudo ua status --wait

Unlike before, this does not work. First, we are normally asked to authenticate our device by entering a code into a web browser, but even after that we are greeted with a:
[username] is not in the sudoers file. This incident will be reported.

So we can see that restricting the settings worked as expected.

And we can exit back out of that again with:
exit


8. Cleaning up

We are all done, so we need to delete the two Resource groups that we created. Let’s delete the first:

az group delete --name AzureADUbuntuVMLoginTest --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" 

This will delete AzureADUbuntuVMLoginTest Resource group and all VMs in there, but all the ones we have created in this tutorial are disposable ones for testing, so we can type “y”. This normally takes a little while.

Then let’s delete the second:

az group delete --name AzureADUbuntuVMLoginTest2 --subscription "$UBUNTU_AZURE_AD_TEST_SUBSCRIPTION" 

And again we can press “y” and wait.


9. That’s all folks!

Congratulations, that is the end of the tutorial!

We have learnt:

  • How to find your Azure subscription name
  • How to create a VM through the Azure Portal that uses Azure AD to manage the SSH login details
  • How to give a user Administrative/sudo access to VMs within the Resource Group
  • How to log into the VM (using az ssh)
  • How to create a VM using the Azure CLI that uses Azure AD to manage the SSH login details
  • How to restrict the access of a VM to user-only (non-sudo)
  • How to delete the test Resource Groups that we created

I hope that you have found this useful and enjoyed working through this together.

For further reference, see the Microsoft documentation here:
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux