Linux VMs have long been able to authenticate to Active Directory via SSSD (System Security Services Daemon), and there have been many articles about this. With infrastructure moving towards the cloud, the on-premises domain controller is losing its shine and relevance.
Microsoft’s alternative is to enable AD Domain Services, and there are articles readily available on the web to teach you how to do that. This requires the tenant administrator to enable AD Domain Services, which may not be available to you.
Over the last year, Microsoft has released another capability for Linux VMs to integrate with Azure Active Directory, and this capability is now generally available. Do note that there are some differences from joining a domain controller:
- It uses OpenSSH certificate-based authentication to log in to the Linux VM, and hence PuTTY-based clients cannot be used to log in to the VM.
- SSH authentication goes through Azure AD and uses short-lived keys, which (in my opinion) is more secure. Details are found here.
- Although it uses RBAC to configure sudo users, it is an all-or-none option, i.e. if the user is allowed to sudo, the user gets administrator rights; if not, the user gets none. In sudo, there are options to sudo to a service account, but that is not available here.
Having stated the differences, let’s jump into how to configure an Azure-hosted VM to authenticate to Azure AD. Although the link shared above does state the steps, I found them somewhat difficult to follow, so I am sharing the steps that I took.
Ensure that System assigned managed identity is selected
In the VM properties section, select Identity, then ensure that the Status is On. If it is not on, then turn it on.

Enable AADSSHLoginForLinux extension on the VM
To enable this extension, select Extensions + applications, then Add.

Then type ssh in the search box, and the Azure AD based SSH Login extension will be presented. Click on the box, and the Next button becomes clickable. Click Next to continue.

Click on Review + create

After the review is completed, you may click on Create to add the extension.

Once that is completed, you will be able to assign roles to the VM and assign groups of users who are administrators or users.
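The same procedure can be scripted with the Azure CLI. The following is an added example, not part of the original post; the resource group, VM name and assignee ID are placeholders you supply, and the two role names are the built-in Azure roles for administrator (sudo) and regular (no sudo) login.

```shell
#!/bin/sh
# Added example: az CLI equivalent of the portal steps. Not from the original post.
# Resource group, VM name and assignee values are placeholders you supply.
# DRY_RUN=1 (the default) prints each az command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1 and 2 from the post. $1 = resource group, $2 = VM name
enable_aad_ssh_login() {
  # Turn on the system-assigned managed identity (Identity > Status: On)
  run az vm identity assign --resource-group "$1" --name "$2"
  # Install the Azure AD based SSH Login extension
  run az vm extension set --resource-group "$1" --vm-name "$2" \
    --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux
}

# Role assignment scoped to one VM rather than the whole subscription.
# $1 = resource group, $2 = VM name, $3 = user/group object ID, $4 = admin|user
grant_vm_login() {
  case "$4" in
    admin) role="Virtual Machine Administrator Login" ;;  # full sudo
    user)  role="Virtual Machine User Login" ;;           # no sudo
    *) echo "access level must be 'admin' or 'user'" >&2; return 2 ;;
  esac
  if [ "$DRY_RUN" = "1" ]; then
    scope="<vm-resource-id>"   # placeholder shown in dry-run output
  else
    scope=$(az vm show --resource-group "$1" --name "$2" --query id --output tsv)
  fi
  run az role assignment create --role "$role" --assignee "$3" --scope "$scope"
}
```

Source the file, review the printed commands, then set DRY_RUN=0 to apply them. Scoping the assignment to the single VM keeps the sudo-capable role from applying to other machines.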
I hope this has helped you.