
Login to Azure VMs using Azure Active Directory Credentials

Introduction: How to Connect to an Azure VM

Organizations can now improve the security of Windows virtual machines (VMs) in Azure by integrating them with Azure Active Directory (AAD) authentication. Azure AD can be used as the primary authentication service to RDP into VMs running Windows Server 2019 Datacenter edition and later, or Windows 10 1809 and later. You can also centrally manage and enforce Azure RBAC and Conditional Access policies that allow or block access to the VMs. This blog shows you how to create and configure a Windows VM with Azure-AD-based authentication.

Prerequisites

  • A Virtual Network
  • Azure AD Tenant

Configuring Virtual Machine

  1. Open the Azure Portal by visiting azure.com
  2. Go to the Virtual Machines service and fill in the relevant information to create a virtual machine (VM)
  3. While creating the virtual machine, under the Management tab, select the following two options to install the Azure AD login extension:
    -> Login with Azure AD
    -> System assigned managed identity (selected automatically when the option above is chosen)
  4. To verify that the AADLoginForWindows extension is installed: once the VM has been created, open it, select Extensions + applications under Settings, and the AADLoginForWindows extension will be listed under the Extensions tab.

Configuring Access Control (IAM)

  1. Create a group in Azure AD with an appropriate naming convention and add members to it based on their role. In this example the group GRP-Application-VM-RD-FullAccess was created
    (to provide the users of the group an Azure AD login)
  2. Now go to the VM and click on Access Control (IAM). After that, click on Add role assignment under the Check access tab
  3. On the Add role assignment page, two roles are relevant; select the Virtual Machine Administrator Login role:

    -> Virtual Machine User Login: users with this role can log in to the Azure VM with Azure AD credentials
    -> Virtual Machine Administrator Login: users with this role can log in to the Azure VM with administrator access

  4. After that, click on +Select members, search for the group GRP-Application-VM-RD-FullAccess created in the previous steps, and click on Select to add the group (or user) to that role on the VM. Then click on Next and then Review + assign.
  5. The members of that group now have administrator access to the VM
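The two portal sections above (installing the extension and assigning the login role) as an added scripted example using the Az PowerShell module; this is not code from the original post. The resource group and VM name are assumptions for illustration; the group name is the one used in the post.

```powershell
# Added example (not from the original post): scripted equivalent of the portal steps above.
$ResourceGroup = 'rg-app-vms'          # assumed resource group name
$VmName        = 'vm-app-01'           # assumed VM name
$GroupName     = 'GRP-Application-VM-RD-FullAccess'

Connect-AzAccount | Out-Null

# 1. The extension needs a system-assigned managed identity on the VM (the portal ticks this for you).
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned | Out-Null
}

# 2. Install the AADLoginForWindows extension (what "Login with Azure AD" does at creation time).
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name 'AADLoginForWindows' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion '1.0' `
    -Location $vm.Location | Out-Null

# Check: the extension must report Succeeded before Azure AD logins will work.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name 'AADLoginForWindows'
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "AADLoginForWindows is in state '$($ext.ProvisioningState)'"
}

# 3. Create the Azure AD group if it does not exist yet.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName
}

# 4. Assign 'Virtual Machine Administrator Login' scoped to this VM only. A subscription- or
#    resource-group-wide assignment would grant administrator logon on every VM beneath it.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $vm.Id `
    -RoleDefinitionName 'Virtual Machine Administrator Login'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Virtual Machine Administrator Login' `
        -Scope $vm.Id | Out-Null
}

# 5. Review who can log on to this VM via Azure AD (includes assignments inherited from above).
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object RoleDefinitionName -like 'Virtual Machine * Login' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The final listing is the check to keep in a periodic access review: inherited assignments at resource-group or subscription scope show up here even though they were never made on the VM itself.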

Configuring Conditional Access Policy

  1. This scenario applies when MFA is required for all other apps but should not be required for Azure VM sign-in
  2. Create a new policy to exclude MFA for VM login. Click on New Policy, and then select Create new policy.
  3. Select the users and groups to include in the policy
  4. Next, in the Include section, select all apps, and under the Exclude section, select Azure Windows VM Sign-in
  5. This policy will allow users to log in to the Windows VM without MFA, while MFA remains required for all other app logins such as Office 365, Azure AD Join, etc.
  6. Now RDP into the VM using its public IP and try logging in with Azure AD credentials as a member of the group GRP-Application-VM-RD-FullAccess
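The Conditional Access policy described above, as an added example built with the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the group from the previous section already exists and that the tenant contains the first-party 'Azure Windows VM Sign-In' service principal, which it looks up by display name instead of hard-coding an application id.

```powershell
# Added example (not from the original post): MFA for all cloud apps except Azure Windows VM Sign-In.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All' | Out-Null

$GroupName = 'GRP-Application-VM-RD-FullAccess'
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group $GroupName not found" }

# Resolve the first-party app by its service principal display name (assumed to be present in the tenant).
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmSignIn) { throw "Azure Windows VM Sign-In service principal not found in this tenant" }

$policy = @{
    DisplayName = 'Require MFA for all apps except Azure Windows VM Sign-In'
    # Start in report-only mode so the sign-in logs show which logins the policy would affect
    # before anyone is actually exempted from or prompted for MFA.
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users          = @{ IncludeGroups = @($group.Id) }
        Applications   = @{
            IncludeApplications = @('All')
            ExcludeApplications = @($vmSignIn.AppId)   # application (client) id, not the SP object id
        }
        ClientAppTypes = @('all')
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ State = 'enabled' }
```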

Conclusion

In this blog, we have learned how to sign in to an Azure Windows VM over RDP using Azure AD credentials. It provides an additional layer of security for the VM: you can centrally create and manage users across your hybrid enterprise, keeping users, groups, and devices in synchronization.

One of the significant benefits of using Azure AD to log in to Windows VMs is that the password complexity and password lifetime policies configured for your Azure AD directory also apply to your Windows VMs. Any time an employee leaves the organization, their user account can be disabled by updating the Azure RBAC policy, and they will no longer have access to the resources. With role-based access control, you can easily grant access to a user or an administrator as required.

Hence, most corporate organizations are leveraging the power of Azure policies to ensure standards and access compliance as an added security measure to safeguard their resources.

WRITTEN BY Mayank Bharawa

Comments

  1. Charles Hanekom

    Aug 29, 2022

    Great follow through! Thanks! What licenses are required for this? Will P1 be enough? And do we need Azure ADDS for this to work?

    • Mayank Bharawa

      Aug 30, 2022

      Yes, P1 will work, and Azure ADDS is not required.
