avatarBill WANG

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

2747

Abstract

we need to follow three main steps:</p><ol><li>Enable the “system assigned” identity on VMs.</li></ol><p id="7e3b">Sample command for reference: <code>az vmss identity assign -g myResourceGroup -n myVMSS</code></p><p id="8a11">2. Install the AAD extension in it.</p><p id="d36e">Sample command for reference: <code>az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --resource-group AzureADLinuxVM --vm-name myVM</code></p><p id="8e95">3. Assign the IAM role of “Virtual Machine Administrator Login” on it (or its resource group).</p><p id="8b75">Sample command for reference: <code>az role assignment create --assignee "{assignee}" --role "{roleNameOrId}" --resource-group "{resourceGroupName}"</code></p><p id="6ac2">Confirmed with AzureAD support team:</p><ul><li>There is no way to enable and install AAD Extension in golden images directly.</li><li>There is no option to set “System assigned” Identity on Azure Portal, when create VMSS</li></ul><h1 id="647d">Prerequsite</h1><ul><li>Azure Bastion with <b>Standard tier</b> is ready in the VNET.</li><li>VMSS’s resource group has been created.</li><li>You have assigned the role of “<b>Virtual Machine Administrator Login</b>” to specific users or groups (preferably) on the above resource group.</li><li>Azure VMSS has been created.</li></ul><h1 id="7678">Environment I run the test:</h1><p id="9a6b"><b>subscription</b>: <code>dev01-nonprod</code></p><p id="ac6a"><b>bastion name</b>: <code>dev01-nonprod-VNET-bastion</code></p><p id="b85b"><b>bastion resource group name</b> : <code>Shared-RG</code></p><p id="a2cd"><b>VMSS name</b>: <code>test-aad-vmss</code></p><p id="f4e5"><b>VMSS resource group name</b>: <code>test-1234</code></p><h1 id="d911">Post-steps</h1><ul><li>set AAD extension on Azure VMSS</li></ul><p id="3fe8">Reference: <a href="https://learn.microsoft.com/en-us/cli/azure/vmss/extension?view=azure-cli-latest#az-vmss-extension-set">az vmss extension</a></p><div id="b52f"><pre>az account <span class="hljs-keyword">set</span> <span class="hljs-operator">-</span>s dev01<span class="hljs-operator">-</span>nonprod

az vmss extension <span class="hljs-keyword">set</span> <span class="hljs-operator">-</span>n AADSSHLoginForLinux <span class="hljs-comment">--publisher Microsoft.Azure.ActiveDirectory --vmss-name test-aad-vmss -g test-1234</span></pre></div><p id="1bba">Confirmed on Azure Portal</p><figure id="afdb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Fe4ajNhanpDxXWazxKM61A.png"><figcaption></figcaption></figure><ul><li>Enable Identity</li></ul><p id="3775">There is no way to confirm this VMSS identity setting from the Azure Portal. From my test results, by default, <b>Managed Assigned </b>Identi

Options

ty is enabled on instances created by VMSS already. You can confirm this on these running instances:</p><p id="5528">Virtual machine -> Security -> Identity -> System assigned should be “<b>ON</b>.” If they are not identity-enabled, you can still manually enable it.</p><ul><li>Sample command for reference: <code>az vmss identity assign -g test-1234 -n test-aad-vmss</code></li></ul><figure id="cd9a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*VHMBshotqeXzFW03pTWX1w.png"><figcaption></figcaption></figure><ul><li><b>Terminate running instances</b>. Existing running instances can’t get the AAD extension installed after you set it. The easy way is to scale down VMSS to 0; it will terminate all running instances. Then scale VMSS up to 2 or 3. With new instances created, they will have the AAD extension installed automatically.</li></ul><h1 id="978b">Connect the VMSS instances</h1><p id="9090">Currently, there is no way to log in with an AAD account via the Azure Portal. So I wrote a script to log in.</p><div id="1080"><pre>$ <span class="hljs-built_in">cat</span> test-vmss.sh

<span class="hljs-comment"># replace these variables with your environment</span> subscription=dev01-nonprod bastionName=<span class="hljs-string">"<span class="hljs-variable">${subscription}</span>-VNET-bastion"</span> bastionRG=<span class="hljs-string">"Shared-RG"</span> vmName=<span class="hljs-string">"test-aad-vmss_8a3a19b6"</span> vmRG=<span class="hljs-string">"test-1234"</span>

az account <span class="hljs-built_in">set</span> -s <span class="hljs-variable">${subscription}</span> az account show

vmId=(az vm list --resource-group <span class="hljs-variable">{vmRG}</span> --query <span class="hljs-string">"[?name=='<span class="hljs-variable">vmName</span>'].id"</span> --output tsv) <span class="hljs-built_in">echo</span> <span class="hljs-variable">vmId</span>

az network bastion ssh --name <span class="hljs-string">"<span class="hljs-variable">{bastionName}</span>"</span> --resource-group <span class="hljs-string">"<span class="hljs-variable">{bastionRG}</span>"</span> --target-resource-id <span class="hljs-string">"<span class="hljs-variable">${vmId}</span>"</span> --auth-type AAD</pre></div><p id="86fb">If everything is fine, you should be able to log in with your Microsoft Outlook account.</p><h1 id="f7af">Reference documents:</h1><p id="339a"><a href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-cli-windows-vmss">Configure managed identities on virtual machine scale set — Azure CLI</a></p><p id="421a"><a href="https://learn.microsoft.com/en-us/cli/azure/vmss/identity?view=azure-cli-latest">az vmss identity</a></p></article></body>

AzureAD support for Azure VMSS (virtual machine scale set)

Follow up on my blogs regarding Azure AD (Microsoft Entra ID) login to Azure Virtual Machines

Several series for the topic:

  • Stage 1 — Login to a Azure Virtual Machine (VM) using Azure AD Account on Linux (in this blog)
  • Stage 2 — AzureAD support for Azure VMSS (virtual machine scale set), in this blog

Background

To avoid to setup local accounts or share with SSH private keys, my team requires the ability to log in to Azure VMSS (virtual machine scale sets) instances using Azure AD (AAD) accounts. While we have documentation on setting up AAD on Azure Virtual Machines, but not sure how to do that on instances created by VMSS

It’s important to note that instances created by VMSS are generated automatically and do not involve human interactions.

Scopes

  • Linux/RHEL instances only.
  • Do not allow public IPs for access.
  • Login with Azure AD (AAD) accounts only, and these should be your Microsoft Outlook accounts.

If the solution works well for Linux VMSS, I will follow a similar solution for Windows VMSS later.

Research

To make a virtual machine ready for AAD login, we need to follow three main steps:

  1. Enable the “system assigned” identity on VMs.

Sample command for reference: az vmss identity assign -g myResourceGroup -n myVMSS

2. Install the AAD extension in it.

Sample command for reference: az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --resource-group AzureADLinuxVM --vm-name myVM

3. Assign the IAM role of “Virtual Machine Administrator Login” on it (or its resource group).

Sample command for reference: az role assignment create --assignee "{assignee}" --role "{roleNameOrId}" --resource-group "{resourceGroupName}"

Confirmed with AzureAD support team:

  • There is no way to enable and install AAD Extension in golden images directly.
  • There is no option to set “System assigned” Identity on Azure Portal, when create VMSS

Prerequsite

  • Azure Bastion with Standard tier is ready in the VNET.
  • VMSS’s resource group has been created.
  • You have assigned the role of “Virtual Machine Administrator Login” to specific users or groups (preferably) on the above resource group.
  • Azure VMSS has been created.

Environment I run the test:

subscription: dev01-nonprod

bastion name: dev01-nonprod-VNET-bastion

bastion resource group name : Shared-RG

VMSS name: test-aad-vmss

VMSS resource group name: test-1234

Post-steps

  • set AAD extension on Azure VMSS

Reference: az vmss extension

az account set -s dev01-nonprod

az vmss extension set -n AADSSHLoginForLinux --publisher Microsoft.Azure.ActiveDirectory --vmss-name test-aad-vmss -g test-1234

Confirmed on Azure Portal

  • Enable Identity

There is no way to confirm this VMSS identity setting from the Azure Portal. From my test results, by default, Managed Assigned Identity is enabled on instances created by VMSS already. You can confirm this on these running instances:

Virtual machine -> Security -> Identity -> System assigned should be “ON.” If they are not identity-enabled, you can still manually enable it.

  • Sample command for reference: az vmss identity assign -g test-1234 -n test-aad-vmss
  • Terminate running instances. Existing running instances can’t get the AAD extension installed after you set it. The easy way is to scale down VMSS to 0; it will terminate all running instances. Then scale VMSS up to 2 or 3. With new instances created, they will have the AAD extension installed automatically.

Connect the VMSS instances

Currently, there is no way to log in with an AAD account via the Azure Portal. So I wrote a script to log in.

$ cat test-vmss.sh

# replace these variables with your environment
subscription=dev01-nonprod
bastionName="${subscription}-VNET-bastion"
bastionRG="Shared-RG"
vmName="test-aad-vmss_8a3a19b6"
vmRG="test-1234"

az account set -s ${subscription}
az account show

vmId=$(az vm list --resource-group ${vmRG} --query "[?name=='$vmName'].id" --output tsv)
echo $vmId

az network bastion ssh --name "${bastionName}" --resource-group "${bastionRG}" --target-resource-id "${vmId}" --auth-type AAD

If everything is fine, you should be able to log in with your Microsoft Outlook account.

Reference documents:

Configure managed identities on virtual machine scale set — Azure CLI

az vmss identity

Azure
Azure Ad
Security
DevOps
Best Practices
Recommended from ReadMedium