Azure Compute Security – Authentication

Overview

Azure Compute services (Virtual Machines, Scale Sets, and Azure Kubernetes Service) support multiple authentication mechanisms that enable secure, password‑less access to resources. This guide explains how to configure and use each method.

Azure AD Authentication

Integrate Azure AD with your VMs to allow users to sign in using corporate credentials.

Enable Azure AD login

  1. Assign the Azure AD Login role to the VM or resource group.
  2. Install the AADLoginForWindows or AADLoginForLinux extension.
  3. Configure Azure AD conditional access policies as needed.

az vm extension set \
  --publisher Microsoft.Azure.ActiveDirectory \
  --name AADLoginForLinux \
  --resource-group MyRG \
  --vm-name MyVM

Managed Identities

Managed Identities provide an automatically managed identity in Azure AD for your compute resource.

System‑assigned vs User‑assigned

  • System‑assigned: One identity per resource, lifecycle tied to the resource.
  • User‑assigned: Stand‑alone identity reusable across resources.

Example: Granting Storage Blob Reader

# Enable system-assigned identity
az vm identity assign -g MyRG -n MyVM

# Assign RBAC role
az role assignment create \
  --assignee $(az vm show -g MyRG -n MyVM --query identity.principalId -o tsv) \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/xxxx/resourceGroups/MyRG/providers/Microsoft.Storage/storageAccounts/mystorage
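Once the identity and role assignment above are in place, code on the VM obtains tokens from the Azure Instance Metadata Service (IMDS) rather than from any stored secret. The following Python script is an added example, not code from the page or from Azure's SDKs; it uses the documented IMDS token endpoint (169.254.169.254, api-version 2018-02-01, mandatory "Metadata: true" header) and the "client_id" query parameter that selects a user-assigned identity. The sample response in the comments is constructed; the network call itself only succeeds when run inside an Azure VM that has an identity.

```python
"""Request an access token for a VM's managed identity from IMDS and
inspect it (audience, time left) before handing it to a client library."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Real IMDS endpoint and API version; reachable only from inside an Azure VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    resource  - audience of the token, e.g. https://storage.azure.com/
    client_id - client ID of a user-assigned identity; None selects the
                system-assigned identity (or the VM's only identity).
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests that lack this header, which stops simple
    # SSRF-style requests (which cannot set headers) from minting tokens.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now=None):
    """Parse the JSON body returned by IMDS.

    Returns a dict with the bearer token, its audience and the seconds left
    before expiry. Raises ValueError on an IMDS error body such as
    {"error": "invalid_request", "error_description": "Identity not found"}.
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("IMDS returned no access_token: %s"
                         % data.get("error_description", data))
    now = time.time() if now is None else now
    # expires_on is a string holding a Unix timestamp in seconds.
    expires_on = int(data["expires_on"])
    return {
        "token": data["access_token"],
        "resource": data.get("resource"),
        "seconds_left": int(expires_on - now),
    }


def get_managed_identity_token(resource, client_id=None, timeout=5):
    """Perform the IMDS request. Works only on an Azure VM with an identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        # A VM without a matching identity gets HTTP 400 with a JSON error
        # body; surface that message instead of a bare HTTP error.
        body = err.read().decode()
    return parse_token_response(body)


if __name__ == "__main__":
    info = get_managed_identity_token("https://storage.azure.com/")
    print("token for %s valid for %d more seconds"
          % (info["resource"], info["seconds_left"]))
```

Checking "seconds_left" before each use matters because IMDS caches tokens; a client that refreshes only on a 401 from Storage will briefly fail at the boundary, whereas refreshing a few minutes ahead of expiry does not.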

SSH Key Authentication

SSH keys are the recommended method for Linux VMs. Azure can store public keys in the VM metadata.

Deploy with a new key pair

ssh-keygen -t rsa -b 4096 -f ~/.ssh/azure_vm
az vm create \
  --resource-group MyRG \
  --name MyVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/azure_vm.pub

Rotate keys

  • Upload a new public key via az vm user update.
  • Remove the old key from ~/.ssh/authorized_keys on the VM.
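The rotation order above matters: the new key must be confirmed in authorized_keys before the old one is removed, or a failed upload locks the operator out. The following Python script is an added example, not code from the page, that performs the authorized_keys half of the rotation safely. The OLD_KEY and NEW_KEY values are constructed placeholders (valid base64 text, not real key material); the authorized_keys parser assumes the usual "[options] type blob [comment]" layout and does not handle option strings containing spaces.

```python
"""Rotate an SSH public key in authorized_keys without risking lockout:
install the new key, confirm it is present, only then remove the old key."""
import base64
import hashlib
import os

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample keys for demonstration; the blobs are base64 of plain
# text, not real public keys.
OLD_KEY = "ssh-rsa " + base64.b64encode(b"constructed-old-key-blob").decode() + " azureuser@old"
NEW_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-new-key-blob").decode() + " azureuser@new"
SAMPLE_AUTHORIZED_KEYS = (
    "# keys managed by the rotation script\n"
    'from="10.0.0.0/8" ' + OLD_KEY + "\n"
)


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'type blob [comment]' line,
    useful for logging which key was added or removed."""
    blob = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _key_blob(line):
    """Return the base64 blob of an authorized_keys entry, or None for blank
    and comment lines. Entries may be prefixed by options such as from=..."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            return fields[i + 1]
    return None


def rotate_key(authorized_keys, old_pubkey, new_pubkey):
    """Return updated authorized_keys content.

    Appends new_pubkey if it is not already present, verifies it is present,
    and only then drops every entry carrying old_pubkey's blob. Comments,
    unrelated keys and option prefixes on other entries are preserved.
    """
    old_blob = old_pubkey.split()[1]
    new_blob = new_pubkey.split()[1]
    lines = authorized_keys.splitlines()
    if not any(_key_blob(l) == new_blob for l in lines):
        lines.append(new_pubkey.strip())
    if not any(_key_blob(l) == new_blob for l in lines):
        # Defensive: never remove the old key unless the new one is in place.
        raise RuntimeError("new key not present after install; keeping old key")
    kept = [l for l in lines if _key_blob(l) != old_blob]
    return "\n".join(kept) + "\n"


def rotate_key_file(path, old_pubkey, new_pubkey):
    """Apply rotate_key to a file, writing atomically with mode 0600 so a
    crash mid-write cannot leave a truncated authorized_keys behind."""
    with open(path) as fh:
        current = fh.read()
    updated = rotate_key(current, old_pubkey, new_pubkey)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(updated)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return fingerprint(old_pubkey), fingerprint(new_pubkey)


if __name__ == "__main__":
    print(rotate_key(SAMPLE_AUTHORIZED_KEYS, OLD_KEY, NEW_KEY))
```

Run rotate_key_file against ~/.ssh/authorized_keys for the admin user after the new public key has been uploaded with az vm user update, and keep the old private key until a login with the new one has been verified; the function is idempotent, so re-running it after a partial rotation is safe.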

Role‑Based Access Control (RBAC)

RBAC governs what actions an identity can take on Azure resources.

Common Built‑in Roles

  • Virtual Machine Contributor – Manage VMs but not access their OS.
  • Virtual Machine Administrator Login – Log in to VM as admin via Azure AD.
  • Reader – View resources.

Custom Role Example

az role definition create --role-definition '{
  "Name": "CustomVMSSHAccess",
  "IsCustom": true,
  "Description": "Allows SSH login using Managed Identity",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/extensions/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "AssignableScopes": ["/subscriptions/xxxx"]
}'

Best Practices

  1. Prefer Azure AD and Managed Identities over passwords.
  2. Enable MFA for all privileged accounts.
  3. Use Conditional Access policies to limit login locations.
  4. Rotate SSH keys every 90 days.
  5. Audit role assignments regularly with az role assignment list.
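The audit in step 5 is only useful if the output of az role assignment list is actually checked against a policy. The following Python script is an added example, not code from the page or from the Azure CLI, that reads the JSON produced by `az role assignment list --all -o json` and flags three patterns from the sections above: privileged roles (including Virtual Machine Administrator Login) granted at subscription scope, admin login granted directly to a user instead of a group, and assignments whose principal can no longer be resolved (az leaves principalName empty in that case, a common sign of a deleted user or service principal). SAMPLE_ASSIGNMENTS is constructed data in the shape of that output; the field names principalId, principalName, principalType, roleDefinitionName and scope are the ones the CLI emits.

```python
"""Audit Azure role assignments (JSON from `az role assignment list --all
-o json`) for patterns that contradict least privilege."""
import json
import sys

# Roles that control access or all resources within their scope.
PRIVILEGED_ROLES = {
    "Owner", "Contributor", "User Access Administrator",
    "Virtual Machine Administrator Login",
}

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "11111111-1111-1111-1111-111111111111",
  "principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalId": "22222222-2222-2222-2222-222222222222",
  "principalName": "vm-admins", "principalType": "Group",
  "roleDefinitionName": "Virtual Machine Administrator Login",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG"},
 {"principalId": "33333333-3333-3333-3333-333333333333",
  "principalName": "bob@example.com", "principalType": "User",
  "roleDefinitionName": "Virtual Machine Administrator Login",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/MyVM"},
 {"principalId": "44444444-4444-4444-4444-444444444444",
  "principalName": "", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalId": "55555555-5555-5555-5555-555555555555",
  "principalName": "MyVM", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Storage Blob Data Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.Storage/storageAccounts/mystorage"}
]""")


def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) <= 2:      # /subscriptions/<id>
        return "subscription"
    if len(parts) == 4:      # /subscriptions/<id>/resourceGroups/<rg>
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments):
    """Return findings as dicts with principal, role, scope and reason."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        ptype = a.get("principalType", "")
        name = a.get("principalName") or ""
        base = {"principal": name or a.get("principalId"), "role": role, "scope": scope}
        if role in PRIVILEGED_ROLES and scope_level(scope) == "subscription":
            findings.append(dict(base, reason="privileged role at subscription scope"))
        if role == "Virtual Machine Administrator Login" and ptype == "User":
            findings.append(dict(base, reason="admin login granted to a user rather than a group"))
        if not name:
            # Heuristic: an empty principalName usually means the object was
            # deleted from Azure AD and the assignment is orphaned.
            findings.append(dict(base, reason="orphaned assignment (principal not resolvable)"))
    return findings


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS
    for f in audit_assignments(data):
        print("%-45s %-40s %s" % (f["reason"], f["role"], f["principal"]))
```

Pipe the live output in with `az role assignment list --all -o json | python3 audit_roles.py`; run without input it audits the constructed sample. Extend PRIVILEGED_ROLES with any custom roles, such as the CustomVMSSHAccess definition above, that grant write access to VM extensions, since an extension write is equivalent to code execution on the VM.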