Linking a Virtual Machine with Azure Active Directory

Microsoft has made it possible to integrate Azure Active Directory with Virtual Machines. In this post, Dennes Torres walks you through the steps to set it up.

Some time ago, Microsoft added to the Virtual Machine provisioning process the option to link the virtual machine to Azure Active Directory.

This is a great improvement in security and management: instead of isolated user management on each virtual machine, logins to the virtual machines are controlled by Azure Active Directory.

But what if, for some reason, we miss the opportunity to join the virtual machine to Azure Active Directory when it is being provisioned? How can we join it to Azure AD after it has already been created?

There is a set of configurations needed to use Azure AD login on a Virtual Machine:

  • Install the Azure AD Login Extension
  • Enable a Managed Identity
  • Define the RBAC permissions
  • Register the source machine with Azure AD

Install the Azure AD Login Extension

On the portal, you can use the Extensions left menu item to install this extension. It is very straightforward; no special configuration is needed during the installation.

  1. Open the virtual machine page in Azure Portal
  2. Click Extensions + Applications on the left menu
  3. Click the Add button
  4. Select Azure AD based Windows Login
  5. Click the Review + Create button
  6. Click the Create button

Enable a Managed Identity

The Virtual Machine needs a Managed Identity. You need to enable it:

  1. Open the virtual machine page in Azure Portal
  2. On the left menu, under Settings, select Identity
  3. Turn the System assigned identity On

Define RBAC permissions

The Virtual Machine has RBAC roles to define the administrators and regular users for it.

You need to add the users to these roles before trying to log in. I recommend using Azure AD groups, because you may be managing many users and many VMs.

Register the source machine with Azure AD

The login only works if the source machine is a registered device in Azure AD.

You can register the source machine from the Accounts settings on the source machine. Once you add a work account from your Azure AD, the machine is registered in it.

Once you have signed in, you will receive a successful registration message.

You can open Azure Active Directory in the portal and look at Devices. Your machine should be listed there.

Login

The login on the virtual machine requires a special syntax: you need to use AzureAD\<UserUPN> as the user name. It only works with native accounts from the Azure AD tenant; it will not work with external/guest accounts.
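As an added example that is not part of the original post, the three VM-side portal steps above (extension, managed identity, RBAC roles) as Azure CLI commands, plus a small helper that builds the AzureAD\<UPN> login name and rejects guest UPNs. The resource group, VM name and Azure AD group names are placeholders I have assumed; the az commands run only when the script is invoked with the argument apply, inside an existing az login session.

```shell
# Added example, not the post's own code. Assumed placeholders below.
set -eu

RG="${RG:-rg-example}"                    # constructed placeholder
VM="${VM:-vm-example}"                    # constructed placeholder
ADMIN_GROUP="${ADMIN_GROUP:-VM Admins}"   # Azure AD group for administrators (assumed)
USER_GROUP="${USER_GROUP:-VM Users}"      # Azure AD group for regular users (assumed)

# Step 1: install the Azure AD login extension on a Windows VM.
install_extension() {
  az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows
}

# Step 2: enable the system-assigned managed identity.
enable_identity() {
  az vm identity assign --resource-group "$RG" --name "$VM"
}

# Step 3: assign the two login roles to Azure AD groups, scoped to this VM only
# (least privilege: a resource-group scope would grant login on every VM in it).
# Note: 'az ad group show' exposes the object id as 'id' in CLI 2.37+ (older: objectId).
assign_roles() {
  vm_id=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)
  admin_oid=$(az ad group show --group "$ADMIN_GROUP" --query id -o tsv)
  user_oid=$(az ad group show --group "$USER_GROUP" --query id -o tsv)
  az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee-object-id "$admin_oid" --assignee-principal-type Group --scope "$vm_id"
  az role assignment create --role "Virtual Machine User Login" \
    --assignee-object-id "$user_oid" --assignee-principal-type Group --scope "$vm_id"
}

# Login helper: prints the name to type at the VM logon screen. Guest/external
# users carry "#EXT#" in their UPN and are rejected, since they cannot use Azure AD login.
aad_login_name() {
  case "$1" in
    *'#EXT#'*) echo "guest account cannot use Azure AD login: $1" >&2; return 1 ;;
    *@*)       printf 'AzureAD\\%s\n' "$1" ;;
    *)         echo "not a UPN: $1" >&2; return 1 ;;
  esac
}

# Run the VM-side steps only when explicitly asked (requires an 'az login' session).
if [ "${1:-}" = "apply" ]; then
  install_extension && enable_identity && assign_roles
fi
```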

Summary

Integrating Virtual Machines with Azure AD is a great way to manage virtual machine users at scale.