'Require Azure AD Login on Linux VM

I followed setup guide from MS document: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux

Everything works except one thing, if I do ssh from different client (Azure requires CLI for AAD login) I can still log in to the Linux servers with a local account. The document above says: "Use Azure deploy and audit policies to require Azure AD login for Linux VMs and flag non-approved local accounts" but I am totally getting the runaround about how to REQUIRE logins be only through AAD credentials. I've had a support ticket open for 6 weeks and have gone through 4 different support groups with no success.

I need this for SOC2 compliance and given that Azure has documentation that their services are SOC2 compliant, I cant imagine this is not achievable. Does anyone know how to force Linux servers to only permit ADD credentials for login?

azure-active-directory


Solution 1:[1]

To force Linux servers to only permit ADD credentials for login, try the below mentioned solution to be implemented in your Azure subscription:

Kindly deploy the below Azure policy definitions with the resource group as the scope to disallow local login for Linux VM:

Go to Azure portal -> Search Azure policy -> Definition -> Select the appropriate scope -> select the definition type as policy -> select the category as guest configuration -> select the below policies

  • Linux machines should only have local accounts that are allowed

Assign the policy to the required scope and ensure to mention/do not mention the required local accounts in Linux VM for that scope under the parameters tab.

enter image description here

  • Authentication to Linux machine should require SSH keys

Assign the policy to the required scope and ensure to select the effect 'Auditifnotexists' under the parameters tab.

enter image description here

Note :

Ensure to uncheck the option for 'Only show parameters that need input or review'. So that you will be able to mention the allowed local accounts in parameters.

enter image description here

For more in detail, please refer below link:

Built-in policy definitions for Azure Virtual Machines - Azure Virtual Machines | Microsoft Docs.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 RukminiMr-MT

Related Questions

Synapse external table "Unauthorized"

How to redirect from VB.NET legacy web application login page to azure portal to validate azure ad with MFA

Receive a request when Azure AD User receive a call

Can I use SVG within a customized the Azure AD B2C user interface?

Connecting to Dynamics 365 TDS-enabled database with OLEDB Linked Server

How do I define the SignedOut page in Microsoft.Identity.Web?

Azure AD API request 401 Unauthorized

Using multiple authentication providers in C# .net core

Active directory check if user belongs to a group

Web API with Microsoft Identity Platform Authentication

azure ad authentication issue with razor handlers

How to open the file on browser instead of downloading in local that is stored in Azure Data lake Gen 2

Error - Intent filter for: BrowserTabActivity is missing. While using AzureAD MSAL Lilbary

Azure AD B2C - Supporting a daemon app along with B2C clients such as Web page and native mobile app

what is role of User did in Verifiable Credentials ? did:ion:username and when user did will generate?