The Redmond company announced a preview of remote authentication into Windows Azure VMs using Azure AD credentials.
The capability lets IT pros sign in to VMs with their managed or federated Azure AD credentials, the first time this has been available. The preview requires setup and is currently limited to VMs running Windows 10 1809 or later or Windows Server 2019 Datacenter; it is available in every Azure region but not in Azure Government tenancies.
The preview is likely to tighten IT security practice by removing the need for IT pros to share admin passwords for Azure VMs. Add the local accounts that are typically created to access those VMs, and the current level of security isn’t great, especially when personnel leave.
It also allows Azure AD Conditional Access rules to be applied for additional protection. For example, a user can be checked automatically for sign-in risk before being granted access to a VM, and organizations can now enforce multifactor authentication.
Setting Up
Azure AD access is enabled via a toggle in the Azure Portal when a new VM is created, or via Azure Cloud Shell. According to Microsoft’s documentation, the latter is the route for existing Windows VMs.
Role assignments must be made during setup. Under its RBAC model, Microsoft allows only two roles for Azure VM login: a VM Administrator role with admin privileges, and a VM User role with normal user privileges.
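As an added example that is not from the article or from Microsoft’s documentation, the two setup steps above written as Azure CLI calls for Cloud Shell’s Bash: the resource group, VM name, subscription id and user principal name are placeholders, and the DRY_RUN switch (which prints the commands instead of running them) is a convenience of this script, not an Azure CLI feature.

```shell
#!/bin/sh
# Added example: enable Azure AD login on an existing Windows VM and grant one of
# the two permitted login roles with the Azure CLI. Placeholder names throughout.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute the command, or in dry-run mode print it as a single line.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Install the AADLoginForWindows extension on an existing VM
# (the VM must run Windows 10 1809+ or Windows Server 2019 Datacenter).
enable_aad_login() {
  rg="$1"; vm="$2"
  run az vm extension set \
    --resource-group "$rg" --vm-name "$vm" \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows
}

# Map a short role name to one of the only two RBAC roles that grant VM sign-in.
# Anything else is rejected so a typo cannot silently assign a broader role.
role_for() {
  case "$1" in
    admin) printf '%s' "Virtual Machine Administrator Login" ;;
    user)  printf '%s' "Virtual Machine User Login" ;;
    *) echo "unknown role '$1' (use admin|user)" >&2; return 1 ;;
  esac
}

# Assign the login role scoped to the single VM rather than the whole subscription.
grant_vm_login() {
  sub="$1"; rg="$2"; vm="$3"; role="$4"; upn="$5"
  def="$(role_for "$role")" || return 1
  scope="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vm"
  run az role assignment create --role "$def" --assignee "$upn" --scope "$scope"
}
```

Typical use is `enable_aad_login my-rg my-vm` followed by `grant_vm_login <subscription-id> my-rg my-vm user alice@example.com`, with the signed-in Azure CLI identity holding rights to assign roles on that VM.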
Authentication to the Azure VM is over an RDP (Remote Desktop Protocol) connection; if MFA is enforced, it must be satisfied as part of the Windows 10 RDP client’s authentication, which at the moment is done with Windows Hello.
RDP connections must be made, Microsoft says, from “Windows 10 PCs that are Azure AD joined or hybrid Azure AD joined to the same directory as the VM.”
Microsoft has hinted in its documentation that the next Windows 10 feature update may simplify the process:
Windows 10 20H1 will add support for Azure AD Registered PC to initiate remote desktop connection to your VM. Join the Windows Insider Program to try this out and explore new features of Windows 10.
Windows 10 20H1 is expected in spring 2020.