Lab 10 - Microsoft Entra Authentication for Windows and Linux Virtual Machines

Note - This lab requires an Azure Pass. Please see lab 00 for directions.

Lab scenario

The company has decided that Microsoft Entra ID should be used to log in to virtual machines for remote access. This lab shows how this can be set up for Windows and Linux virtual machines.

Estimated time: 30 minutes

Exercise 1 - Log in to Windows Virtual Machines in Azure with Microsoft Entra ID

Task 1 - Create a Windows Virtual Machine with Microsoft Entra ID login enabled

  1. Browse to https://portal.azure.com.

  2. Select + Create a resource.

  3. Type Windows 11 in the Search the Marketplace search bar.

  4. From the Windows 11 box, choose Windows 11 Enterprise 22H2 from the Select a software plan dropdown.

  5. On the Basics tab, create an administrator username and password for the VM.
    • Use a username you will remember and a secure password.
  6. On the Management tab, select the Login with Microsoft Entra ID checkbox under the Microsoft Entra ID section.

     NOTE: You will notice that **System assigned managed identity** under the Identity section is automatically checked and greyed out. This happens automatically once you enable Login with Microsoft Entra ID.
    
  7. Go through the rest of the virtual machine creation experience.

  8. Select Create.

Task 2 - Microsoft Entra ID login for existing Azure Virtual Machines

  1. Browse to Virtual Machines in https://portal.azure.com.

  2. Select the newly created Virtual Machine from Task 1.

  3. Select Access control (IAM).

  4. Select + Add, then Add role assignment to open the Add role assignment page.

  5. Assign the following settings:
    • Assignment type: Job function roles
    • Role: Virtual Machine Administrator Login
    • Members: Choose User, group, or service principal. Then use + Select members to add Joni Sherman as a specific user for the VM.
  6. Select Review + assign to complete the process.

Task 3 - Update the Server VM to support the Microsoft Entra ID login

  1. Select the Connect menu item.

  2. On the RDP tab, select Download RDP File. If prompted, choose Keep for the file. It will be saved into your Downloads folder.

  3. Open the Downloads folder in File Manager.

  4. Open the RDP file.

  5. Choose to log in as Alternate User.

  6. Use the admin username and password you created when setting up the virtual machine.
    • If prompted, say yes to allow access to the virtual machine or RDP session.
  7. Wait for the server to open and for all the software to load, such as the Server Manager Dashboard.

  8. Select the Start button in the virtual machine.

  9. Type Control Panel and launch the Control Panel app.

  10. Select System and Security from the list of settings.

  11. From the System setting, select the Allow remote access option.

  12. At the bottom of the dialog box that opens, you will see a Remote Desktop section.

  13. Uncheck the box labeled Allow connections only from computers running Remote Desktop with Network Level Authentication.

  14. Select Apply and then OK.

  15. Exit the virtual machine RDP session.

Task 4 - Modify your RDP file to support the Microsoft Entra ID login

  1. Open the Downloads folder in File Manager.

  2. Make a copy of the RDP file and add -EntraID to the end of the filename.

  3. Edit the new copy of the RDP file using Notepad. Add these two lines of text to the bottom of the file:
         enablecredsspsupport:i:0
         authentication level:i:2
    
  4. Save the RDP file. You should now have two versions of the file:
    • «virtual machine name».RDP
    • «virtual machine name»-EntraID.RDP
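As an added example (not part of the lab), the following Python script produces the -EntraID copy from Task 4 programmatically. It assumes the downloaded RDP file is UTF-8 text in name:type:value form, and it replaces rather than duplicates either setting if the file already contains it, so a stale value cannot silently override the one the lab requires.

```python
from pathlib import Path

# The two settings Task 4 appends. enablecredsspsupport:i:0 turns off CredSSP,
# which Network Level Authentication relies on; authentication level:i:2 is the
# server-authentication level the lab specifies.
ENTRA_ID_SETTINGS = {
    "enablecredsspsupport": "i:0",
    "authentication level": "i:2",
}

# Constructed sample of a portal-downloaded RDP file (documentation address),
# with a stale "authentication level" line that must be replaced, not duplicated.
SAMPLE_RDP = (
    "full address:s:203.0.113.10:3389\r\n"
    "prompt for credentials:i:1\r\n"
    "administrative session:i:1\r\n"
    "authentication level:i:0\r\n"
)

def add_entra_id_settings(rdp_text: str) -> str:
    """Return the RDP text with the Entra ID settings present exactly once.

    RDP lines are "name:type:value"; only the first colon ends the name, since
    values such as "full address:s:host:3389" contain colons. CRLF/LF is kept.
    """
    newline = "\r\n" if "\r\n" in rdp_text else "\n"
    kept = [line for line in rdp_text.splitlines()
            if line.split(":", 1)[0].strip().lower() not in ENTRA_ID_SETTINGS]
    kept += [f"{name}:{value}" for name, value in ENTRA_ID_SETTINGS.items()]
    return newline.join(kept) + newline

def is_entra_id_ready(rdp_text: str) -> bool:
    """True when both settings are present with the values the lab requires."""
    found = {}
    for line in rdp_text.splitlines():
        name, _, rest = line.partition(":")
        found[name.strip().lower()] = rest.strip()
    return all(found.get(n) == v for n, v in ENTRA_ID_SETTINGS.items())

def write_entra_id_copy(rdp_path: Path) -> Path:
    """Write «name»-EntraID.<ext> beside rdp_path (the lab's naming); return it."""
    # newline="" keeps the original CRLF/LF bytes instead of translating them;
    # UTF-8 encoding of the downloaded file is an assumption.
    with open(rdp_path, encoding="utf-8", newline="") as src:
        text = src.read()
    out_path = rdp_path.with_name(f"{rdp_path.stem}-EntraID{rdp_path.suffix}")
    with open(out_path, "w", encoding="utf-8", newline="") as dst:
        dst.write(add_entra_id_settings(text))
    return out_path
```

Run is_entra_id_ready on a file before opening it in Task 5: if it returns False, the connection will still prompt for a user account instead of the Entra ID flow.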

Task 5 - Connect to the Windows virtual machine using Microsoft Entra ID login

  1. Open the «virtual machine name»-EntraID.RDP file.

  2. Select Connect when the dialog opens.

  3. Instead of being prompted for a user account to log in with, you should see a message asking whether you want to connect to the remote computer.

  4. Select Yes from the bottom of the screen.

  5. The Remote Desktop session should open and show the Windows Server login screen. Other User with an OK button should be displayed.

  6. Select OK.

  7. In the login dialog enter the following information:
    • Username = AzureAD\JoniS@«your lab domain name»
    • Password = Enter the password provided by your lab provider

    NOTE: JoniS is the user we granted access to log in as administrator during Task 1.

  8. Windows Server should confirm the login and open to the normal Server Manager Dashboard.

Task 6 – Optional testing to explore the Microsoft Entra ID login

  1. Check to see that JoniS was the only user added to the Administrators group.

  2. Right-click the Start button, then select Computer Management in the popup menu.

  3. Open Local Users and Groups, then navigate to Groups, Administrators.

  4. You should see Azure\JoniSherman…. in the list.

  5. Check to see if other Microsoft Entra ID members can log in.

  6. Exit out of the remote desktop session.

  7. Launch the «server name»-AzureAD.RDP file again.

  8. Try to log in as other Azure AD members like AdeleV or AlexW or DiegoS.

  9. You should notice that each of these users is denied access.

Optional Exercise 2 - Log in to Linux Virtual Machines in Azure with Azure AD

Task 1 - Create a Linux VM with system assigned managed identity

  1. Browse to https://portal.azure.com.

  2. Select + Create a resource.

  3. Search for Ubuntu.

  4. Select Create under Ubuntu Server 22.04 LTS. You may use other Linux servers for this test lab.

  5. On the Management tab, check the box to enable Login with Azure Active Directory (Preview).

  6. Ensure System assigned managed identity is checked.

  7. Go through the rest of the virtual machine creation experience. During this preview, you’ll have to create an administrator account with a username and password or an SSH public key.

Task 2 - Azure AD login for existing Azure Virtual Machines

  1. Browse to Virtual Machines in https://portal.azure.com.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment to open the Add role assignment page.

  4. Assign the following role:
    • Role: Virtual Machine Administrator Login or Virtual Machine User Login
    • Assign access to: User, group, service principal, or managed identity
  5. For detailed steps, see Assign Azure roles using the Azure portal.