Azure-VirtualMachines-VM-Active-Directory-(AD)-Authentication-Enabled

Severity : High

Description: This control ensures that virtual machines use Azure Active Directory for authentication. Azure Active Directory Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. An Azure AD managed domain can provide domain-join features and management to virtual machines (VMs) in Azure. Azure AD login for virtual machines allows access policies to be managed to allow or deny access, eliminates the need for a local administrator account, enforces password policies and MFA for login, and supports role-based access control (RBAC) role assignments.

Remediation Steps:

Perform the following to remove all non-required guest users:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Navigate to Resources and filter by Virtual Machines to locate the reported virtual machine.

  3. Select the name of the reported virtual machine.

Install AAD extension on the VM

  1. Under Settings, select Extensions + applications.

  2. Select the Add button.

  3. Select an Azure AD based login extension, such as Azure AD based Windows Login or Azure AD based Linux Login.

  4. Select Review + create.

  5. Click Create.

Enable Managed Identity

  1. Under Settings, select Identity.

  2. Select System assigned and set the Status to On.

Assign a role for the VM

  1. Navigate to Access Control (IAM).

  2. Select Add, then Add role assignment.

  3. Select the Virtual Machine Administrator Login and Virtual Machine User Login roles.

  4. On the Members tab, select one or more Azure AD users, groups, or service principals.

  5. Under Select managed identities, select System-assigned managed identity and select the VM whose identity was enabled above.

  6. Click Select.

  7. Click Next.

  8. Click Review + assign to assign the role.
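The same remediation as an Azure CLI script, added here as an example that is not part of this page or of Blue Hexagon's tooling. The resource group, VM name, OS type and principal are assumed placeholders, and by default the script only prints the az commands (DRY_RUN=1) so each step can be reviewed before it is run.

```shell
#!/bin/sh
# Added example, not Blue Hexagon's or Microsoft's code: Azure CLI equivalent of the
# portal remediation above. RG, VM, OS_TYPE and PRINCIPAL are assumed placeholder values.
# DRY_RUN=1 (default) only prints the az commands; DRY_RUN=0 executes them.
RG="${RG:-example-rg}"
VM="${VM:-example-vm}"
OS_TYPE="${OS_TYPE:-linux}"                                 # linux | windows
PRINCIPAL="${PRINCIPAL:-vm-admin@example.onmicrosoft.com}"  # Azure AD user, group or SP
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Extension names Microsoft publishes under publisher Microsoft.Azure.ActiveDirectory.
aad_extension_name() {
  case "$1" in
    linux)   echo "AADSSHLoginForLinux" ;;
    windows) echo "AADLoginForWindows" ;;
    *) echo "unsupported OS type: $1" >&2; return 1 ;;
  esac
}

# Resource ID used as the role-assignment scope (placeholder subscription in dry-run mode).
vm_scope() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/$RG/providers/Microsoft.Compute/virtualMachines/$VM"
  else
    az vm show --resource-group "$RG" --name "$VM" --query id -o tsv
  fi
}

# "Install AAD extension on the VM"
install_aad_extension() {
  run az vm extension set --resource-group "$RG" --vm-name "$VM" \
      --publisher Microsoft.Azure.ActiveDirectory --name "$(aad_extension_name "$OS_TYPE")"
}
# "Enable Managed Identity" (system-assigned)
enable_system_identity() { run az vm identity assign --resource-group "$RG" --name "$VM"; }
# "Assign a role for the VM": $1 = role name, $2 = assignee (UPN, group or object ID)
assign_login_role() {
  run az role assignment create --role "$1" --assignee "$2" --scope "$(vm_scope)"
}
# Verification: show the AAD login extension and its provisioning state.
check_aad_extension() {
  run az vm extension list --resource-group "$RG" --vm-name "$VM" -o table \
      --query "[?publisher=='Microsoft.Azure.ActiveDirectory'].{name:name,state:provisioningState}"
}
remediate_vm() { install_aad_extension && enable_system_identity \
  && assign_login_role "Virtual Machine User Login" "$PRINCIPAL" && check_aad_extension; }
```

Run with `DRY_RUN=0 RG=<rg> VM=<vm> OS_TYPE=<linux|windows> PRINCIPAL=<upn> sh script.sh` after logging in with `az login`; the check at the end should list the extension with provisioning state Succeeded.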

Important:

Reference:

Blue Hexagon Proprietary