Authentication with Azure Active Directory
Note:
This feature is available only for Azure-hosted VDAs.
Based on your needs, you can deploy two types of Linux VDAs in Azure:
- Azure AD DS-joined VMs. The VMs are joined to an Azure Active Directory (AAD) Domain Services (DS) managed domain. Users use their domain credentials to log on to the VMs.
- Non-domain-joined VMs. The VMs integrate with the AAD identity service to provide user authentication. Users use their AAD credentials to log on to the VMs.
For more information about AAD DS and AAD, see this Microsoft article.
This article shows you how to enable and configure the AAD identity service on non-domain-joined VDAs.
Supported distributions
- Ubuntu 20.04, 18.04
- RHEL 8.4, 7.9
- SUSE 15.x
- Debian 10
For more information, see this Microsoft article.
Known issues and workarounds
On Red Hat 8.3 and 7.9, PAM (Pluggable Authentication Module) pam_loginuid.so fails to set loginuid after AAD user authentication. This issue blocks AAD users from accessing VDA sessions. To work around this issue, in /etc/pam.d/remote, comment out the line Session required pam_loginuid.so. See the following screenshot for an example.
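The workaround above as a script, added here as an example and not taken from the Citrix documentation: it comments out only active pam_loginuid lines, keeps a backup, and is safe to re-run. The function names, the .orig backup suffix and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the Citrix page): comment out active
# "session required pam_loginuid.so" lines in a PAM service file.
# Function names, the .orig suffix and the sample file are assumptions.

# Matches uncommented lines only; compared against the lowercased line.
PAM_RE='^[ \t]*session[ \t]+required[ \t]+pam_loginuid[.]so'

count_active() {    # prints the number of active pam_loginuid lines in $1
    awk -v re="$PAM_RE" 'tolower($0) ~ re { n++ } END { print n + 0 }' "$1"
}

disable_pam_loginuid() {
    dpl_file=$1
    [ -f "$dpl_file" ] || { echo "no such file: $dpl_file" >&2; return 2; }
    [ "$(count_active "$dpl_file")" -gt 0 ] || return 0    # nothing to do

    # Keep the first pristine copy so the workaround can be reverted.
    [ -e "$dpl_file.orig" ] || cp -p "$dpl_file" "$dpl_file.orig" || return 1

    dpl_tmp=$(mktemp) || return 1
    awk -v re="$PAM_RE" 'tolower($0) ~ re { print "#" $0; next } { print }' \
        "$dpl_file" > "$dpl_tmp" || { rm -f "$dpl_tmp"; return 1; }

    # Write in place (not mv) so owner, mode and SELinux label are preserved.
    cat "$dpl_tmp" > "$dpl_file"; dpl_rc=$?
    rm -f "$dpl_tmp"
    [ "$dpl_rc" -eq 0 ] && [ "$(count_active "$dpl_file")" -eq 0 ]
}

# Constructed sample standing in for /etc/pam.d/remote (contents illustrative).
write_sample() {
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth       include      password-auth' \
        'session    required     pam_selinux.so close' \
        'Session    required     pam_loginuid.so' \
        'session    include      password-auth' > "$1"
}

# Demo on a throwaway copy; on a VDA, pass /etc/pam.d/remote as root instead.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/remote"
disable_pam_loginuid "$demo_dir/remote" && grep -n 'pam_loginuid' "$demo_dir/remote"
rm -rf "$demo_dir"
```

pam_loginuid is the module that stamps the audit login UID on a session, so with the line disabled, auditd records for sessions opened through this PAM service carry an unset login UID; account for that in detections keyed on auid.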
Step 1: Create a template VM on the Azure portal
Create a template VM and install the Azure CLI on the VM.
On the Azure portal, create a template VM. Be sure to select Login with Azure AD on the Management tab before clicking Review + create.
Install the Azure CLI on the template VM. For more information, see this Microsoft article.
Step 2: Prepare a master image on the template VM
To prepare a master image, follow Step 3: Prepare a master image in Use MCS to create Linux VMs on Azure.
Step 3: Set the template VM to non-domain-joined mode
After you create a master image, follow these steps to set the VM to non-domain-joined mode:
Run the following script from the command prompt.
Modify /var/xdl/mcs/mcs_util.sh