Linux Azure AD authentication options

April 26, 2023 
There is a myriad of ways to login to Linux systems using Azure AD credentials. Photo credit: https://pixabay.com/vectors/bash-command-line-linux-shell-148836.

Introduction

There are several ways to do Linux Azure AD authentication. Note that Azure AD was renamed "Microsoft Entra ID" recently, but in this article we'll use its old name, at least for now. In other words, you can log in to your Linux hosts with Azure Active Directory ("Azure AD") credentials in various ways. Azure, Microsoft's public Cloud, builds on top of Azure AD. In fact, your Azure users, groups, roles and role assignments are stored in Azure AD.

The challenge with Linux Azure AD authentication is that Azure AD does not support "legacy protocols" such as LDAP and Kerberos. These are the protocols traditionally used to allow Linux logins with centralized identities. It is also important to distinguish between Azure AD and classic Active Directory ("AD DS"). While their names are similar, they are completely different beasts. That said, Azure AD and Active Directory can be integrated together with Azure AD Connect. For more on this confusing terminology have a look at our earlier Windows domain in Azure blog post.

In the open source world the closest analogy to Azure AD is probably Keycloak, on which Red Hat's commercially supported Red Hat Single Sign-On is based. Keycloak is an open source identity and access management application. While we know and love Keycloak, it is impossible to avoid Azure AD due to its huge market share.

This article tries to outline the options you have for logging in to your Linux hosts with Azure AD credentials. The Linux hosts can be located in Azure or elsewhere, depending on the authentication method.

LDAP authentication via Active Directory connected to Azure AD

As I mentioned above, Azure AD can be connected to classic Active Directory with Azure AD Connect. This allows you to join your Linux VMs to Active Directory using LDAP and Kerberos, so you essentially circumvent native Azure AD authentication. That said, this approach only makes sense if you already have an Active Directory instance. If you don't, the maintenance overhead is probably too much. If you do have Active Directory integrated with Azure AD, you can also throw Red Hat IdM/FreeIPA into the mix. This gets you the best of all worlds at the cost of a fairly high level of complexity.

LDAP authentication via Azure AD Domain Services

Azure AD can support LDAP and Kerberos with help from Azure AD Domain Services ("AAD DS"). AAD DS is a managed service that has nothing to do with classic Active Directory. With AAD DS you get LDAP and Kerberos endpoints, which then allow you to join Linux VMs indirectly to the Azure AD domain. Microsoft officially supports this configuration: see the instructions for Red Hat and other Linux distributions here.

Azure AD authentication via OpenSSH

Azure AD has built-in support for logging in to Linux VMs using Azure AD authentication via OpenSSH. This approach has a number of downsides and inconveniences:

  • It only supports logging in to Azure VMs because of the need for a special Azure VM extension.
  • It requires people logging in to have Azure CLI and an Azure CLI extension installed on their workstations.
  • The overall login workflow does not seem very intuitive nor easy.

This said, if all your Linux instances are in Azure this approach might be fairly reasonable and non-intrusive.

Azure Active Directory Authentication for Ubuntu

Canonical, the author of the popular Ubuntu distribution, has developed native Azure AD authentication support for Ubuntu Desktop. It has three components:

  • A PAM module for authentication.
  • An NSS module to query the password, group and shadow databases.
  • A command line tool to manage the local cache for offline authentication and the system's configuration.

In order to use this authentication method you also need an application and service principal in Azure. The modules also support offline logins, which is a really nice feature.

The caveat with this approach is that it seems desktop centric. The use-case is essentially the same as when domain-joining Windows 10+ systems to Azure AD: your local Ubuntu desktop logins are authenticated from Azure AD instead of the local files. This means that using this approach for headless server logins may be challenging or impossible.

The source code for these components is available on GitHub. While the developers focus on Ubuntu, there is nothing particularly Ubuntu-specific about the code. The software they build on top of, namely PAM and NSS, is available in every Linux distribution. Therefore it is likely that the code will work just fine on distributions such as Red Hat Linux. You might encounter issues with old versions of PAM and NSS, though; we have not tested that yet.

Himmelblau

Himmelblau is "an interoperability suite for Microsoft Azure AD and Intune". It integrates with PAM and NSS. It includes two systemd services which handle the Azure AD and Linux integration.

Himmelblau supports MFA with device authorization grant and Microsoft Authenticator app. Other MFA methods such as phone calls may work, but have not been tested. On the first login Himmelblau enrolls the device into Azure AD. Windows Hello PIN auth is available, but can be disabled for SSH logins.

You can use Himmelblau to log in with Azure AD credentials from a display manager (GDM) or with SSH. The SSH approach currently (May 2024) has a caveat, though: OpenSSH will reject any user that cannot be resolved through NSS. So, you first need to log in using some other means (e.g. a display manager), after which SSH logins should work fine. This issue is caused by Azure's architecture, so other Linux + Azure AD projects are probably also affected. The Himmelblau project is working to resolve this issue.
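The NSS caveat above applies to any of the PAM/NSS based approaches in this article, so it is worth checking before a user tries SSH. The following preflight script is an added example, not code from the original post or from the Himmelblau project: it verifies that nsswitch.conf lists the identity module for the passwd and group databases and that NSS actually resolves the user. The module name `himmelblau` and the sample nsswitch.conf are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or the Himmelblau project).
# sshd denies logins for accounts that NSS cannot resolve, so before trying
# SSH we check (1) that the passwd and group databases in nsswitch.conf list
# the identity module and (2) that a lookup of the user actually succeeds.
# The module name "himmelblau" is an assumption; adjust it for your setup.

# nss_has_module FILE DB MODULE -> 0 if the "DB:" line in FILE lists MODULE
nss_has_module() {
    file=$1; db=$2; module=$3
    # strip comments, locate the database line, look for the module token
    sed 's/#.*//' "$file" | awk -v db="$db" -v m="$module" '
        $1 == db":" { for (i = 2; i <= NF; i++) if ($i == m) found = 1 }
        END { exit found ? 0 : 1 }'
}

# nss_user_resolves USER -> 0 if the passwd database returns an entry.
# getent is the canonical NSS query tool; id is a fallback on minimal systems.
nss_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1 || id "$1" >/dev/null 2>&1
}

# ssh_preflight USER MODULE [NSSWITCH] -> 0 when an SSH login can succeed
ssh_preflight() {
    user=$1; module=$2; conf=${3:-/etc/nsswitch.conf}
    status=0
    if ! nss_has_module "$conf" passwd "$module"; then
        echo "passwd database in $conf does not list $module" >&2; status=1
    fi
    if ! nss_has_module "$conf" group "$module"; then
        echo "group database in $conf does not list $module" >&2; status=1
    fi
    if ! nss_user_resolves "$user"; then
        echo "$user is unknown to NSS: log in via the display manager first" >&2
        status=1
    fi
    return $status
}

# Constructed sample nsswitch.conf so the check can be demonstrated offline.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real system file
passwd:         files systemd himmelblau
group:          files systemd himmelblau
shadow:         files
EOF
```

Run `ssh_preflight alice himmelblau` against the real /etc/nsswitch.conf; a non-zero exit with the message on stderr tells you which of the two conditions sshd will trip over.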

AAD for Linux

AAD for Linux is a GitHub organization that seems focused on Linux Azure AD support. There are two relevant components that are very similar to what Azure Active Directory for Ubuntu includes:

You also need an OAuth2 client (i.e. an application) in Azure to make use of this login method.

When logging in you get a one-time token by email. You then pass the token to a special Azure authentication URL. After that you can log in by just pressing enter. This process is not particularly user-friendly, but might be enough for your needs.

What about Red Hat IdM/FreeIPA?

Red Hat Identity Management and its upstream, FreeIPA, allow you to create Linux domains. Essentially they are to Linux what classic Active Directory is to Windows. You can also create a so-called "trust relationship" between classic Active Directory and FreeIPA. That works because both of those applications use "legacy protocols" such as LDAP and Kerberos. Azure AD, however, is based on the OAuth2, OIDC and SAML 2.0 protocols.

The protocol incompatibility makes it impossible to link Red Hat IdM/FreeIPA directly with Azure AD. It is highly unlikely that such linking will ever be possible. However, there is an indirect way:

  1. Connect Azure AD to classic Active Directory with Azure AD Connect
  2. Connect FreeIPA to the classic Active Directory

This is the optimal solution, but also a fairly complex one, suitable mostly for larger organizations that have the required expertise and automation capabilities available.

That said, if you have a large fleet of Linux instances you should seriously consider using Red Hat IdM/FreeIPA. It's a proven solution in global scale cloud computing, and it gives you a wealth of essential features for managing identities, authentication and authorization on Linux systems, including, but not limited to:

  • Centralized management of users, groups, SSH keys
  • Automatic management of SSH host keys
  • Host-based access controls
  • Distribution of sudo and automount rules
  • DNS service
  • Private certificate authority

Other possible ways of integrating Linux systems with AAD via OAuth2 that might be of interest to the solution seekers are:

I hope you found this article informative. If you know other ways to login to Linux systems with Azure AD credentials please let us know.

Samuli Seppänen