1
00:00:00,440 --> 00:00:01,550
In this demonstration,

2
00:00:01,550 --> 00:00:04,690
we'll start by my showing you how to configure Azure AD

3
00:00:04,690 --> 00:00:06,750
sign‑in for a Windows virtual machine.

4
00:00:06,750 --> 00:00:08,320
Here we are in the Azure portal,

5
00:00:08,320 --> 00:00:12,990
looking at a Windows Server 2022 Datacenter box that I've got in Azure;

6
00:00:12,990 --> 00:00:14,490
it's called rootdc3.

7
00:00:14,490 --> 00:00:15,770
If I go over to Networking,

8
00:00:15,770 --> 00:00:18,470
we can inspect its networking. It's in a VNet called

9
00:00:18,470 --> 00:00:20,710
cloud‑vnet on a subnet named server.

10
00:00:20,710 --> 00:00:24,540
And I am not going to involve this rootdc3 at this

11
00:00:24,540 --> 00:00:27,580
time in a local on‑premises Azure AD.

12
00:00:27,580 --> 00:00:31,900
Instead, I want to be able to sign in using not a local account,

13
00:00:31,900 --> 00:00:36,590
or even install AD DS on the VM and log in with a domain account; I want

14
00:00:36,590 --> 00:00:40,510
to sign in with my tim@timw.info Azure AD account.

15
00:00:40,510 --> 00:00:41,460
Well, how do I do that?

16
00:00:41,460 --> 00:00:44,440
Well, what we want to do, since the VM is already created,

17
00:00:44,440 --> 00:00:48,040
is install the AADLoginForWindows extension.

18
00:00:48,040 --> 00:00:51,500
And I'm going to do that with the Azure command‑line interface.

19
00:00:51,500 --> 00:00:54,950
Again, I give you this AZ CLI script file in the course files.

20
00:00:54,950 --> 00:00:58,340
What you'll want to do in Visual Studio Code is you'll want

21
00:00:58,340 --> 00:01:01,190
to install the Azure CLI Tools extension,

22
00:01:01,190 --> 00:01:05,820
and you'll also want to install the Azure CLI binaries on your local system.

23
00:01:05,820 --> 00:01:07,220
It's a Python application,

24
00:01:07,220 --> 00:01:11,090
and it gives you that cross‑platform shell that some people really,

25
00:01:11,090 --> 00:01:11,710
really like.
26
00:01:11,710 --> 00:01:15,090
As you see here, we run az login to sign in to Azure,

27
00:01:15,090 --> 00:01:19,180
and I did an az account set to set my proper subscription context,

28
00:01:19,180 --> 00:01:23,600
and now, to inject that extension that enables Azure AD logon,

29
00:01:23,600 --> 00:01:26,960
I'm going to do az vm extension set, as you can see,

30
00:01:26,960 --> 00:01:28,410
with the publisher, the name,

31
00:01:28,410 --> 00:01:31,980
and then the resource group and name of my virtual machine.

32
00:01:31,980 --> 00:01:35,530
Let me select this code, right‑click, and Run Line in Terminal.

33
00:01:35,530 --> 00:01:35,810
Now,

34
00:01:35,810 --> 00:01:39,270
the reason why I have syntax highlighting and

35
00:01:39,270 --> 00:01:41,880
autocomplete and all of that good stuff is because I've

36
00:01:41,880 --> 00:01:44,450
installed the Azure CLI Tools extension,

37
00:01:44,450 --> 00:01:47,650
and the reason why the code is running is because I

38
00:01:47,650 --> 00:01:49,880
have the Azure CLI installed.

39
00:01:49,880 --> 00:01:53,090
Now normally, you can use the backslash as a line terminator,

40
00:01:53,090 --> 00:01:55,940
but it looks like that kind of choked VS Code.

41
00:01:55,940 --> 00:01:58,580
So what I'm going to do is quickly refactor here to

42
00:01:58,580 --> 00:02:00,830
get rid of those line separators.

43
00:02:00,830 --> 00:02:03,410
Okay, now that I've put the command on one line,

44
00:02:03,410 --> 00:02:05,830
let me right‑click, Run Line in Terminal,

45
00:02:05,830 --> 00:02:08,050
and it looks like it's going to go through this time.

46
00:02:08,050 --> 00:02:10,720
Now, the rest of the sample code I have here just

47
00:02:10,720 --> 00:02:13,000
involves granting RBAC permissions,

48
00:02:13,000 --> 00:02:15,600
but I'm going to show you how to do that in the portal.

49
00:02:15,600 --> 00:02:18,100
I think it's just going to be more effective that way.
50
00:02:18,100 --> 00:02:21,530
So, from the virtual machine's Access control (IAM) blade,

51
00:02:21,530 --> 00:02:23,480
let's do a role assignment here.

52
00:02:23,480 --> 00:02:25,950
We'll do Add Role Assignment, and in this case,

53
00:02:25,950 --> 00:02:27,910
we'll filter the list for "virtual machine".

54
00:02:27,910 --> 00:02:29,830
I want to sign in as an administrator,

55
00:02:29,830 --> 00:02:34,470
so I'm going to assign myself the Virtual Machine Administrator Login role,

56
00:02:34,470 --> 00:02:38,140
and again, it bears repeating that even though I'm a subscription owner,

57
00:02:38,140 --> 00:02:41,440
once you enable Azure AD sign‑in to a virtual machine,

58
00:02:41,440 --> 00:02:44,480
you're not going to be able to sign in with your credential

59
00:02:44,480 --> 00:02:47,160
unless you're a member of this, or should I say,

60
00:02:47,160 --> 00:02:49,080
you've been assigned this role.

61
00:02:49,080 --> 00:02:52,640
So let me search the directory for my tim@ account.

62
00:02:52,640 --> 00:02:57,850
Let me bring myself into scope here, let's proceed, and then Review and Assign.

63
00:02:57,850 --> 00:02:58,070
Nice.

64
00:02:58,070 --> 00:03:01,700
We'll come back to VS Code and make sure that we got JSON back;

65
00:03:01,700 --> 00:03:05,410
the provisioningState is Succeeded; that's exactly what I wanted to see.

66
00:03:05,410 --> 00:03:08,350
We might want to reboot the VM just to be sure,

67
00:03:08,350 --> 00:03:10,970
so let me go to Overview and Restart.

68
00:03:10,970 --> 00:03:15,110
Now, to complete the process, let's do a Connect, RDP.

69
00:03:15,110 --> 00:03:18,780
I do happen to have a public IP address on this instance.

70
00:03:18,780 --> 00:03:22,550
I have just‑in‑time VM access configured, so I'll request access.

71
00:03:22,550 --> 00:03:26,190
I actually did that a moment ago, and I downloaded the RDP file.

72
00:03:26,190 --> 00:03:28,820
Let me right‑click, choose Edit, and show you how you sign in.
73
00:03:28,820 --> 00:03:35,220
For the username, it's going to be AzureAD\, then the user portion of your user ID.

74
00:03:35,220 --> 00:03:39,390
So my tim@timw.info Azure AD account is being

75
00:03:39,390 --> 00:03:41,290
represented in this down‑level way.

76
00:03:41,290 --> 00:03:43,210
It's kind of backwards, but there you have it.

77
00:03:43,210 --> 00:03:46,420
Okay, I'm going to put in my Azure Active Directory password,

78
00:03:46,420 --> 00:03:47,430
and momentarily,

79
00:03:47,430 --> 00:03:54,000
we are being signed in to that virtual machine with Azure Active Directory credentials.