Create and Join Azure VM to Azure AD With Terraform

In this blog post, we will show you how to use Terraform to create an Azure VM running Windows 11 and join it to Azure AD.

In today’s cloud-centric world, it’s essential to manage access to cloud resources using Identity and Access Management (IAM) tools. In Azure, Azure Active Directory (AD) is the primary IAM tool that manages user identities and access to resources. Joining an Azure Virtual Machine (VM) to Azure AD is a crucial step towards managing access to your cloud resources efficiently. In this blog post, we will discuss how to create and join an Azure VM to Azure AD using Terraform.

Terraform Code

The following code creates a Windows 11 VM with the RDP port open for remote access. The parts that join the VM to Azure AD are:

  • identity – Set to SystemAssigned, so the VM gets a managed identity.
  • azurerm_virtual_machine_extension – We use the AADLoginForWindows extension to enable Azure AD login. A local admin user is also configured on the VM.
  • azurerm_role_assignment – We assign the Virtual Machine Administrator Login role to the user that will get access to the machine (use the user's Azure AD objectId as the principal_id).

Note: To log in to the VM with Azure AD credentials, the client machine you connect from must itself be joined to Azure AD.

Make sure you create a variable file with all the variables in the code before running.

```hcl
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.location
}

resource "azurerm_virtual_network" "vnet" {
  name                = var.vnet_name
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_subnet" "subnet" {
  name                 = var.subnet_name
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "win11nic" {
  name                = "${var.win11prefix}-nic"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.subnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.win11publicip.id
  }
}

resource "azurerm_network_security_group" "nsg" {
  name                = var.vm_nsg
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "RDP"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_windows_virtual_machine" "win11vm" {
  name                = "${var.win11prefix}-vm"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  size                = "Standard_F2s_v2"
  admin_username      = "vmadmin"
  admin_password      = var.vm_password
  network_interface_ids = [
    azurerm_network_interface.win11nic.id,
  ]

  source_image_reference {
    publisher = "microsoftwindowsdesktop"
    offer     = "windows-11"
    sku       = "win11-22h2-pro"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  # System-assigned managed identity, required by the Azure AD login extension
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_public_ip" "win11publicip" {
  name                = "${var.win11prefix}-pubip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Dynamic"
}

resource "azurerm_network_interface_security_group_association" "securitygroup" {
  network_interface_id      = azurerm_network_interface.win11nic.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}

# Azure AD login extension: joins the VM to Azure AD and enables Azure AD sign-in
resource "azurerm_virtual_machine_extension" "aadlogin" {
  name                 = "AADLoginForWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.win11vm.id
  publisher            = "Microsoft.Azure.ActiveDirectory"
  type                 = "AADLoginForWindows"
  type_handler_version = "2.0"
}

# Grants the user (by Azure AD objectId) local admin login on VMs in the resource group
resource "azurerm_role_assignment" "assign-vm-role" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine Administrator Login"
  principal_id         = var.principal_id
}
```
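As an added example (not code from the original post), here is the variable file the post asks you to create, together with a tighter version of the NSG rule and the role assignment that replaces the corresponding blocks above. The `admin_source_cidr` variable and the VM-level `scope` are my additions, not the post's.

```hcl
# Added example, not code from the original post. Replaces the "nsg" and
# "assign-vm-role" blocks above; the other resources stay as they are.
variable "rg_name"     { type = string }
variable "location"    { type = string }
variable "vnet_name"   { type = string }
variable "subnet_name" { type = string }
variable "vm_nsg"      { type = string }
variable "win11prefix" { type = string }

variable "vm_password" {
  type      = string
  sensitive = true # keeps the local admin password out of plan/apply output
}

variable "principal_id" {
  type        = string
  description = "Azure AD objectId of the user who may log in as local admin"
}
# Assumed variable (not in the post): the CIDR your admin workstation uses.
variable "admin_source_cidr" {
  type = string
}

# Same RDP rule as the post, but the source is limited to admin_source_cidr
# instead of "*", which exposes TCP 3389 to the whole internet.
resource "azurerm_network_security_group" "nsg" {
  name                = var.vm_nsg
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "RDP"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = var.admin_source_cidr
    destination_address_prefix = "*"
  }
}

# Scoped to this VM instead of the whole resource group, so the user gets
# admin login only on this machine.
resource "azurerm_role_assignment" "assign-vm-role" {
  scope                = azurerm_windows_virtual_machine.win11vm.id
  role_definition_name = "Virtual Machine Administrator Login"
  principal_id         = var.principal_id
}
```

Put the actual values in a `terraform.tfvars` file (or pass them with `-var`); with `sensitive = true`, Terraform still stores the password in state, so protect the state backend accordingly.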

To log in to the VM with Azure AD credentials, use the following username format:

AzureAD\UPN
