In this blog post, we will show you how to use Terraform to create an Azure VM running Windows 11 and join it to Azure AD.
In today’s cloud-centric world, it’s essential to manage access to cloud resources using Identity and Access Management (IAM) tools. In Azure, Azure Active Directory (AD) is the primary IAM tool that manages user identities and access to resources. Joining an Azure Virtual Machine (VM) to Azure AD is a crucial step towards managing access to your cloud resources efficiently. In this blog post, we will discuss how to create and join an Azure VM to Azure AD using Terraform.
Terraform Code
The following code creates a Windows 11 VM with an RDP port open for remote access. The parts that join the VM to Azure AD are:
- identity – Set to SystemAssigned, so the VM gets a system-assigned managed identity (the Azure AD login extension depends on it).
- azurerm_virtual_machine_extension – We install the AADLoginForWindows extension to enable Azure AD login. The VM also keeps a local administrator account (vmadmin).
- azurerm_role_assignment – We assign the Virtual Machine Administrator Login role, scoped to the resource group, to the user who will get access to the machine (use the user's Azure AD objectId, not the UPN).
Note: To log in to the machine with Azure AD credentials, the client machine you connect from must itself be joined to Azure AD.
Make sure you create a variable file declaring all the variables used in the code before running it.
```hcl
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.location
}

resource "azurerm_virtual_network" "vnet" {
  name                = var.vnet_name
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_subnet" "subnet" {
  name                 = var.subnet_name
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "win11nic" {
  name                = "${var.win11prefix}-nic"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.subnet.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.win11publicip.id
  }
}

resource "azurerm_network_security_group" "nsg" {
  name                = var.vm_nsg
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # Inbound RDP. source_address_prefix = "*" exposes 3389 to every address;
  # narrow it to your own public IP range before using this outside a lab.
  security_rule {
    name                       = "RDP"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_windows_virtual_machine" "win11vm" {
  name                = "${var.win11prefix}-vm"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  size                = "Standard_F2s_v2"
  admin_username      = "vmadmin"
  admin_password      = var.vm_password
  network_interface_ids = [
    azurerm_network_interface.win11nic.id,
  ]

  source_image_reference {
    publisher = "microsoftwindowsdesktop"
    offer     = "windows-11"
    sku       = "win11-22h2-pro"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  # System-assigned managed identity; the AADLoginForWindows extension needs it.
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_public_ip" "win11publicip" {
  name                = "${var.win11prefix}-pubip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Dynamic"
}

resource "azurerm_network_interface_security_group_association" "securitygroup" {
  network_interface_id      = azurerm_network_interface.win11nic.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}

# Installs the Azure AD login extension on the VM.
resource "azurerm_virtual_machine_extension" "aadlogin" {
  name                 = "AADLoginForWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.win11vm.id
  publisher            = "Microsoft.Azure.ActiveDirectory"
  type                 = "AADLoginForWindows"
  type_handler_version = "2.0"
}

# Grants the user (by Azure AD objectId) local admin login on every VM in the resource group.
resource "azurerm_role_assignment" "assign-vm-role" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine Administrator Login"
  principal_id         = var.principal_id
}
```
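The post says to create a variable file but does not show one. The following variables.tf is an added example, not the author's code: it declares every variable the configuration above references, marks the password sensitive, and adds two validations (the 12-character prefix limit follows from the 15-character Windows computer name limit applied to "<prefix>-vm"; the GUID check catches a UPN passed where an objectId is expected).

```hcl
variable "rg_name" {
  description = "Resource group that holds the VM and its network."
  type        = string
}

variable "location" {
  description = "Azure region, e.g. \"westeurope\"."
  type        = string
}

variable "vnet_name" {
  type = string
}

variable "subnet_name" {
  type = string
}

variable "vm_nsg" {
  description = "Name of the network security group that carries the RDP rule."
  type        = string
}

variable "win11prefix" {
  description = "Prefix for the NIC, public IP and VM names."
  type        = string
  validation {
    # "<prefix>-vm" becomes the Windows computer name, limited to 15 characters.
    condition     = length(var.win11prefix) <= 12
    error_message = "win11prefix must be 12 characters or fewer."
  }
}

variable "vm_password" {
  description = "Password for the local vmadmin account; supply it via TF_VAR_vm_password rather than a committed tfvars file."
  type        = string
  sensitive   = true
}

variable "principal_id" {
  description = "Azure AD objectId (GUID) of the user granted Virtual Machine Administrator Login."
  type        = string
  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.principal_id))
    error_message = "principal_id must be an Azure AD object id (GUID), not a UPN."
  }
}
```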
To log in to the VM with Azure AD credentials, use the following username format:
AzureAD\UPN