fix: Enable Microsoft Entra ID authentication for the jumpbox VM through Azure Bastion#163
Open
Saswato-Microsoft wants to merge 1 commit into
Conversation
…thentication on Jump VM via Azure Bastion
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Microsoft Entra ID authentication for the network-isolated jumpbox VM via Azure Bastion, removing reliance on manually managed local VM credentials.
Changes:
- Generate a non-checked-in jumpbox local admin password and stop reading VM credential env vars in top-layer params.
- Post-configure the existing jumpbox VM to support Entra ID sign-in (AADLoginForWindows extension + RBAC assignment).
- Update docs to reflect Entra ID sign-in flow via Bastion.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| infra/main.bicepparam | Removes VM credential env var inputs; introduces deterministic generated password and updated comments. |
| infra/main.bicep | Adds resources to enable Entra ID login on the deployed jump VM (extension + role assignment). |
| docs/post_deployment_steps.md | Updates Bastion connection instructions to Entra ID authentication and updates screenshot reference. |
| docs/deploymentguide.md | Removes VM credential configuration guidance; points to Entra ID-based access docs. |
| docs/deploy_app_from_foundry.md | Updates jump VM access steps to use Entra ID auth via Bastion. |
| docs/ACCESSING_PRIVATE_RESOURCES.md | Rewrites access/troubleshooting sections to align with Entra ID sign-in and RBAC-based access control. |
| param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser') | ||
| param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!') | ||
| // Jumpbox sign-in is performed via Microsoft Entra ID through Azure Bastion (Basic SKU). |
| // deterministically per azd environment so nothing weak/known is committed to source. | ||
| // Ref: https://learn.microsoft.com/azure/bastion/bastion-entra-id-authentication | ||
| param vmUserName = 'testvmuser' | ||
| param vmAdminPassword = 'Jb!${uniqueString(readEnvironmentVariable('AZURE_ENV_NAME', 'default'), readEnvironmentVariable('AZURE_SUBSCRIPTION_ID', 'sub'))}${guid(readEnvironmentVariable('AZURE_ENV_NAME', 'default'), 'vm-admin-password')}' |
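Review bot: the password built on the added `param vmAdminPassword = 'Jb!${uniqueString(...)}${guid(...)}'` line is fully determined by AZURE_ENV_NAME and AZURE_SUBSCRIPTION_ID, neither of which is a secret, so anyone who knows those two values can recompute the local admin password; if the matching parameter in main.bicep is not declared `@secure()`, the value will also be stored in plain text in the deployment's parameter history. Since the comment states that sign-in goes through Entra ID, consider generating the local password outside the template (for example from Key Vault) and passing it as a secure parameter, or at minimum documenting that the local account is a break-glass credential to be rotated after deployment. Two smaller points in the same hunk: the comment line `// deterministically per azd environment so nothing weak/known is committed to source.` begins mid-sentence, and `(Basic SKU)` on the preceding comment line conflicts with the docs hunk in this PR, which says Bastion is deployed with the Standard SKU.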
| // Mirror the submodule's VM name computation (see submodules/ai-landing-zone/main.bicep: | ||
| // _vmBaseName = !empty(vmName) ? vmName : 'testvm${resourceToken}', then substring(..., 0, 15)). | ||
| var jumpVmEntraIdEnabled = networkIsolation && deployVM && !empty(principalId) |
| name: jumpVmName | ||
| } | ||
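Review bot: duplicating the submodule's name computation (`// Mirror the submodule's VM name computation ...`) is brittle; if submodules/ai-landing-zone/main.bicep ever changes the `_vmBaseName` expression or the 15-character `substring`, the lookup by `name: jumpVmName` silently points at a VM that does not exist and the extension and role assignment that depend on it fail at deploy time. Prefer consuming a VM name or resource ID output exposed by the submodule. Separately, `var jumpVmEntraIdEnabled = networkIsolation && deployVM && !empty(principalId)` quietly disables Entra ID login whenever principalId is empty, which leaves the VM reachable only with the generated local password; surfacing that case (a deployment output or a line in the docs) would make the failure mode visible rather than silent.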
| resource jumpVmAadLoginExtension 'Microsoft.Compute/virtualMachines/extensions@2024-07-01' = if (jumpVmEntraIdEnabled) { |
| } | ||
| } | ||
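Review bot: only the header and closing braces of `resource jumpVmAadLoginExtension ... if (jumpVmEntraIdEnabled)` are visible here, so please confirm in the full file that the extension is parented to the VM referenced by `name: jumpVmName` (which gives the correct ordering against the already-deployed VM) and that autoUpgradeMinorVersion is enabled so minor updates of the AADLoginForWindows extension are picked up without a template change.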
| resource jumpVmAdminLoginRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (jumpVmEntraIdEnabled) { |
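Review bot: for `resource jumpVmAdminLoginRoleAssignment ... if (jumpVmEntraIdEnabled)`, make sure the assignment's `name` is a deterministic `guid()` of the VM resource ID, principalId and the role definition ID; otherwise a second deployment of the same environment attempts to create a duplicate assignment and fails with a conflict. Scope the assignment to the VM resource rather than the resource group so that Virtual Machine Administrator Login grants nothing beyond this jumpbox, and set principalType explicitly so the assignment does not intermittently fail for a freshly created service principal whose object has not yet replicated.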
Comment on lines +15 to 19
| The jumpbox VM is provisioned with the **AAD Login for Windows** extension and the deploying | ||
| principal is automatically granted the **Virtual Machine Administrator Login** role on the VM. | ||
| Azure Bastion is deployed using the **Standard** SKU (which supports Microsoft Entra ID | ||
| authentication for Azure portal RDP/SSH sessions). | ||
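Review bot: this paragraph states that Bastion is deployed with the Standard SKU, while the comment added to infra/main.bicepparam in this same PR says `(Basic SKU)`; reconcile the two so readers know which SKU the template actually deploys and whether Entra ID sign-in is available on it. The phrase "automatically granted the Virtual Machine Administrator Login role" also only holds when principalId is non-empty (see `var jumpVmEntraIdEnabled`), so it is worth saying here what a user should expect when it is not.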
Purpose
This pull request updates the deployment to enable Microsoft Entra ID (formerly Azure Active Directory) authentication for the jumpbox VM through Azure Bastion, removing the need to manage local admin credentials for RDP access. Documentation and infrastructure scripts are updated to reflect this new authentication flow, making access more secure and user-friendly. Local admin credentials are now auto-generated and not used for sign-in, and guidance for troubleshooting Entra ID-based access is provided.
Infrastructure changes: Microsoft Entra ID authentication for Jump VM
- infra/main.bicep: Installs the AADLoginForWindows extension on the jumpbox VM and assigns the deploying principal the "Virtual Machine Administrator Login" role, enabling Entra ID sign-in via Bastion.
- infra/main.bicepparam: Removes environment-based admin credentials; now sets a default username and generates a deterministic password that is not used for sign-in.
Documentation updates: Sign-in flow and troubleshooting
- docs/ACCESSING_PRIVATE_RESOURCES.md: Updates instructions to show how to connect to the jump VM using Entra ID credentials, removes references to local usernames/passwords, and adds troubleshooting steps for Entra ID authentication.
- docs/deploymentguide.md: Removes references to setting VM admin credentials and clarifies that Bastion uses Entra ID authentication.
- docs/deploy_app_from_foundry.md, docs/post_deployment_steps.md: Updates Bastion connection instructions to use Entra ID authentication, removes local credential references, and adds links to relevant documentation.
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information