Control who logs into VMs via Azure AD Domain Services

Nigel Morse 186 Reputation points

Looking at setting up Azure AD Domain Services for several VMs in Azure (including 2 SQL Servers in a cluster for Availability Groups). If we do that, how can we control which people from the AAD can log into the machines? Is that just done by making an AAD group "Azure VM Access" or similar and then making that group either able to RDP in and/or making them local machine Admins?

Tags: Azure Active Directory Domain Services, Azure Role-based access control

1 answer

  1. JamesTran-MSFT 26,616 Reputation points Microsoft Employee

    @Nigel Morse
    Thank you for your post and I apologize for the delayed response!

    When it comes to controlling who from your AzureAD tenant can connect to your VMs, you can definitely try leveraging Azure role-based access control (Azure RBAC). RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. For more info.

    Compute specific built-in roles:

    Additional link - Sign in to Windows virtual machine in Azure using Azure Active Directory authentication (Preview)

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

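As an added example (not code from the answer above or from Microsoft's documentation), the following Az PowerShell script carries out the RBAC approach the answer describes: two Azure AD groups are given the built-in "Virtual Machine Administrator Login" and "Virtual Machine User Login" roles, scoped to each VM rather than to the subscription, and the Azure AD login extension is enabled on the VMs. The resource group name `rg-sql-ag`, the VM names `sql01`/`sql02` and the group names are placeholders. It assumes the Az module is installed and you are already signed in with `Connect-AzAccount` as someone allowed to create groups and assign roles. One caveat worth knowing before running it: this is the Azure AD login path linked in the answer, which Azure AD-joins the VM. If the VMs are instead joined to an Azure AD DS managed domain, sign-in rights come from domain group membership (for instance the group from the question placed in the VMs' local Administrators or Remote Desktop Users groups through Group Policy), and the RBAC login roles below do not govern who can RDP in.

```powershell
# Added example: assign Azure AD login roles to VMs with least-privilege scope.
# All names below are placeholders; replace them with your own values.
$ResourceGroup = "rg-sql-ag"                 # placeholder resource group
$VmNames       = @("sql01", "sql02")         # placeholder VM names
$AdminGroup    = "Azure VM Access - Admins"  # placeholder group: local admin on the VMs
$UserGroup     = "Azure VM Access - Users"   # placeholder group: standard RDP user only

# 1. Create each Azure AD security group if it does not exist yet (idempotent).
function Get-OrCreateGroup([string]$DisplayName) {
    $g = Get-AzADGroup -DisplayName $DisplayName
    if (-not $g) {
        $nick = $DisplayName -replace '[^a-zA-Z0-9]', ''
        $g = New-AzADGroup -DisplayName $DisplayName -MailNickname $nick
    }
    return $g
}

# Assign a role only when the principal does not already hold it at that scope.
function Add-LoginRole([string]$ObjectId, [string]$Role, [string]$Scope) {
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
    }
}

$admins = Get-OrCreateGroup $AdminGroup
$users  = Get-OrCreateGroup $UserGroup

# 2. Enable Azure AD login on each VM and scope the login roles to that VM resource.
foreach ($name in $VmNames) {
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $name

    # Microsoft's published Azure AD login extension for Windows VMs.
    Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $name `
        -Name "AADLoginForWindows" -Publisher "Microsoft.Azure.ActiveDirectory" `
        -ExtensionType "AADLoginForWindows" -TypeHandlerVersion "1.0" `
        -Location $vm.Location | Out-Null

    # Scope is the VM's resource ID, not the resource group or subscription,
    # so membership in these groups grants sign-in to these machines only.
    Add-LoginRole -ObjectId $admins.Id -Role "Virtual Machine Administrator Login" -Scope $vm.Id
    Add-LoginRole -ObjectId $users.Id  -Role "Virtual Machine User Login"          -Scope $vm.Id
}

# 3. Audit check: list every principal holding a VM login role on each VM.
#    Run this periodically; an unexpected entry here is a finding, not a convenience.
foreach ($name in $VmNames) {
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $name
    Get-AzRoleAssignment -Scope $vm.Id |
        Where-Object { $_.RoleDefinitionName -like "Virtual Machine * Login" } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}
```

Keeping the two groups separate (admin versus user) lets day-to-day RDP access for SQL operators be granted without handing out local Administrators membership; the audit loop at the end also surfaces any role assignment made directly to a user rather than through the groups, which is the usual way scoped access drifts over time.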