Is there a policy for auditing whether 'Login with Azure AD' is enabled on a VM or not?

Question

Hello community,

When creating a VM in Azure, under the 'Management' tab, I can choose 'Login with Azure AD'.

Is there a policy where I can audit whether my VMs have this feature enabled or not? Or is there a policy to even enforce this box to be ticked when creating a VM? According to Microsoft Documentation https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows under 'Using Azure Policy to ensure standards and assess compliance' it should be possible to at least audit but I haven't found any suitable built-in or custom policies yet. The only policies I found was to disable local users for windows or linux, therefore to only allow Azure AD Users. But I would like to keep a local user as an admnistrator. Therefore this policy is not suitable for my case.

Thanks in advance and best regards!

Answer 1

Hi,
There is not such policy out of the box but you can for example duplicate one of the built-in policies like: Log Analytics Extension should be enabled for listed virtual machine images and modify it for the AAD extension. Specifically you in that policy you can replace "equals": "Microsoft.EnterpriseCloud.Monitoring" with "equals": "Microsoft.Azure.ActiveDirectory" for Windows and "equals": "Microsoft.Azure.ActiveDirectory.LinuxSSH" for Linux.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.