Commit f02cb94

authored
Merge pull request #103724 from richeney/patch-14
Update ssh-arc-overview.md
2 parents 0df6e31 + 105f7b0 commit f02cb94

1 file changed

+11
-0
lines changed

articles/azure-arc/servers/ssh-arc-overview.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,17 @@ To leverage this functionality, please ensure the following:
2929
- [Ensure the Arc-enabled server has the "sshd" service enabled](/windows-server/administration/openssh/openssh_install_firstuse).
3030
- Ensure you have the Virtual Machine Local User Login role assigned (role ID: 602da2baa5c241dab01d5360126ab525)
3131

32+
Authenticating with Azure AD credentials has additional requirements:
33+
- `aadsshlogin` and `aadsshlogin-selinux` (as appropriate) must be installed on the Arc-enabled server. These packages are installed with the AADSSHLoginForLinux VM extension.
34+
- Configure role assignments for the VM. Two Azure roles are used to authorize VM login:
35+
- **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.
36+
- **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.
37+
38+
An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Azure AD login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines.
39+
40+
> [!NOTE]
41+
> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#limits) per subscription.
42+
3243
### Availability
3344
SSH access to Arc-enabled servers is currently supported in the following regions:
3445
- eastus2euap, eastus, eastus2, westus2, southeastasia, westeurope, northeurope, westcentralus, southcentralus, uksouth, australiaeast, francecentral, japaneast, eastasia, koreacentral, westus3, westus, centralus, northcentralus.
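Review bot: the note added at line 41 contradicts itself: it recommends assigning the roles "at the management group, subscription, or resource level and not at the individual VM level", but the resource scope is the individual VM. The scopes listed earlier in the same sentence are management group, subscription, resource group, and resource, so the recommendation should read "resource group level". Two smaller points in the same hunk: the role bullets at lines 35 and 36 describe the two roles introduced by "Configure role assignments for the VM" at line 34 and should be indented as sub-items of that bullet rather than siblings; and the new text says "Azure virtual machine" and "VM" throughout while this page covers Arc-enabled servers, so "Arc-enabled server" would match the existing bullet at line 29. Also, `aadsshlogin` and the `AADSSHLoginForLinux` extension at line 33 are Linux-specific, so state explicitly that the Azure AD login requirements apply to Linux servers, since the preceding context at line 29 links to the Windows Server `sshd` setup.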
