In today’s digital landscape, security is paramount, especially when working with cloud-based infrastructure. For those leveraging Azure Virtual Machines (VMs), incorporating multi-factor authentication (MFA) with YubiKey can significantly strengthen security. YubiKey, a hardware-based security key developed by Yubico, is known for its reliability and ease of use for passwordless sign-ins and MFA. This blog post explores how to set up and use YubiKey for authentication on an Azure VM, providing an additional layer of security for your remote sessions.
Why Use YubiKey with Azure Virtual Machines?
YubiKeys enhance security by requiring physical possession of the device for authentication, making unauthorized access significantly more challenging. With Azure’s support for FIDO2 and Microsoft Entra ID (formerly Azure Active Directory), you can integrate YubiKey to provide secure, passwordless access to your Azure VMs.
Step-by-Step Guide to Using YubiKey with Azure VMs
Step 1: Configure Microsoft Entra ID for Security Keys
To enable YubiKey authentication on your Azure VM, start by configuring Microsoft Entra ID to recognize security keys.
Navigate to Security Settings
In the Azure portal, go to Microsoft Entra ID > Security > Authentication methods > Policies.
Enable FIDO2 Security Key
Under Policies, locate the FIDO2 security key option and enable it. This setting allows users to use FIDO2-compliant security keys, like YubiKey, for authentication.
Assign Users or Groups
Specify the users or groups who will be permitted to register and use security keys for authentication. This step ensures that only authorized users can log in using YubiKey.
Step 2: Register Your YubiKey
Each user who wants to access the Azure VM with YubiKey needs to register their device with Microsoft Entra ID.
- Register Your YubiKey: Log into your Microsoft account settings and add your YubiKey as an authentication method. This can be done in the security settings of your Microsoft account, where you’ll be prompted to insert and activate your YubiKey.
- Follow YubiKey Registration Steps: Yubico provides a detailed guide on setting up YubiKey with Microsoft Entra ID, ensuring your device is configured correctly. Check Yubico’s Guide Here
Step 3: Enable Microsoft Entra ID Login on the VM
To allow users to sign in with Microsoft Entra ID and YubiKey on the VM, enable the Microsoft Entra login option.
Configure VM Settings
When creating or modifying a Windows VM in Azure, select the Login with Microsoft Entra ID option. This setting enables Microsoft Entra ID authentication, allowing YubiKey-enabled logins.
Microsoft Entra Join
Ensure the VM is either Microsoft Entra joined or hybrid Microsoft Entra joined. This allows the VM to recognize and authenticate users with Microsoft Entra credentials.
Assign Appropriate Roles
Assign Azure roles like Virtual Machine Administrator Login to users who need access to the VM. This ensures they have the necessary permissions to authenticate using Microsoft Entra ID.
Step 4: Enable YubiKey in RDP Sessions
To use YubiKey within an RDP session, USB redirection needs to be enabled so that the YubiKey is recognized within the remote session.
Configure USB Redirection
In your RDP client settings, enable USB redirection for supported USB devices. This allows your local machine to redirect the YubiKey’s functionality to the Azure VM.
Verify Compatibility
Some environments, such as Terminal Servers, may not fully support YubiKey functionality within RDP sessions. Test the YubiKey setup in your specific environment to confirm compatibility.
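Steps 3 and 4 can be scripted rather than clicked through. The script below is an added example, not code from the original post or from Microsoft or Yubico: it installs the Entra login VM extension, assigns the Virtual Machine Administrator Login role scoped to that single VM, and writes an .rdp file whose settings (enablerdsaadauth and redirectwebauthn) make the remote session accept Entra sign-in and forward the FIDO2 prompt to the local machine where the YubiKey is inserted. It assumes a logged-in Azure CLI; the resource group, VM name and account are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Azure CLI (az) is installed
# and logged in. RG, VM and USER_UPN are placeholders; override them via the environment.
set -euo pipefail

RG="${RG:-rg-placeholder}"
VM="${VM:-vm-placeholder}"
USER_UPN="${USER_UPN:-user@example.com}"   # placeholder account that will be allowed to log in

# Step 3: install the Microsoft Entra login extension and grant the login role.
# The role is scoped to this one VM, not the subscription, to keep the grant minimal.
enable_entra_login() {
  az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows
  local vm_id
  vm_id=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)
  az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee "$USER_UPN" --scope "$vm_id"
}

# Step 4: write an .rdp file that signs in with Entra ID and redirects WebAuthn (FIDO2)
# requests from the VM to the local client, so the YubiKey plugged in locally answers them.
write_rdp_file() {
  local host="$1" out="$2"
  cat > "$out" <<EOF
full address:s:${host}:3389
authentication level:i:2
enablerdsaadauth:i:1
redirectwebauthn:i:1
prompt for credentials:i:1
EOF
}

# Returns 0 only if the .rdp file carries both settings a key-backed Entra login needs;
# a file produced by an older client or a plain "Save As" typically lacks them.
rdp_file_ready() {
  grep -qx 'enablerdsaadauth:i:1' "$1" && grep -qx 'redirectwebauthn:i:1' "$1"
}

if [ "${1:-}" = "configure" ]; then
  enable_entra_login
  write_rdp_file "$(az vm show -d -g "$RG" -n "$VM" --query publicIps -o tsv)" "${VM}.rdp"
  rdp_file_ready "${VM}.rdp" && echo "wrote ${VM}.rdp"
fi
```

Run it as `./entra-yubikey.sh configure`; opening the generated .rdp file should then prompt for the security key inside the session rather than for a password.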
Step 5: Testing and Troubleshooting
After configuration, it’s essential to test the YubiKey integration:
Attempt a Login with YubiKey
Try logging into your Azure VM using the Microsoft Entra login option and your YubiKey. You should be prompted to insert the YubiKey as part of the MFA or passwordless process.
Troubleshoot Common Issues
If you encounter issues, check USB redirection settings and confirm that YubiKey is registered correctly with Microsoft Entra ID. For persistent issues, consult the Microsoft support documentation or Yubico’s troubleshooting guide.
Conclusion
Using YubiKey for authentication on Azure Virtual Machines is an excellent way to secure your environment against unauthorized access. With FIDO2 and Microsoft Entra ID, Azure users can benefit from hardware-based authentication that provides both MFA and passwordless login options. By following the steps outlined in this guide, you can configure YubiKey for secure, convenient access to your Azure VMs.
This setup not only adds an extra security layer but also simplifies the user experience by reducing reliance on passwords. By adopting YubiKey authentication, organizations can take a proactive step towards enhancing cloud security and ensuring that only authorized users access critical virtual infrastructure.