Azure ARM Template for VM Creation with AAD Sign-in

Microsoft recently released a public preview of a new Azure capability that lets you sign in to a Windows virtual machine with an Azure AD account. Previously you needed several extra steps to join the virtual machine to a managed Azure AD Domain Services (Azure AD DS) domain. Now you can create a virtual machine with Azure AD sign-in enabled directly.

This article briefly describes the capability and provides an ARM template that creates a virtual machine you can sign in to with Azure AD.

TL;DR: you can skip this article and use the template from here.

This article gives you tons of things. Do not miss it.

Extension schema

The extension is named AADLoginForWindows. Below is the extension resource you can include in your ARM template next to the virtual machine resource. Two things the extension does not provide on its own: the VM must have a system-assigned managed identity ("identity": { "type": "SystemAssigned" } on the Microsoft.Compute/virtualMachines resource), otherwise the extension fails to provision; and each user who will sign in still needs the Virtual Machine Administrator Login or Virtual Machine User Login Azure RBAC role on the VM (or a parent scope). Prefer the User Login role wherever local admin rights are not actually needed.

    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(parameters('vmName'), '/AADLoginForWindows')]",
        "location": "[parameters('location')]",
        "apiVersion": "2019-03-01",
        "dependsOn": [
            "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.Azure.ActiveDirectory",
            "type": "AADLoginForWindows",
            "typeHandlerVersion": "0.4",
            "autoUpgradeMinorVersion": true
        }
    }

Once the deployment completes, you can verify the result in two places: the Extensions blade of the virtual machine in the portal, where AADLoginForWindows should show a provisioning state of Succeeded, and Azure AD > Devices, where the VM should appear as an Azure AD joined device.


You can also enable Azure AD login on a virtual machine that already exists. With PowerShell (Az module), the following snippet installs the extension:

# Target VM and the extension to install (publisher/type identify AADLoginForWindows).
$vmName = "vm00001"
$vmRgName = "azsec-corporate-rg"
$extensionName = "AADLoginForWindows"
$publisher = "Microsoft.Azure.ActiveDirectory"

# Look the VM up so we can reuse its name and region for the extension resource.
$vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName
Set-AzVMExtension -ResourceGroupName $vmRgName `
                  -VMName $vm.Name `
                  -Name $extensionName `
                  -Location $vm.Location `
                  -Publisher $publisher `
                  -Type "AADLoginForWindows" `
                  -TypeHandlerVersion "0.4"
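The snippet above installs only the extension. Below is an added example (not from the original post) that carries the post-creation procedure through end to end: it enables the system-assigned managed identity the extension requires, installs the extension, grants the signing-in user an Azure RBAC login role scoped to the VM only, and checks that the extension actually provisioned. The Az module is assumed to be installed and Connect-AzAccount already run; the VM, resource group and user names are placeholders.

```powershell
# Added example, not part of the original article.
# Assumes: Az PowerShell module, an authenticated session (Connect-AzAccount),
# and Owner/User Access Administrator rights on the VM for the role assignment.
$vmName        = "vm00001"                 # placeholder
$vmRgName      = "azsec-corporate-rg"      # placeholder
$extensionName = "AADLoginForWindows"
$publisher     = "Microsoft.Azure.ActiveDirectory"
$signInName    = "alice@contoso.com"       # placeholder user who will RDP in
# Least privilege: use "Virtual Machine User Login" when admin rights are not needed.
$loginRole     = "Virtual Machine Administrator Login"

$vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName

# 1. The extension requires a system-assigned managed identity on the VM.
if ($null -eq $vm.Identity -or "$($vm.Identity.Type)" -notmatch "SystemAssigned") {
    Update-AzVM -ResourceGroupName $vmRgName -VM $vm -IdentityType SystemAssigned | Out-Null
    $vm = Get-AzVM -ResourceGroupName $vmRgName -Name $vmName
}

# 2. Install the extension (safe to re-run; an existing extension is updated in place).
Set-AzVMExtension -ResourceGroupName $vmRgName `
                  -VMName $vm.Name `
                  -Name $extensionName `
                  -Location $vm.Location `
                  -Publisher $publisher `
                  -Type "AADLoginForWindows" `
                  -TypeHandlerVersion "0.4" | Out-Null

# 3. Authorize the user. Without one of the two login roles, Azure AD sign-in is
#    refused even though the extension is healthy. Scope to this VM, not the RG.
$existing = Get-AzRoleAssignment -SignInName $signInName `
                                 -RoleDefinitionName $loginRole `
                                 -Scope $vm.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $signInName `
                         -RoleDefinitionName $loginRole `
                         -Scope $vm.Id | Out-Null
}

# 4. Verify the extension provisioned before telling anyone to try logging in.
$ext = Get-AzVMExtension -ResourceGroupName $vmRgName -VMName $vmName -Name $extensionName
if ($ext.ProvisioningState -ne "Succeeded") {
    throw "AADLoginForWindows is in state '$($ext.ProvisioningState)' on $vmName"
}
Write-Output "Azure AD sign-in enabled on $vmName; $signInName holds '$loginRole' at VM scope."
```

Scoping the role assignment to $vm.Id rather than the resource group keeps a compromised or over-entitled account from inheriting login rights on every VM in the group; Get-AzRoleAssignment with -Scope also returns assignments inherited from parent scopes, so the check above will not duplicate a role the user already holds at subscription or resource-group level.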

One thing worth mentioning: if your subscription is an MSDN one, you may need to wait. At the time of writing, the Azure AD sign-in option is only visible in the VM creation flow for Enterprise Agreement (EA) subscriptions.

This entry was posted in Identity & Access Control.

2 Responses to Azure ARM Template for VM Creation with AAD Sign-in

  1. Pingback: Deploy a healthy development Windows virtual machine

  2. Pingback: What is the difference? Azure AD registered versus Azure AD joined - Pagb
