Connect to On-Premises machines using Azure ARC

Once a machine is onboarded to Azure ARC, it opens the door to many new features. One feature is the ability to connect to the machine remotely. If you happen to be off network, without a VPN or direct access, this can be a challenge. Azure Arc allows you to use the OpenSSH protocol to tunnel into the machine via SSH or RDP securely. At this time, Linux can offer single sign-on utilizing Azure Entra ID. This solution allows using Azure RBAC roles and identity to log in instead of sharing passwords or certificates. For Windows Servers, you are prompted for a Remote Desktop credential to access the machines.

We will follow these steps in this article. If you are unfamiliar with Azure ARC, the below link is a great place to start. (Microsoft Learning)

  • Add RBAC Roles
  • Ensure OpenSSH Server is installed
  • For Linux install the Entra ID SSH extension
  • Ensure the Azure CLI is installed on the client machine.
  • Connect to the ARC Enabled machine using Azure CLI for SSH and RDP

Add RBAC Roles

Remote connectivity requires assigning Azure role-based access control (RBAC) roles on the ARC enabled machines. It may be desirable for users to elevate their privileges with Microsoft Entra Privileged Identity Management (PIM) to gain access to these roles for a desired amount of time. Users/Groups need to have one of the roles below assigned to access the machines.

  • Virtual Machine Administrator Login: Users who have this role assigned can sign in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users who have this role assigned can sign in to an Azure virtual machine with regular user privileges.
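An added example (not part of the original article and not Microsoft tooling): a short Python check that reviews which principals hold the two login roles above on an ARC machine and at what scope, using records shaped like the output of az role assignment list --scope <machine resource ID> --include-inherited --output json. The sample records, the names in them and the review policy (grants should target the single machine; administrator login should go through a group) are assumptions made for illustration.

```python
# The two sign-in roles named in this article.
ADMIN_ROLE = "Virtual Machine Administrator Login"
LOGIN_ROLES = {ADMIN_ROLE, "Virtual Machine User Login"}

def scope_level(scope):
    """Classify an Azure scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    for marker, level in (("managementgroups", "management group"), ("providers", "resource"),
                          ("resourcegroups", "resource group"), ("subscriptions", "subscription")):
        if marker in parts:
            return level
    return "unknown"

def audit(assignments):
    """Return (principal, role, level, reasons) for login-role grants that need review."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName")
        if role not in LOGIN_ROLES:
            continue
        level = scope_level(a.get("scope", ""))
        reasons = []
        if level != "resource":  # assumption: grants should target the single machine
            reasons.append("inherited from " + level + " scope")
        if role == ADMIN_ROLE and a.get("principalType") == "User":
            # assumption: administrator sign-in should be granted through a group
            reasons.append("administrator login assigned directly to a user")
        if reasons:
            findings.append((a.get("principalName"), role, level, reasons))
    return findings

# Constructed sample input, shaped like `az role assignment list --output json`.
MACHINE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-arc"
           "/providers/Microsoft.HybridCompute/machines/srv01")
SAMPLE = [
    {"principalName": "Arc-Linux-Operators", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine User Login", "scope": MACHINE},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": ADMIN_ROLE, "scope": MACHINE},
    {"principalName": "All-IT", "principalType": "Group",
     "roleDefinitionName": ADMIN_ROLE, "scope": MACHINE.split("/resourceGroups")[0]},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": MACHINE.split("/providers")[0]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample this reports the direct administrator grant to a user and the administrator grant inherited from the subscription, and passes over the machine-scoped group grant and the unrelated Reader role.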

Before we utilize this new feature, we need to ensure that OpenSSH Server is installed and running on the machine.

Install OpenSSH Server

There are multiple ways to install OpenSSH Server onto an ARC enabled virtual machine.

  1. Use the Azure Portal to install the extension
  2. Use Azure CLI to install the extension
  3. Use Windows Server Apps & Features
    • (Windows Server 2025 has the service installed by default, and just needs to be started.)

Option 1: Use the Azure Portal to install the OpenSSH extension.

Navigate to the Azure ARC machines in the portal and select the machine to add the extension to. Click on Extensions. Search for SSH in the text box to find OpenSSH for Windows – Azure Arc.

Click Next and then click Create to start the deployment. After the deployment is finished the OpenSSH Server service will be installed; see below.

Option 2: Use Azure CLI to install the OpenSSH Server extension

From Azure Cloud Shell or from a machine that has the Azure CLI installed, run the command below. Replace ResourceGroupName, AzureArcVmName and AzureRegion with the values for your ARC machine.

az connectedmachine extension create --name OpenSSH --publisher Microsoft.Azure.OpenSSH --type WindowsOpenSSH --resource-group "ResourceGroupName" --machine-name "AzureArcVmName" --location "AzureRegion"

Option 3: Install on Windows Server using Apps & Features

To install OpenSSH Server on Windows Server 2022, go to Settings and then Apps & features. Click the Optional features link.

Click the Add a feature button.

Search for SSH in the text box.

Click the check box to install OpenSSH Server and then click Install at the bottom of the page.

OpenSSH Server – Running in Windows Server (services.msc)

Connect to the remote server

Connect from a machine that has the Azure CLI installed (see How to install the Azure CLI | Microsoft Learn).

Ensure that you are logged in with the “az login” command first. Make sure to sign in with an account that is part of the group that was granted the RBAC roles above.

RDP for Windows Servers:

az ssh arc --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --resource-group "ResourceGroupName" --name "AzureArcVmName" --local-user Administrator --rdp

The Remote Desktop login prompt should appear, where you can enter your local or Active Directory user credentials to log in to the machine.

SSH for Linux:

To utilize Azure Entra ID for single sign-on, the Azure AD based SSH Login – Azure ARC extension needs to be installed first. This can be done from the command line or from the portal.

Azure Portal:

Command Line:

az connectedmachine extension create --name AADSSHLoginForLinux --publisher Microsoft.Azure.ActiveDirectory --type AADSSHLoginForLinux --resource-group "ResourceGroupName" --machine-name "AzureArcVmName" --location "AzureRegion"

Remote SSH Connection to Linux using EntraID.

az ssh arc --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --resource-group "ResourceGroupName" --name "AzureArcVmName"

This should connect you directly to the Arc Enabled Linux machine without asking for a username, password or requiring a certificate.

Issue the whoami command from the command line; it should show your EntraID username.

Some of the above items are still in preview and may change as the product develops. It is very exciting to see the new features of Azure ARC develop. Stay tuned for more announcements!

About the author

Jeff Pigott is a Senior Cloud Solution Architect at Microsoft, specializing in Azure Infrastructure technologies including Azure Arc, Azure Update Manager, SQL DB, security, and storage. With over 29 years of experience in IT, development, and DevOps, Jeff has worked with a wide range of platforms, tools, and languages. Jeff is passionate about staying up-to-date with the latest Microsoft technologies and services, and holds multiple Azure certifications.