VMSS password-based authentication is enabled

April 4, 2026 · View on GitHub

SYNOPSIS

Use SSH keys instead of passwords to protect virtual machine scale sets against credential-based attacks.

DESCRIPTION

Linux virtual machine scale sets should have password authentication disabled to help eliminate password-based attacks.

RECOMMENDATION

Consider disabling password-based authentication on Linux VM scale sets and using SSH public keys instead.

EXAMPLES

Configure with Azure template

To deploy a virtual machine scale set that passes this rule:

  • Set the properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.

For example (the ssh.publicKeys entry also needs the administrator's public key in keyData, which is omitted from the snippet below; without it no login credential is provisioned once passwords are disabled):

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2024-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Standard_D8d_v5",
    "tier": "Standard",
    "capacity": 3
  },
  "properties": {
    "overprovision": true,
    "upgradePolicy": {
      "mode": "Automatic"
    },
    "singlePlacementGroup": true,
    "virtualMachineProfile": {
      "storageProfile": {
        "osDisk": {
          "caching": "ReadWrite",
          "createOption": "FromImage"
        },
        "imageReference": {
          "publisher": "MicrosoftCblMariner",
          "offer": "Cbl-Mariner",
          "sku": "cbl-mariner-2-gen2",
          "version": "latest"
        }
      },
      "osProfile": {
        "adminUsername": "[parameters('adminUsername')]",
        "computerNamePrefix": "vmss-01",
        "linuxConfiguration": {
          "disablePasswordAuthentication": true,
          "provisionVMAgent": true,
          "ssh": {
            "publicKeys": [
              {
                "path": "/home/azureuser/.ssh/authorized_keys"
              }
            ]
          }
        }
      },
      "networkProfile": {
        "networkInterfaceConfigurations": [
          {
            "name": "vmss-001",
            "properties": {
              "primary": true,
              "enableAcceleratedNetworking": true,
              "ipConfigurations": [
                {
                  "name": "ipconfig1",
                  "properties": {
                    "primary": true,
                    "subnet": {
                      "id": "[parameters('subnetId')]"
                    },
                    "privateIPAddressVersion": "IPv4",
                    "loadBalancerBackendAddressPools": [
                      {
                        "id": "[parameters('backendPoolId')]"
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy a virtual machine scale set that passes this rule:

  • Set the properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.

For example (the ssh.publicKeys entry also needs the administrator's public key in keyData, which is omitted from the snippet below; without it no login credential is provisioned once passwords are disabled):

// Linux virtual machine scale set whose admin account accepts SSH public keys only:
// password logins are rejected via disablePasswordAuthentication below.
// Parameters referenced here (name, location, adminUsername, subnetId, backendPoolId)
// are declared outside this snippet.
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = {
  name: name
  location: location
  // System-assigned managed identity for the scale set.
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard_D8d_v5'
    tier: 'Standard'
    capacity: 3
  }
  properties: {
    overprovision: true
    upgradePolicy: {
      mode: 'Automatic'
    }
    singlePlacementGroup: true
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          caching: 'ReadWrite'
          createOption: 'FromImage'
        }
        // Linux image; this rule applies to Linux scale sets.
        imageReference: {
          publisher: 'MicrosoftCblMariner'
          offer: 'Cbl-Mariner'
          sku: 'cbl-mariner-2-gen2'
          version: 'latest'
        }
      }
      osProfile: {
        adminUsername: adminUsername
        computerNamePrefix: 'vmss-01'
        linuxConfiguration: {
          // The property this rule evaluates: true means the admin account
          // cannot be reached with a password, only with an SSH key.
          disablePasswordAuthentication: true
          provisionVMAgent: true
          ssh: {
            // NOTE(review): only the authorized_keys path is given here; a deployable
            // template also supplies the administrator's public key in keyData,
            // otherwise no credential is provisioned once passwords are disabled —
            // confirm against the full template this example is taken from.
            publicKeys: [
              {
                path: '/home/azureuser/.ssh/authorized_keys'
              }
            ]
          }
        }
      }
      networkProfile: {
        networkInterfaceConfigurations: [
          {
            name: 'vmss-001'
            properties: {
              primary: true
              enableAcceleratedNetworking: true
              ipConfigurations: [
                {
                  name: 'ipconfig1'
                  properties: {
                    primary: true
                    // Instances are placed on a private subnet and fronted by a
                    // load balancer backend pool; no public IP is configured here.
                    subnet: {
                      id: subnetId
                    }
                    privateIPAddressVersion: 'IPv4'
                    loadBalancerBackendAddressPools: [
                      {
                        id: backendPoolId
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}