Revised local Administrator account prerequisite #4048
Conversation
|
@ManikaDhiman : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
|
Learn Build status updates of commit dfca0ef: ✅ Validation status: passed
For more details, please refer to the build report. |
|
Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
prmerger-automator
bot
added
the
aq-pr-triaged
There was a problem hiding this comment.
Pull request overview
This PR revises the local administrator account prerequisite documentation for deploying Azure Local with local identity using Azure Key Vault. The changes improve clarity and structure while adding important guidance about credential management.
- Updated the documentation date to reflect recent changes (12/16/2025)
- Removed commented-out contact information section
- Restructured the local administrator account prerequisite into a clearer, more detailed format with explicit sub-requirements
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - Create a local user account and add it to the local Administrators group. | ||
| - Do not use the built-in Administrator account. | ||
| - Use the same credentials for this account across all nodes in the cluster. | ||
| - This account is required for cluster management operations, such as adding or repairing a node, to enable authentication and changes across all nodes. For instructions, see [Add a node](../manage/add-server.md) and [Repair a node](../manage/repair-server.md). | ||
| - You are responsible for creating and maintaining this account after the base operating system (OS) setup. This includes credential expiration, rotation, and security. |
There was a problem hiding this comment.
The documentation requires creating a single local administrator account and reusing the exact same high-privilege credentials across all nodes, which creates a shared credential that greatly increases the blast radius of any compromise. If an attacker obtains this password on one node (for example via credential dumping), they can authenticate as local admin to every other node in the cluster and fully control cluster management operations. Consider recommending a centrally managed identity or per-node credentials with a secure management solution, or at minimum documenting compensating controls such as strong rotation policies, restricted use, and network access limitations for this account.
| - Create a local user account and add it to the local Administrators group. | |
| - Do not use the built-in Administrator account. | |
| - Use the same credentials for this account across all nodes in the cluster. | |
| - This account is required for cluster management operations, such as adding or repairing a node, to enable authentication and changes across all nodes. For instructions, see [Add a node](../manage/add-server.md) and [Repair a node](../manage/repair-server.md). | |
| - You are responsible for creating and maintaining this account after the base operating system (OS) setup. This includes credential expiration, rotation, and security. | |
| - Create a local user account and add it to the local Administrators group on each node. | |
| - Do not use the built-in Administrator account. | |
| - We recommend using unique, strong credentials per node and managing them with a secure solution such as Microsoft Local Administrator Password Solution (LAPS) or an equivalent password management service, instead of reusing the same password across nodes. | |
| - This account must exist on every node and is required for cluster management operations, such as adding or repairing a node, to enable authentication and changes across all nodes. For instructions, see [Add a node](../manage/add-server.md) and [Repair a node](../manage/repair-server.md). If you choose to reuse the same credentials across nodes for operational reasons, you must apply strict compensating controls, including strong password complexity, frequent rotation, limited network access to management interfaces, and monitoring of administrative logons. | |
| - You are responsible for creating and maintaining this account after the base operating system (OS) setup. This includes credential expiration, rotation, access control, and overall security. |
|
Learn Build status updates of commit d4b2ebb: ✅ Validation status: passed
For more details, please refer to the build report. |
3 participants
No description provided.