24 changes: 15 additions & 9 deletions azure-local/deploy/deployment-local-identity-with-key-vault.md
Expand Up @@ -3,7 +3,7 @@ title: Deploy Azure Local, version 23H2 using local identity with Azure Key Vaul
description: Learn how to use local identity with Azure Key Vault for Azure Local, version 23H2 deployment (Preview).
author: alkohli
ms.topic: how-to
ms.date: 12/11/2025
ms.date: 12/17/2025
ms.author: alkohli
ms.reviewer: alkohli
ms.service: azure-local
Expand All @@ -16,8 +16,6 @@ ms.custom: sfi-image-nochange

This article describes how to use local identity with Azure Key Vault for Azure Local deployment.

<!--If you have questions or need further information, contact the product team at [azurelocalidentity@microsoft.com](mailto:azurelocalidentity@microsoft.com). To learn how Microsoft collects, uses, and protects your personal data, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).-->

[!INCLUDE [important](../includes/hci-preview.md)]

## Overview
Expand All @@ -44,16 +42,22 @@ Using local identity with Key Vault on Azure Local offers several benefits, part

- Satisfy the [prerequisites and complete deployment checklist](./deployment-prerequisites.md). Skip the AD-specific prerequisites.

- Create a local user account with the same credentials across all nodes and add it to the local administrators group, instead of using the built-in administrator account.

- Create a local administrator account with identical credentials on every node in the cluster. This requirement ensures that add and repair node operations can successfully authenticate and execute across all nodes. For instructions, see [Add a node](../manage/add-server.md) and [Repair a node](../manage/repair-server.md).
- Create a local administrator account:
- Create a local user account and add it to the local Administrators group. **Do not use the built-in Administrator account.**
- **Using SConfig.** Select option `3` for **Add local administrator**. Enter a username and a strong password. Ensure that the password follows Azure password length and complexity requirements. Use a password that is at least 14 characters long and contains a lowercase character, an uppercase character, a numeral, and a special character.
- **Using PowerShell.** Use [`New-LocalUser`](/powershell/module/microsoft.powershell.localaccounts/new-localuser) to create a local user account. Then use [`Add-LocalGroupMember`](/powershell/module/microsoft.powershell.localaccounts/add-localgroupmember) to add members to the local group.
- Use the same credentials for this account across all nodes in the cluster.
- This account is required for cluster management operations, such as adding or repairing a node, to authenticate and apply changes across all nodes. For instructions, see [Add a node](../manage/add-server.md) and [Repair a node](../manage/repair-server.md).
- You are responsible for creating and maintaining this account after the base operating system (OS) setup. This includes credential expiration, rotation, and security.

- Download the Azure Local software. See [Download operating system for Azure Local deployment](./download-23h2-software.md).

- The nodes require static IP addresses and don't support DHCP. After the OS is installed, use SConfig to set the static IP address, subnet, gateway, and DNS.

- Have a DNS server with a properly configured zone. This setup is crucial for the network to function correctly. See [Configure DNS server for Azure Local](#configure-dns-server-for-azure-local).

- Enable SSH on each node for remote access from the Azure portal. For instructions, see [SSH access to Azure Arc-enabled servers](/azure/azure-arc/servers/ssh-arc-overview?tabs=azure-cli).

## Configure DNS server for Azure Local

Follow these steps to configure DNS for Azure Local:
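Review bot: the PowerShell bullet in the new "Create a local administrator account" list names `New-LocalUser` and `Add-LocalGroupMember` but gives no command, while the SConfig bullet beside it is step-by-step; since the whole point of the list is identical credentials on every node, show the commands so they can be pasted on each node, e.g. `$cred = Get-Credential`, then `New-LocalUser -Name $cred.UserName -Password $cred.Password`, then `Add-LocalGroupMember -Group Administrators -Member $cred.UserName`. Related gap: the last bullet makes the reader responsible for credential expiration and rotation, but nothing in the list says whether the password should be set to expire (New-LocalUser's `-PasswordNeverExpires` switch) or what the add-node and repair-node operations do when the password has expired or drifted on one node; state that, since an expired password on a single node breaks the "same credentials across all nodes" requirement silently. Minor: "Azure password length and complexity requirements" is asserted and then restated as 14 characters plus four character classes without a link; cite the requirement the deployment actually enforces rather than paraphrasing it.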
Expand Down Expand Up @@ -124,11 +128,13 @@ The general deployment steps are the same as those outlined in [Deploy an Azure

## Post-deployment steps

After deploying the system, confirm the deployment was AD-less and verify that secrets are being backed up to Key Vault.
After deploying the system, confirm the deployment was without AD (AD-less) and verify that secrets are backed up to Key Vault. You can connect to the cluster nodes in several ways:

### Confirm the system was deployed without Active Directory
- Connect locally on the site.
- Connect remotely through an existing Baseboard Management Controller (BMC) solution.
- Connect remotely through the Azure portal using an Azure Arc connection with SSH enabled, as described in [Prerequisites](#prerequisites).

After deploying the system, confirm the deployment was without AD (AD-less).
### Confirm the system was deployed without Active Directory

1. Confirm the node isn't joined to an AD domain by running the following command. If the output shows `WORKGROUP`, the node isn't domain-joined.

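Review bot: the domain check under the new "Confirm the system was deployed without Active Directory" heading is phrased for a single node ("Confirm the node isn't joined to an AD domain"), but the connection list just added above it sends the reader to any one node by console, BMC or Arc SSH; say explicitly that the `WORKGROUP` check is run on every node in the cluster, because one node left domain-joined would not show up when only the node you happened to connect to is checked. Minor: "confirm the deployment was without AD (AD-less)" reads awkwardly; "confirm the deployment is AD-less" is enough, since AD-less is already the term the page uses.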