---
title: Azure instance using basic authentication
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure instance using basic authentication

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `e2d834b7-8b25-4935-af53-4a60668dcbe0`

**Cloud Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-linux_config/disable_password_authentication)

### Description{% #description %}

Linux virtual machines must require SSH key authentication instead of username/password. Password-based login is susceptible to brute-force attacks and credential compromise, which can lead to unauthorized access and lateral movement.

For Ansible `azure_rm_virtualmachine` resources, ensure `ssh_password_enabled` is set to `false` and `linux_config.disable_password_authentication` is set to `true` so only SSH key authentication is allowed. This rule applies to resources intended to be Linux VMs (where `os_type` is `"linux"` or unspecified). Resources missing these properties or that allow password authentication are flagged.

Secure example configuration:

```yaml
- name: Create Linux VM with SSH keys only
  azure_rm_virtualmachine:
    name: my-linux-vm
    resource_group: my-rg
    os_type: Linux
    ssh_password_enabled: false
    linux_config:
      disable_password_authentication: true
    ssh_public_keys:
      - path: /home/azureuser/.ssh/authorized_keys
        key_data: "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
---
- name: Create a VM with a custom image
  azure_rm_virtualmachine:
    resource_group: myResourceGroup
    name: testvm001
    vm_size: Standard_DS1_v2
    ssh_password_enabled: false
    ssh_public_keys:
      - path: ~/.ssh/id_rsa.pub
        key_data: somegeneratedkeydata
    image: customimage001
    os_type: Linux
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create a VM with a custom image
  azure_rm_virtualmachine:
    resource_group: myResourceGroup
    name: testvm001
    vm_size: Standard_DS1_v2
    admin_username: adminUser
    admin_password: password01
    image: customimage001
    os_type: Linux
```
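
The check described under Description, sketched as a Python function over already-parsed playbook tasks. This is an added example, not Datadog's rule code; the function names and sample tasks are constructed here. It assumes a task passes when at least one of the two settings disables passwords and neither explicitly allows them, which is the reading consistent with the compliant example above.

```python
# Added example: static check over parsed Ansible tasks (not Datadog's rule code).
MODULES = ("azure_rm_virtualmachine", "azure.azcollection.azure_rm_virtualmachine")

def as_bool(value):
    """Map Ansible-style booleans to True/False; None if unset or templated."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        low = value.strip().lower()
        if low in ("true", "yes", "on", "1"):
            return True
        if low in ("false", "no", "off", "0"):
            return False
    return None

def check_task(task):
    """Return a list of findings for one task dict (empty list = passes)."""
    vm = next((task[m] for m in MODULES if isinstance(task.get(m), dict)), None)
    if vm is None:
        return []  # not an Azure VM task
    if str(vm.get("os_type") or "linux").lower() != "linux":
        return []  # the rule covers Linux (or unspecified) VMs only
    linux_config = vm.get("linux_config")
    if not isinstance(linux_config, dict):
        linux_config = {}
    ssh_pw = as_bool(vm.get("ssh_password_enabled"))
    no_pw = as_bool(linux_config.get("disable_password_authentication"))
    findings = []
    if ssh_pw is True:
        findings.append("ssh_password_enabled is true")
    if no_pw is False:
        findings.append("linux_config.disable_password_authentication is false")
    if not findings and ssh_pw is not False and no_pw is not True:
        findings.append("password authentication is not disabled by either setting")
    return findings

# Constructed sample tasks, written as the dicts a YAML loader would produce.
SAMPLE_TASKS = [
    {"name": "keys only", "azure_rm_virtualmachine": {
        "name": "my-linux-vm", "os_type": "Linux", "ssh_password_enabled": False,
        "linux_config": {"disable_password_authentication": True}}},
    {"name": "password login", "azure_rm_virtualmachine": {
        "name": "testvm001", "os_type": "Linux",
        "admin_username": "adminUser", "admin_password": "password01"}},
    {"name": "windows", "azure_rm_virtualmachine": {"name": "win01", "os_type": "Windows"}},
]

def scan(tasks):
    """Map task name -> findings, for the tasks that fail the check."""
    return {t.get("name", "?"): f for t in tasks if (f := check_task(t))}
```

A value that is templated (for example a Jinja expression) resolves to `None` in `as_bool`, so it is never counted as proof that passwords are disabled.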
