Azure Disk Encryption without Azure AD

Question

According to Microsoft's documentation and examples, it should be possible to configure Azure Disk Encryption without using Azure AD; for example at https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows we have the following:

 $rgName = 'MySecureRg';
 $vmName = 'MySecureVM';
 $KeyVaultName = 'MySecureVault';
 $KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname;
 $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
 $KeyVaultResourceId = $KeyVault.ResourceId;

 Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

However, when we attempt to run this script (replacing the variable values with our own names, of course) we get:

Set-AzureRmVmDiskEncryptionExtension : The input object cannot be bound because it did not contain the information
required to bind all mandatory parameters:  AadClientID AadClientSecret

Reviewing the documenation for Set-AzureRmVmDiskEncryptionExtension we once again see several examples given which do not use Azure AD, including and very explicitly Example 1 (which is a mere variant on the above) which states:

This example demonstrates enabling encryption without specifying AD credentials.

So: is there something missing here? Do we have a way to enable disk encryption without using Azure AD, or are the documentation and examples in error, and we do absolutely need Azure AD?

Supplementary info:

Azure Powershell is at the latest version.
Azure Disk Encryption with Azure AD App was not used in the past.
I have reviewed "The solution doesn't support the following scenarios, features, and technology" section in the overview documentation and confirm that none of the unsupported cases apply.

i would suggest updating azure powershell to latest version and trying again — 4c74356b41, Jan 23 '19 at 12:24

score 2 · Answer 1 · answered Jan 23 '19 at 12:31

I cannot add a comment, so I'll do it this way. Have you used the Azure Disk Encryption with Azure AD app in the past? Then you won't be able to use the command without Azure AD.

Warning If you have previously used Azure Disk Encryption with Azure AD app to encrypt this VM, you will have to continue use this option to encrypt your VM. You can’t use Azure Disk Encryption on this encrypted VM as this isn’t a supported scenario, meaning switching away from AAD application for this encrypted VM isn’t supported yet.

The answer is "no"; this is first contact with Azure Disk Encryption in any form. I'll update the question. — Maximus Minimus, Jan 23 '19 at 14:05

score 1 · Accepted Answer · answered Jan 24 '19 at 17:38

We resolved this in conjunction with MS Azure Support using the Azure Quickstart Template at https://azure.microsoft.com/en-us/resources/templates/201-encrypt-running-windows-vm-without-aad/ ("Enable encryption on a running Windows VM without AAD").

The missing piece of information was that we had to generate a key in our Key Vault, then access the key's current version, retrieve it's Key Identifier Url, and provide that as input to the template (in the "Key Encryption Key URL" field).

It seems that this would also be resolvable by providing the appropriate KEK params to the original Powershell script, but we haven't yet tested this.

The conclusion seems to be that the KEK stuff, despite being marked as optional, is actually mandatory if you wish to encrypt without AAD.

Azure Disk Encryption without Azure AD

2 Answers2