Monday, March 21, 2022

New updates to Group Managed Service Accounts (gMSA 1.3.0) on Azure Kubernetes Service

Customers are finding value in using group Managed Service Accounts (gMSA) for Windows containers on Azure Kubernetes Service. The gMSA PowerShell module has enabled a smooth and easy process for deploying gMSA on Azure Kubernetes Service. It requires only a couple of user-specified variables, and the script deploys the resources once they are provided. We have taken the feedback given by this community to release another version of the gMSA PowerShell module (1.3.0).


Improving the experience on gMSA

To improve the experience for gMSA, we have released a script that builds a test environment with Azure Kubernetes Service for gMSA purposes. To set up gMSA on AKS, you need to create an Azure vNet, an AKS cluster, and a VM working as a Domain Controller; both the Windows nodes on your AKS cluster and the Domain Controller must be on the same vNet. Because creating all these resources to set up gMSA is complex, the script helps automate these steps.


Azure Key Vault Plugin for gMSA is now open sourced

Microsoft is excited to announce the release of a new open-source repository housing our Azure Key Vault Plugin used for Group Managed Service Accounts (gMSA) for Windows Containers. This plugin helps connect the Container Credential Guard (CCG) component on the node with Azure Key Vault to facilitate domain-joining nodes. Customers can now leverage this codebase as a reference to develop their own plugins to connect to Azure Key Vault as part of their gMSA solution. Additionally, our Container Credential Guard (CCG) API is also available for customers to use in their solutions.

Learn about our new GitHub repository and contribute here:


Recent changes to gMSA module

New improvements were made to the module, such as new validation code based on the updated Azure resource group names. This allows users to add underscores to their resource group names. The previous module (1.2.3) reported an error with the CCG AKV plug-in based on a specified port, which required a workaround. This has been resolved in version 1.3.0 of the gMSA PowerShell module.


We will continue to make the necessary improvements in the gMSA PowerShell module to enhance your customer experience and simplify the deployment process. We are incredibly thankful for the feedback we continue to receive from this community. As always, please tell us about your experience and do not hesitate to reach out if you have any questions - either below in the comments section or on our GitHub repo.


Thank you!
Siddique Juman, Judy Liu, Margarit Chenchev, Muzz Imam