Document Details

Quick Create Confidential Vm Azure Cli
Home / Scan #41 / Quick Create Confidential Vm Azure Cli
Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types
powershell_heavy
windows_tools
missing_linux_example
Summary
The documentation page demonstrates a bias towards Windows and PowerShell in the sections related to customer-managed keys and disk encryption set configuration. Several steps use PowerShell scripting and Windows-specific tools (e.g., Microsoft Graph PowerShell SDK) without providing equivalent Bash or Linux-native alternatives, despite the overall focus on Azure CLI and the fact that confidential VMs are often Linux-based. Some commands mix Azure CLI and PowerShell, which may confuse Linux users or those working in Bash environments. The attestation section is Linux-focused, but earlier critical steps lack Linux parity.
Recommendations
  • Provide Bash/Linux shell equivalents for all PowerShell-based steps, especially for Azure AD and Microsoft Graph operations.
  • Avoid using PowerShell-specific constructs (e.g., Out-String, ConvertFrom-Json, $variable assignment) in CLI-focused documentation unless a Linux/Bash alternative is also shown.
  • Clearly indicate when a step is Windows-only or provide both Windows (PowerShell) and Linux (Bash) instructions side-by-side.
  • For steps requiring Microsoft Graph, link to or provide instructions for using the Microsoft Graph CLI or REST API from Bash.
  • Ensure that all scripting examples are runnable in Azure Cloud Shell (Bash) or on a typical Linux system, or provide explicit guidance for Linux users.
GitHub Create Pull Request

Scan History

Date Scan Status Result
2025-07-12 23:44 #41 cancelled Biased Biased
2025-07-12 00:58 #8 cancelled Clean Clean
2025-07-10 05:06 #7 processing Clean Clean

Flagged Code Snippets

3. Give `Confidential VM Orchestrator` permissions to `get` and `release` the key vault.
  
Make a note of the `publicIpAddress` to use later.

## Create Confidential virtual machine using a Customer Managed Key

To create a confidential [disk encryption set](/azure/virtual-machines/linux/disks-enable-customer-managed-keys-cli), you have two options: Using [Azure Key Vault](/azure/key-vault/general/quick-create-cli) or [Azure Key Vault managed Hardware Security Module (HSM)](/azure/key-vault/managed-hsm/quick-create-cli). Based on your security and compliance needs you can choose either option. However, it is important to note that the standard SKU is not supported. The following example uses Azure Key Vault Premium.

1. Grant confidential VM Service Principal `Confidential VM Orchestrator` to tenant.
For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. [Install Microsoft Graph SDK](/powershell/microsoftgraph/installation) to execute the commands below.