# Install SSH Access

This final step connects P0's SSH integration to your Azure subscription, enabling SSH access requests to Virtual Machines.

{% hint style="warning" %}
Complete [Configure bastion host integration](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/configure-bastion-host-integration) before starting this step. SSH access requires the Bastion host configuration from the previous step.
{% endhint %}

## How SSH subscription filtering works

When you configure SSH access, P0 only shows Azure subscriptions that already have a [Bastion host configured](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/configure-bastion-host-integration). If your subscription does not appear in the list, verify that the Bastion host component is installed for that subscription.

## Virtual machine requirements

Any virtual machine you want to connect to via SSH through P0 must meet the following requirements.

| Requirement                     | Details                                                                                                                                                                                                                                                      |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `AADSSHLoginForLinux` extension | Must be **installed** on each Linux VM. VMs without this extension do not appear in the P0 inventory. See [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux) for installation instructions. |
| Network connectivity            | VMs must be in a virtual network that is either: **the same virtual network** as the Bastion host, or **a peered virtual network** connected to the Bastion's virtual network.                                                                               |

## Virtual network peering

P0 automatically manages virtual network (VNet) peering between the Bastion host's network and the target VM's network when they are in different virtual networks.

* **Session start:** If the Bastion host and the target VM are in different VNets, P0 creates bidirectional VNet peering between them. If they share the same VNet, no peering is needed.
* **Session end:** When an SSH session ends, P0 removes the VNet peering — but only if no other active SSH sessions depend on that same peering.

This ensures that VNet peering exists only while SSH sessions are active, and that concurrent sessions sharing the same peering are not disrupted.
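
The lifecycle above, as a small model you can step through. This is an added illustration, not P0's implementation; the class, method, VNet and session names are hypothetical.

```python
class PeeringTracker:
    """Toy model of the session-scoped peering lifecycle (hypothetical names throughout)."""

    def __init__(self, bastion_vnet):
        self.bastion_vnet = bastion_vnet
        self.sessions = {}     # session id -> VNet of the target VM
        self.peerings = set()  # directed (local VNet, remote VNet) links currently present

    def start_session(self, session_id, vm_vnet):
        self.sessions[session_id] = vm_vnet
        if vm_vnet != self.bastion_vnet:
            # Bidirectional peering: one link per direction. Adding an existing link is a no-op,
            # so a second session to the same VNet reuses the peering.
            self.peerings.add((self.bastion_vnet, vm_vnet))
            self.peerings.add((vm_vnet, self.bastion_vnet))

    def end_session(self, session_id):
        """Return True if ending this session removed a peering."""
        vm_vnet = self.sessions.pop(session_id, None)
        if vm_vnet is None or vm_vnet == self.bastion_vnet:
            return False  # unknown/duplicate end, or same-VNet session that never needed peering
        if vm_vnet in self.sessions.values():
            return False  # another active session still depends on this peering
        self.peerings.discard((self.bastion_vnet, vm_vnet))
        self.peerings.discard((vm_vnet, self.bastion_vnet))
        return True


def replay():
    """Run a constructed timeline and return the number of peering links after each event."""
    t = PeeringTracker("vnet-bastion")
    timeline = [
        ("start", "s1", "vnet-app"),      # first cross-VNet session creates both links
        ("start", "s2", "vnet-app"),      # concurrent session shares them
        ("start", "s3", "vnet-bastion"),  # same VNet as the Bastion: no peering
        ("end", "s1", None),              # s2 is still active, peering stays
        ("end", "s3", None),
        ("end", "s2", None),              # last dependent session: peering removed
        ("end", "s2", None),              # duplicate end event is harmless
    ]
    counts = []
    for kind, sid, vnet in timeline:
        t.start_session(sid, vnet) if kind == "start" else t.end_session(sid)
        counts.append(len(t.peerings))
    return counts


if __name__ == "__main__":
    print(replay())
```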

## Permissions

During setup, P0 creates a custom Azure role scoped to the target subscription. This role grants P0 the permissions needed to manage VM access and VNet peering during SSH sessions.

**Role name:** `P0 Virtual Machine Management - {subscriptionId}`

**Required permissions:**

| Permission                                                        | Purpose                                |
| ----------------------------------------------------------------- | -------------------------------------- |
| `Microsoft.Compute/virtualMachines/read`                          | Read VM metadata                       |
| `Microsoft.Compute/virtualMachines/extensions/read`               | Check for required VM extensions       |
| `Microsoft.Network/networkInterfaces/read`                        | Read VM network interface details      |
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read`   | Read existing VNet peering             |
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write`  | Create VNet peering for SSH sessions   |
| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete` | Remove VNet peering after sessions end |
| `Microsoft.Network/virtualNetworks/peer/action`                   | Authorize VNet peering operations      |
| `Microsoft.Network/bastionHosts/getactivesessions/action`         | Query active Bastion sessions          |

If you enable sudo access, the role also includes `Microsoft.Compute/virtualMachines/loginAsAdmin/action` in addition to the standard `Microsoft.Compute/virtualMachines/login/action`.

## Setup steps

1. In P0, open **Integrations → SSH**.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-fb0ac99120785a4da0b528db33f09a328e50015e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

2. Click **Add account**.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-1fafc3258a271df091c128b1caa10e3595a6988b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

3. Select the Azure subscription you added during IAM management setup. Only subscriptions with a [Bastion host configured](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/configure-bastion-host-integration) appear in this list.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-fcbaaf1a9af35e32efbd08fe5a470f4c6ba22faa%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

4. Run the install commands.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-6a0356df98e1e2d7459f1e1e7926e6329137be14%2Fimage%20(242).png?alt=media" alt=""><figcaption></figcaption></figure>

## Optional settings

* **Grouping tag:** specify a tag to enable group SSH access requests
* **Allow sudo:** toggle whether users can request sudo on target nodes

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-0913a4a07ba8964fef81869a4a03adbb22ee24a0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

If you enable sudo, run the additional shell steps shown to configure sudo access.

When these steps are complete, SSH access is installed. You can now [request SSH access](https://docs.p0.dev/integrations/resource-integrations/microsoft-azure/requesting-access) to Azure VMs through P0.
