Does Azure not support cloud-init? When AWS complained about Ed25519 keys, I just told AWS to not associate any keys at all and just put my key in the cloud-init config. The OS copies the contents from cloud-init to the appropriate authorized_keys file on first boot, and it's none of AWS's business which key (or how many keys) I use to log in to my instances.
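As an added illustration of the approach described above (not code from the original thread), this is a minimal cloud-init user-data document that installs an Ed25519 public key for a named user on first boot and turns off password login. The user name, the key material and the host name are placeholders to be replaced with your own values; `ssh_authorized_keys`, `ssh_pwauth` and `disable_root` are standard cloud-init directives. Because the key is delivered through cloud-init rather than the provider's key-pair API, the provider never has to parse or accept the key type, and no throwaway RSA key is needed for the initial deployment.

```yaml
#cloud-config
# Added example: cloud-init user-data that seeds an Ed25519 key directly.
# Placeholders: "deploy", "AAAA...PLACEHOLDER...", "you@laptop", "web-01".
hostname: web-01

# No password-based SSH login; keys only.
ssh_pwauth: false

# Keep root unreachable over SSH; use the unprivileged user with sudo instead.
disable_root: true

users:
  - name: deploy
    groups: [sudo]
    shell: /bin/bash
    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
    # cloud-init writes each entry below to /home/deploy/.ssh/authorized_keys
    # on first boot. Any key type sshd understands is fine here, including
    # ed25519, because the cloud provider's key-pair API is not involved.
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...PLACEHOLDER... you@laptop
```

After the instance is up, `sudo cloud-init status --long` on the guest reports whether the first-boot modules (including the `users-groups` and `ssh` modules) completed, and `/var/log/cloud-init.log` shows the key being written; if the provider image does not ship cloud-init, the `users:` section is silently ignored and the only access path is whatever key the provider injected.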
That seems like specifically Azure DevOps, not the Azure platform generally? I assume any OS running inside Azure Compute, or any other managed services will support Ed25519 fine?
But once you've created the VM you can log in and replace that RSA key with an ED25519 one just like any standard Linux install, via ssh-copy-id or manually updating authorized_keys or whatever you want. So you just need a throwaway RSA key for the initial deployment.
It's probably because FIPS 140-2 doesn't list it. I know that on machines booted with fips=1 and a FIPS-certified OpenSSL, etc., OpenSSH won't accept ed25519 keys for key auth.
Turns out they didn’t even support it until ~2021.
These instances were created before then. It took quite a while to figure out what was going on.