How can I get the ssh host key for a new Azure Linux VM created using PowerShell?

How can I get the ssh host key for a new Azure Linux VM created using PowerShell?


Old question, but for newcomers there is nowadays an alternative available by using run-command in Azure CLI. There is probably an equivalent for PowerShell too, but I have not investigated that.

az vm run-command invoke --name <your-vm-name> --command-id RunShellScript --scripts "cat /etc/ssh/ssh_host_ecdsa_key.pub"

will output a json document from which you can extract the public key. Beware though that this process is incredibly slow (~30 seconds per host), but you only need to run it once. See this gist for an example of how to update the known_hosts file with Ansible.


You can use a new "Run Command" feature of Azure Portal.

  • In your Virtual Machine page, go to "Run command" in "Operations" section of VM menu.
  • Select "RunShellScript" command.
  • Paste the following command:

    for f in /etc/ssh/ssh_host_*_key; do ssh-keygen -l -f "$f"; done
  • You will get an output like:

    Enable succeeded: 
    [stdout]
    256 SHA256:bKKCom8yh5gOuBNWaHHJ3rrnRXmCOAyPN/WximYEPAU /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    256 SHA256:IYeDl+gseYk46Acg4g2mcXGvCr7Z8FqOd+pCJz/KLHg /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    2048 SHA256:rA0lIXvHqFq7VHKQCqHwjsj28kw+tO0g/X4KnPpEjMk root@myazurevm (RSA)
    [stderr]

    (the set of key types will vary with your VM image)


The feature can also be used via Azure CLI, as shown in the link above and also in the answer by @mwik.


Check also my complete guide to Connecting securely to Microsoft Azure service with SFTP.
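The two answers above both end with the same [stdout]/[stderr] message (the Portal shows it directly, `az vm run-command invoke` wraps it in JSON) and leave extracting the key to the reader. The following is an added example, not code from the page or from either answer, that turns that output into known_hosts lines. It assumes the CLI's JSON has the shape `{"value": [{"message": "Enable succeeded: \n[stdout]\n...\n[stderr]\n"}]}`, that the script run on the VM was `cat /etc/ssh/ssh_host_*_key.pub` rather than the `ssh-keygen -l` loop, and it uses constructed placeholder keys (valid wire format, no real key material) as sample input. The `[host]:port` form is what ssh(1) expects in known_hosts when the VM is reached through a NAT rule on a port other than 22.

```python
"""Build known_hosts entries from the output of `az vm run-command invoke`.

Added example, not code from the page or its answers. Assumed JSON shape:
{"value": [{"message": "Enable succeeded: \\n[stdout]\\n...\\n[stderr]\\n..."}]}
(the same [stdout]/[stderr] message the Portal shows), with the VM script
being `cat /etc/ssh/ssh_host_*_key.pub`.
"""
import base64
import json
import struct

# Key types ssh(1) accepts in a known_hosts line.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def extract_stdout(message: str) -> str:
    """Return the [stdout] section of a run-command message."""
    start = message.find("[stdout]")
    end = message.find("[stderr]", start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("unexpected run-command message layout")
    return message[start + len("[stdout]"):end]


def blob_key_type(blob: bytes) -> str:
    """The first length-prefixed string of an SSH public key blob is its type."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def public_keys(text: str) -> list:
    """Pick the 'type base64 [comment]' lines out of the VM's stdout, strictly."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # ignore blank lines, shell noise and ssh-keygen -l output
        blob = base64.b64decode(parts[1], validate=True)  # reject mangled base64
        if blob_key_type(blob) != parts[0]:
            raise ValueError(f"declared type {parts[0]} does not match key blob")
        keys.append((parts[0], parts[1]))
    return keys


def known_hosts_entries(az_json: str, host: str, port: int = 22) -> list:
    """One known_hosts line per host key; non-22 ports use the [host]:port form."""
    data = json.loads(az_json)
    stdout = extract_stdout(data["value"][0]["message"])
    hostpat = host if port == 22 else f"[{host}]:{port}"
    return [f"{hostpat} {ktype} {b64}" for ktype, b64 in public_keys(stdout)]


# ---- constructed sample input (no real VM, no real key material) ----
def placeholder_key_line(key_type: str) -> str:
    """A wire-format-valid but cryptographically meaningless public key line."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", 32) + bytes(32))
    return f"{key_type} {base64.b64encode(blob).decode()} root@myazurevm"


SAMPLE_AZ_OUTPUT = json.dumps({"value": [{
    "code": "ProvisioningState/succeeded",
    "level": "Info",
    "message": "Enable succeeded: \n[stdout]\n"
               + "\n".join(placeholder_key_line(t) for t in
                           ("ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa"))
               + "\n[stderr]\n",
}]})

if __name__ == "__main__":
    for entry in known_hosts_entries(SAMPLE_AZ_OUTPUT,
                                     "myvm.westeurope.cloudapp.azure.com"):
        print(entry)
```

Append the returned lines to `~/.ssh/known_hosts` before the first connection; a declared type that does not match the blob is treated as an error rather than skipped, because a silently dropped key leaves you back at the trust-on-first-use prompt you were trying to avoid.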


The RSA, DSA, ECDSA, and ED25519 keys are generated on first boot, and available in the boot diagnostics log.

(images: "Key generation", "Key listing")

If you don't catch it on the first boot, I don't think it's listed anywhere else in the portal. There's only one feasible, secure option of which I can think for recovering the fingerprint for an already-deployed VM.

  1. Create a new VM.

  2. Attach the VHD of the VM for which you need the fingerprint.

  3. Verify your connection to the new VM using the fingerprint in the boot diagnostics.

  4. Check the fingerprint for the generated /etc/ssh/ssh_host_rsa_key.pub file on the other disk.

    ssh-keygen -lf /{path}/ssh_host_rsa_key.pub

You may need to add the -E md5 switch if you need the hexadecimal encoded MD5 hash.

PowerShell

To get the boot diagnostics data via PowerShell:

Get-AzureRmVMBootDiagnosticsData -ResourceGroupName ExampleGroup -Name TestLab -Linux

Connecting with Putty

Azure computes the host key fingerprints as a Base64 encoded string of the SHA-256 hash of the public key. When you attempt to connect using Putty, it presents the fingerprint as a hexadecimal encoded string of the MD5 hash of the public key.

Fortunately, Azure also lists the full public key in the boot diagnostics log, where it says BEGIN SSH HOST KEY KEYS in the second image. With that, we can manually compute the fingerprint as presented by Putty.

C#

using System;
using System.Security.Cryptography;

static string ComputeMD5FingerprintFromBase64(string encoded)
{
    // Convert Base64 string to byte array.
    byte[] pub = Convert.FromBase64String(encoded);
    // Compute MD5 hash.
    HashAlgorithm md5 = MD5.Create();
    byte[] hash = md5.ComputeHash(pub);
    // Putty shows the same bytes in lower-case hex; compare case-insensitively.
    return BitConverter.ToString(hash).Replace('-', ':');
}

Windows

For instructions on securely connecting to a Windows VM with RDP, see my answer on this StackOverflow question.
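The C# function above produces only the MD5 form, and the boot diagnostics block still has to be located by hand. The following added example (not code from the page or from the answer's author) does both: it pulls the public key lines out of a boot diagnostics log and prints each key's fingerprint in the SHA-256 form Azure and `ssh-keygen -l` show and in the MD5 form Putty shows. The log layout is assumed to be the cloud-init block named in the answer, OpenSSH one-line public keys between `-----BEGIN SSH HOST KEY KEYS-----` and `-----END SSH HOST KEY KEYS-----`. The sample log is constructed; GitHub's published ssh-ed25519 host key stands in for the VM's key so the SHA-256 result can be checked against GitHub's published fingerprint.

```python
"""Host key fingerprints from an Azure boot diagnostics log.

Added example, not from the page. Assumed log layout: OpenSSH public key
lines between the cloud-init BEGIN/END SSH HOST KEY KEYS markers.
"""
import base64
import hashlib
import struct

BEGIN = "-----BEGIN SSH HOST KEY KEYS-----"
END = "-----END SSH HOST KEY KEYS-----"


def host_key_block(log: str) -> list:
    """Return the public key lines between the BEGIN and END markers."""
    lines = [l.strip() for l in log.splitlines()]
    try:
        start = lines.index(BEGIN) + 1
        end = lines.index(END, start)
    except ValueError:
        raise ValueError("no SSH HOST KEY KEYS block in log") from None
    return [l for l in lines[start:end] if l]


def fingerprints(pubkey_line: str) -> dict:
    """Fingerprint one 'type base64 [comment]' line as OpenSSH and Putty do."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own type string; it must agree with the declared one.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type mismatch in public key line")
    # OpenSSH / Azure: base64 of SHA-256 over the raw blob, padding stripped.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # Putty: MD5 over the same blob, shown as colon-separated hex pairs.
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        "sha256": "SHA256:" + sha,
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


def fingerprints_from_log(log: str) -> list:
    """All host key fingerprints found in a boot diagnostics log."""
    return [fingerprints(line) for line in host_key_block(log)]


# Real values used as a known-answer check: GitHub's published ssh-ed25519
# host key and the SHA-256 fingerprint GitHub publishes for it.
GITHUB_ED25519 = ("ssh-ed25519 "
                  "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl")
GITHUB_ED25519_SHA256 = "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"

# Constructed boot diagnostics excerpt (not a real VM's log); the GitHub key
# stands in for the VM's ed25519 host key.
SAMPLE_LOG = f"""
(unrelated console output before the key block)
{BEGIN}
{GITHUB_ED25519} root@myazurevm
{END}
(unrelated console output after the key block)
"""

if __name__ == "__main__":
    for fp in fingerprints_from_log(SAMPLE_LOG):
        print(fp["type"], fp["sha256"], "Putty:", fp["md5"])
```

Both fingerprints are computed over the decoded blob, not over the base64 text, which is why the function decodes first; hashing the ASCII line is the usual mistake when the Putty value refuses to match.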