diff --git a/base/comps/azurelinux-release/50-permit-root-login.conf b/base/comps/azurelinux-release/50-permit-root-login.conf
new file mode 100644
index 00000000000..63d18c0ecf2
--- /dev/null
+++ b/base/comps/azurelinux-release/50-permit-root-login.conf
@@ -0,0 +1,2 @@
+# Explicitly disable root login over SSH.
+PermitRootLogin no
diff --git a/base/comps/azurelinux-release/azurelinux-release.spec b/base/comps/azurelinux-release/azurelinux-release.spec
index 7efc9aec983..88969fcb832 100644
--- a/base/comps/azurelinux-release/azurelinux-release.spec
+++ b/base/comps/azurelinux-release/azurelinux-release.spec
@@ -36,7 +36,7 @@ Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        4.0
 # TODO(azl): Review whether we can move back to autorelease (with conditional -p)
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 URL:            https://aka.ms/azurelinux
 
@@ -54,6 +54,7 @@ Source20:       chrony-azure.conf
 Source21:       50-azure-cloud.conf
 Source22:       70-azurelinux-hardening.conf
 Source23:       50-client-alive-interval.conf
+Source24:       50-permit-root-login.conf
 
 BuildArch:      noarch
 
@@ -316,6 +317,8 @@ ln -s ../usr/lib/issue.net %{buildroot}%{_sysconfdir}/issue.net
 # Create /etc/issue.d
 mkdir -p %{buildroot}%{_sysconfdir}/issue.d
 
+install -Dm0600 %{SOURCE24} -t %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/
+
 mkdir -p %{buildroot}%{_swidtagdir}
 
 # Create os-release files for the different variants
@@ -432,6 +435,7 @@ install -Dm0644 %{SOURCE22} -t %{buildroot}%{_sysctldir}/
 %{_sysconfdir}/swid/swidtags.d
 %{_prefix}/share/dnf5/libdnf.conf.d/20-azurelinux-defaults.conf
 %{_sysctldir}/70-azurelinux-hardening.conf
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 
 
 %if %{with basic}
@@ -472,6 +476,9 @@ install -Dm0644 %{SOURCE22} -t %{buildroot}%{_sysctldir}/
 
 
 %changelog
+* Tue May 12 2026 Lynsey Rydberg <lyrydber@microsoft.com> - 4.0-16
+- Add 50-permit-root-login.conf to explicitly set PermitRootLogin no
+
 * Fri May 08 2026 Chris Co <chrco@microsoft.com> - 4.0-15
 - Update prerelease name to Beta
 - Drop eol_date and SUPPORT_END for the Beta phase
diff --git a/locks/azurelinux-release.lock b/locks/azurelinux-release.lock
index ecf75d1b878..c75d532d396 100644
--- a/locks/azurelinux-release.lock
+++ b/locks/azurelinux-release.lock
@@ -1,3 +1,3 @@
 # Managed by azldev component update. Do not edit manually.
 version = 1
-input-fingerprint = 'sha256:55e516299d72271dc35eed3c4883b3c512ef9d87599df21c3f2820d8ebed8c36'
+input-fingerprint = 'sha256:77dbc8826997e5ae080299968a4fec582eb39ae26f6933c7516714d26be32753'
diff --git a/specs/a/azurelinux-release/50-permit-root-login.conf b/specs/a/azurelinux-release/50-permit-root-login.conf
new file mode 100644
index 00000000000..63d18c0ecf2
--- /dev/null
+++ b/specs/a/azurelinux-release/50-permit-root-login.conf
@@ -0,0 +1,2 @@
+# Explicitly disable root login over SSH.
+PermitRootLogin no
diff --git a/specs/a/azurelinux-release/azurelinux-release.spec b/specs/a/azurelinux-release/azurelinux-release.spec
index 39b4be6e6ee..ceb7112fc90 100644
--- a/specs/a/azurelinux-release/azurelinux-release.spec
+++ b/specs/a/azurelinux-release/azurelinux-release.spec
@@ -39,7 +39,7 @@ Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        4.0
 # TODO(azl): Review whether we can move back to autorelease (with conditional -p)
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 URL:            https://aka.ms/azurelinux
 
@@ -57,6 +57,7 @@ Source20:       chrony-azure.conf
 Source21:       50-azure-cloud.conf
 Source22:       70-azurelinux-hardening.conf
 Source23:       50-client-alive-interval.conf
+Source24:       50-permit-root-login.conf
 
 BuildArch:      noarch
 
@@ -319,6 +320,8 @@ ln -s ../usr/lib/issue.net %{buildroot}%{_sysconfdir}/issue.net
 # Create /etc/issue.d
 mkdir -p %{buildroot}%{_sysconfdir}/issue.d
 
+install -Dm0600 %{SOURCE24} -t %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/
+
 mkdir -p %{buildroot}%{_swidtagdir}
 
 # Create os-release files for the different variants
@@ -435,6 +438,7 @@ install -Dm0644 %{SOURCE22} -t %{buildroot}%{_sysctldir}/
 %{_sysconfdir}/swid/swidtags.d
 %{_prefix}/share/dnf5/libdnf.conf.d/20-azurelinux-defaults.conf
 %{_sysctldir}/70-azurelinux-hardening.conf
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 
 
 %if %{with basic}
@@ -475,6 +479,9 @@ install -Dm0644 %{SOURCE22} -t %{buildroot}%{_sysctldir}/
 
 
 %changelog
+* Tue May 12 2026 Lynsey Rydberg <lyrydber@microsoft.com> - 4.0-16
+- Add 50-permit-root-login.conf to explicitly set PermitRootLogin no
+
 * Fri May 08 2026 Chris Co <chrco@microsoft.com> - 4.0-15
 - Update prerelease name to Beta
 - Drop eol_date and SUPPORT_END for the Beta phase