When I try to encrypt an Azure VM(Windows Server 2016) disk using a key in the key vault, I receive the below error. Can someone suggest what I am missing?
[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.45] Failed to enable Azure Disk Encryption on the VM with the following exception details:\n Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: Unable to find additional details in disk encryption response\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:\__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:\__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line
I tried to reproduce the same in my environment to encrypt the Azure VM Disks using PowerShell:
Make sure that Connect-AzAccount with contributor role or owner role to create resources and modify in resource group, and also check if drive is already encrypted with Bitlocker and Azure Disk Encryption, Kindly decrypt the drivers before ran the script.
PowerShell Script to encrypt Azure VM:
#Connect to Azure Account with Contributor role or Admin role.
Connect-AzAccount
Create a resource group:
New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
Create a Key vault:
New-AzKeyvault -name thejaKVtest -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption
#Store the value in Keyvault
$KeyVault = Get-AzKeyVault -VaultName thejaKVtest -ResourceGroupName MyResourceGroup
Encrypt Azure VM:
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName <YourVM Name> -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId
Get Azure vm encryption status:
Get-AzVmDiskEncryptionStatus -VMName MyVm -ResourceGroupName MyResourceGroup
If still same error, kindly check the below settings in key vault , like below.
Azure Portal > Key Vault > Select your Key Vault > Access Configuration > Enable Azure Disk Encryption for volume encryption
Reference: Create and encrypt a Windows virtual machine in Azure with PowerShell
Related
I am following this tutorial where it required to use an Azure Managed Identity assigned to an Azure Storage Account.
https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#about-customer-managed-keys
In the tutorial the step 1. is:
An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
However I cannot find a way to see or assign a managed identity to an SA. It seems that SAs have no managed identities out of the box..
Any hints?
I don't think so that it's possible to view that in the portal but I am sure that powershell can help you. As far as i know that are two ways to check if your storage account has a Principal Id assigned. One way is to check in azure AD by typing Get-AzADServicePrincipal -DisplayName storageAccountName and another one is:
$stgName = "stgName"
$rgName = "rgName"
$stg = Get-AzStorageAccount -StorageAccountName $stgName -ResourceGroupName $rgName
$stg.identity
if you have managed identity assigned so you can see principal id. Otherwrise:
Set-AzStorageAccount -ResourceGroupName $rgName -AccountName $stgName -AssignIdentity
I am trying to automate the creation of certain azure resources via an Azure PowerShell script that is triggered from an Azure DevOps release pipeline. I want to create a function app, and automatically integrate reading right access to secrets in an already existing Key Vault. This Key Vault is in the same Azure subscription.
While I can create most resources following the documentation, there seems to be a lack of documentation regarding the creation of certain resources using Azure PowerShell (or I can't find it).
If I follow the sample from this link, I can accomplish it without a problem by using the UI in the Azure Portal, but I can't find any documentation on Microsoft Docs to do it using PowerShell.
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name $functionAppName `
-ResourceGroupName $emailFunctionRg `
-Location "$(AzureRegion)" `
-StorageAccount $storageName `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
$appId = Get-AzADServicePrincipal -DisplayName $functionAppName
Set-AzKeyVaultAccessPolicy -VaultName EmailSettings -ServicePrincipalName $appId -PermissionsToSecrets Get,List
Write-Host "Key Vault access granted!"
Running Set-AzKeyVaultAccessPolicy fails with "Insufficient privileges to complete the operation.". But I am not sure if this is the right path to follow, it was just a guess, based on the available functions in the documentation.
Any ideas?
Two potential issues to check out here:
your app creation assigns the result to $fnApp. perhaps $fnApp or as commented above, $fnApp.ApplicationId is what you should be using for the -ServicePrincipalName parameter on the access policy grant.
you don't have privileges to assign RBAC roles. Go to the Key Vault, choose Access Control, then click the Role Assignments tab and verify that your user appears in the list as an Administrator, User Access Administrator, or Owner.
Edit: With respect to the RBAC privilege, since this is running in Azure Powershell from Azure DevOps, you need to check the role assignment for the Service Connection's service principal - under Azure Active Directory in the Azure Portal, look up the principal used to create the service connection, and make sure THAT gets the correct Role on the key vault.
After a little of trial and error I just came to the conclusion I was not using the right parameter for the Set-AzKeyVaultAccessPolicy cmdlet.
The following script will work (if the service principle running it has the appropriate role, like WaitingForGuacamole mentioned in his/her answer):
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name <FnAppName> `
-ResourceGroupName <ResourceGroupName> `
-Location <AzureRegion> `
-StorageAccount <StorageAccount> `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
Set-AzKeyVaultAccessPolicy -VaultName <NameOfTheKeyVault> -ObjectId (Get-AzADServicePrincipal -DisplayName <FnAppName>).Id -PermissionsToSecrets <Get, List, etc...>
Write-Host "Key Vault access granted!"
I'm a bit of an Azure & Powershell newbie.
I'm trying to write PowerShell scripts to create an environment that can be published to from Azure DevOps.
As part of that, I'm creating a Service Bus with multiple topics. Each of the topics will have multiple Authorization Rules - one for publication and one for subscription.
I have the scripts for this working. However, I need to get the connection strings for these rules and save them to a key vault, to make them available to apps.
This is where I have become stuck.
This is similar to my existing code:
New-AzServiceBusTopic -ResourceGroupName myResourceGroup -Namespace myServiceBus -EnablePartitioning $false -Name myTopic
New-AzServiceBusAuthorizationRule `
-ResourceGroupName myResourceGroup `
-Namespace myServiceBus `
-Topic myTopic`
-Name myTopic.pub `
-Rights #("Send")
In the Azure Portal, I would click into the Service bus and Topic, select Shared Access Policies and click on the policy. It would show me the SAS Policy with the Primary Connection String.
Is there any way in PowerShell to get the Primary Connection String?
Thanks
If you have azure powershell Az.ServiceBus module installed, you can directly use this command: Get-AzServiceBusKey.
For example:
Get-AzServiceBusKey -ResourceGroup Default-ServiceBus-WestUS -Namespace SB-Example1 -Name AuthoRule1
I am trying to check the Infrastructure encryption status via powershell. Here is the screenshot Encryption
I referenced this doc("https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal") and tried the below script but didn't get any result.
$account = Get-AzStorageAccount -ResourceGroupName `
-StorageAccountName $account.Encryption.RequireInfrastructureEncryption
Is there a way to see if the Infrastructure encryption is enabled or disabled?
Thank you
From that docs, there are two kinds of encryption levels for Azure storage account, at the service level and at the infrastructure level. By default, Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level.
To doubly encrypt your data, you must first create a storage account that is configured for infrastructure encryption.
In this case, if you have not enabled the infrastructure encryption, you could see the "requireInfrastructureEncryption": null with Azure CLI.
az storage account show --name <storage-account> --resource-group <resource-group>
To Verify that infrastructure encryption is enabled, you could Register to use infrastructure encryption,
Register-AzProviderFeature -ProviderNamespace Microsoft.Storage `
-FeatureName AllowRequireInfraStructureEncryption
Create an account with infrastructure encryption enabled,
New-AzStorageAccount -ResourceGroupName <resource_group> `
-AccountName <storage-account> `
-Location <location> `
-SkuName "Standard_RAGRS" `
-Kind StorageV2 `
-RequireInfrastructureEncryption
Then you can Verify that infrastructure encryption is enabled with the PowerShell scripts.
$account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
-StorageAccountName <storage-account>
$account.Encryption.RequireInfrastructureEncryption
I have OS data in a managed azure data disk. I want to create a VM from this data disk. I tried using
az vm create --resource-group myResourceGroup --location eastus --name myVM \ --os-type linux --attach-os-disk myManagedDisk
The issue that I am facing is that the newly created vm is up and running, however when I try to connect to it via ssh using the IP address, I am unable to do so.
Also how do I give an username and password to this newly created VM? It says the --admin-username and --admin-password options are unavailable for this type of command?
It seems you can't login the new VM with original passwrod, please Reset Password via Azure portal, then use new Password to login it.
It says the --admin-username and --admin-password options are
unavailable for this type of command?
Yes, Azure does not support reset username and password for an existing OS disk.
If you want to reset username and password, maybe you should create a new image from this VM. Create new image will general this VM, and remove user settings, then you can't login that original VM, if you want create new VM image, backup that os disk first.
Update:
Please follow those steps to copy managed disk and create new VM:
1.Stop original VM, then create snapshot of that OS disk via Azure portal.
2.Use the snapshot to create an new disk.
3.Use New OS disk to create Azure VM.
#Provide the subscription Id of the subscription where managed disk exists
$sourceSubscriptionId='yourSourceSubscriptionId'
#Provide the name of your resource group where managed disk exists
$sourceResourceGroupName='mySourceResourceGroupName'
#Provide the name of the managed disk
$managedDiskName='myDiskName'
#Set the context to the subscription Id where Managed Disk exists
Select-AzureRmSubscription -SubscriptionId $sourceSubscriptionId
#Get the source managed disk
$managedDisk= Get-AzureRMDisk -ResourceGroupName $sourceResourceGroupName -DiskName $managedDiskName
#Provide the subscription Id of the subscription where managed disk will be copied to
#If managed disk is copied to the same subscription then you can skip this step
$targetSubscriptionId='yourTargetSubscriptionId'
#Name of the resource group where snapshot will be copied to
$targetResourceGroupName='myTargetResourceGroupName'
#Set the context to the subscription Id where managed disk will be copied to
#If snapshot is copied to the same subscription then you can skip this step
Select-AzureRmSubscription -SubscriptionId $targetSubscriptionId
$diskConfig = New-AzureRmDiskConfig -SourceResourceId $managedDisk.Id -Location $managedDisk.Location -CreateOption Copy
#Create a new managed disk in the target subscription and resource group
New-AzureRmDisk -Disk $diskConfig -DiskName $managedDiskName -ResourceGroupName $targetResourceGroupName