I received an email stating that I need to migrate your runbooks to managed identities in Azure Automation. It also gave which subscription this is in. I have SQL servers, databases, app services, logic apps and other resources in this subscription.
I have tried looking up some details and it states it's for VMs; is that correct?
Where exactly do I start with migrating this? Are there clear steps outlining this?
Stuff in Azure is secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
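The answer's recommendation is a user account holding Reader at the same scopes as the Service Principal. The following is an added example (not part of the original answer, not Microsoft's code) of how to derive those scopes. It assumes the JSON emitted by `az role assignment list --assignee <app-id> --all --output json` carries at least the keys `scope`, `roleDefinitionName` and `principalId` per assignment (an assumption here), and uses constructed sample data in place of real CLI output. Only Reader is granted, not a copy of the Service Principal's write roles, because the goal is portal visibility on an interactive account.

```python
"""Derive the Azure RBAC Reader assignments a user needs to see the same
resources as a service principal (added example; input shape is an assumption)."""
import json
import shlex

# Constructed sample: what `az role assignment list --assignee <app-id> --all`
# might return for a service principal with assignments in two subscriptions.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {
        "principalId": "00000000-0000-0000-0000-00000000aaaa",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app",
    },
    {
        "principalId": "00000000-0000-0000-0000-00000000aaaa",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Reader",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
    },
    {
        "principalId": "00000000-0000-0000-0000-00000000aaaa",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Storage Blob Data Reader",
        "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-data"
                 "/providers/Microsoft.Storage/storageAccounts/stdata01",
    },
    {
        "principalId": "00000000-0000-0000-0000-00000000aaaa",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-other",
    },
])


def _is_ancestor(parent: str, child: str) -> bool:
    """True if the ARM scope `parent` contains `child` (scopes are path-like)."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def minimal_reader_scopes(assignments_json: str) -> list[str]:
    """Smallest set of scopes at which Reader must be granted so a user can see
    everything the service principal's assignments cover.

    A scope that lies underneath another scope in the list is dropped, because
    Reader inherits down the ARM hierarchy (subscription -> resource group -> resource)."""
    scopes = sorted({a["scope"] for a in json.loads(assignments_json)}, key=len)
    minimal: list[str] = []
    for scope in scopes:
        if not any(_is_ancestor(kept, scope) for kept in minimal):
            minimal.append(scope)
    return minimal


def reader_assignment_commands(assignments_json: str, user_principal_name: str) -> list[str]:
    """Build the `az role assignment create` commands granting Reader (only) to the user."""
    return [
        "az role assignment create --assignee {} --role Reader --scope {}".format(
            shlex.quote(user_principal_name), shlex.quote(scope))
        for scope in minimal_reader_scopes(assignments_json)
    ]


if __name__ == "__main__":
    for cmd in reader_assignment_commands(SAMPLE_ASSIGNMENTS_JSON, "alice@example.com"):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS_JSON` with the file produced by the `az role assignment list` command; the printed commands are meant to be reviewed before they are executed, since each one widens what the user account can read.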
I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.
No, it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B inter clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support and separate application registration, and separate instructions for your users. Check for example how Azure CLI is handling this. You are always only connected to one cloud with cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov it will be hard - they both have very strict requirements on who can create subscriptions there.
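The answer points at how Azure CLI handles this: one active cloud at a time, each with its own endpoints and its own app registration. Below is an added example (not part of the original answer and not Azure CLI's own code) that applies the same model in Python. The authority and Resource Manager endpoints listed are the public ones for each cloud. The tenant-domain suffixes used to infer a cloud, and the app ids in `REGISTRATIONS`, are assumptions and constructed placeholders for illustration; the pre-flight check is what turns the opaque AADSTS70001 in the question into a message saying which cloud the app has to be registered in.

```python
"""Route a login to the cloud a tenant lives in, using that cloud's own app
registration (added example; suffix map and app ids are assumptions)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AzureCloud:
    name: str
    authority: str         # Azure AD (STS) endpoint for this cloud
    resource_manager: str  # Azure Resource Manager endpoint for this cloud


CLOUDS = {
    "AzureCloud": AzureCloud("AzureCloud", "https://login.microsoftonline.com",
                             "https://management.azure.com"),
    "AzureChinaCloud": AzureCloud("AzureChinaCloud", "https://login.chinacloudapi.cn",
                                  "https://management.chinacloudapi.cn"),
    "AzureUSGovernment": AzureCloud("AzureUSGovernment", "https://login.microsoftonline.us",
                                    "https://management.usgovcloudapi.net"),
    "AzureGermanCloud": AzureCloud("AzureGermanCloud", "https://login.microsoftonline.de",
                                   "https://management.microsoftazure.de"),
}

# Assumption: the default tenant-domain suffix reveals the cloud a tenant was created in.
# Only suffixes we are confident about are listed; anything else is reported as unknown.
TENANT_SUFFIX_TO_CLOUD = {
    ".onmicrosoft.com": "AzureCloud",
    ".onmschina.cn": "AzureChinaCloud",
    ".onmicrosoft.de": "AzureGermanCloud",
}

# Constructed placeholders: one app registration per cloud you intend to support.
REGISTRATIONS = {
    "AzureCloud": "00000000-0000-0000-0000-0000000000c0",
    "AzureChinaCloud": "00000000-0000-0000-0000-0000000000c1",
}


def cloud_for_tenant(tenant_domain: str) -> Optional[str]:
    """Infer the cloud from the tenant's default domain, or None if unknown."""
    domain = tenant_domain.lower()
    for suffix, cloud in TENANT_SUFFIX_TO_CLOUD.items():
        if domain.endswith(suffix):
            return cloud
    return None


def check_cloud_match(cloud_name: str, tenant_domain: str) -> Optional[str]:
    """Pre-flight check: return an error message if `tenant_domain` clearly
    belongs to a different cloud than `cloud_name`, else None."""
    inferred = cloud_for_tenant(tenant_domain)
    if inferred is not None and inferred != cloud_name:
        return (f"tenant {tenant_domain} lives in {inferred}; an app registered in "
                f"{cloud_name} cannot sign in there, register the app in {inferred}")
    return None


def plan_login(tenant_domain: str, registrations: dict = REGISTRATIONS) -> dict:
    """Choose the cloud, its endpoints and the app id registered in that cloud."""
    cloud_name = cloud_for_tenant(tenant_domain)
    if cloud_name is None:
        raise ValueError(f"cannot infer cloud for tenant {tenant_domain}; choose it explicitly")
    if cloud_name not in registrations:
        raise ValueError(f"no app registration for {cloud_name}; create one in that cloud's Azure AD")
    cloud = CLOUDS[cloud_name]
    return {
        "cloud": cloud.name,
        "authority": f"{cloud.authority}/{tenant_domain}",
        "resource_manager": cloud.resource_manager,
        "app_id": registrations[cloud_name],
    }


if __name__ == "__main__":
    print(check_cloud_match("AzureCloud", "xxx.yyy.onmschina.cn"))
    print(plan_login("contoso.onmschina.cn"))
```

The authority string is what an OAuth/ADAL-style client would use as its token endpoint base; the `resource_manager` value is the audience and base URL for management calls in that cloud.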
In my Azure account I have 2 directories, let's call them directory A and B.
With some recent changes I need to switch an app service from a subscription in directory A to a subscription that is on directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated to Azure Active Directories, but to a Service Account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a user from the default Azure AD as a co-admin, and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.
We have developed and tested our webroles in our Free trial Azure cloud.
We now have to deploy the webroles to Company A Azure cloud. Company A is open to creating IIS VMs for our deployment but will not share username/pwds with us to publish our Webroles to their cloud.
This should be a pretty common scenario, would like to hear from folks who have solved it in their deployments.
How do we publish web roles to a pre-existing VM?
This isn't how Web Roles work. A Web Role (along with any other defined roles) is essentially a bundle of code, startup scripts, binaries, etc. that are needed on the VM. The VM itself is stateless: It's started up as a fresh (up to date) copy of Windows Server, and your code is executed. Anything needing install is done via your startup scripts.
You cannot push a Web Role independently to an existing Virtual Machine. You'd need to take your actual code project (e.g. asp.net) and publish that to a pre-existing VM, without any of the Web Role scaffolding. How you do that would be up to you (and the folks who are managing these VMs).
I guess there is a confusion with different concepts.
From what I understand you have already deployed your cloud service and associated web roles to a trial Azure subscription. You were able to do that because you are the admin of the subscription. If you need to deploy the same set of roles and the cloud service to one of your customers' Azure subscriptions, they will need to set up your account as a co-admin so you can follow the same deployment procedure you did with your trial subscription. They don't need to give you a user/pass pair. They just need to give your LiveID or appropriate credentials a temporary co-admin permission to do the deployment on their behalf. They can do this in the Azure management portal.
Is there any API or class that helps the user to programmatically pull the details of hosted services in Azure if the user keys in the subscription id?
I could do the above with the references you guys referred to.
Is there any possibility to get subscription details like the subscription name using Windows Azure APIs?
You would need both subscription id and the management certificate from the user. Once you have these two things, you could use Windows Azure Service Management REST API: http://msdn.microsoft.com/en-us/library/windowsazure/ee460799.aspx to get details about the hosted services.
Have a look at the Service Management REST API.
For security reasons, it's not going to be as easy as entering a subscription id though.
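Both answers come down to the same point: the subscription id alone identifies nothing, the management certificate is the credential, and the Service Management REST API takes it as a TLS client certificate. The following is an added example (not part of the original answers and not Microsoft's SDK) that shows the two calls the question asks about, Get Subscription (for the name) and List Hosted Services, using only the standard library. The host, the `x-ms-version` header and the URL paths follow the Service Management API documentation linked above; the XML samples are constructed to mirror the documented response format and are an assumption here, as is the chosen API version value.

```python
"""Read a subscription's name and its hosted services through the classic
Windows Azure Service Management REST API, authenticating with the management
certificate (added example; sample XML below is constructed)."""
import http.client
import ssl
import xml.etree.ElementTree as ET

MANAGEMENT_HOST = "management.core.windows.net"
API_VERSION = "2014-06-01"  # assumption: any version from 2012-03-01 on exposes Get Subscription
NS = {"az": "http://schemas.microsoft.com/windowsazure"}

# Constructed sample responses, shaped like the documented XML.
SAMPLE_SUBSCRIPTION_XML = """<Subscription xmlns="http://schemas.microsoft.com/windowsazure">
  <SubscriptionID>11111111-1111-1111-1111-111111111111</SubscriptionID>
  <SubscriptionName>Contoso Dev</SubscriptionName>
  <SubscriptionStatus>Active</SubscriptionStatus>
</Subscription>"""

SAMPLE_HOSTED_SERVICES_XML = """<HostedServices xmlns="http://schemas.microsoft.com/windowsazure">
  <HostedService>
    <Url>https://management.core.windows.net/1111/services/hostedservices/contoso-web</Url>
    <ServiceName>contoso-web</ServiceName>
    <HostedServiceProperties><Location>West Europe</Location></HostedServiceProperties>
  </HostedService>
  <HostedService>
    <Url>https://management.core.windows.net/1111/services/hostedservices/contoso-api</Url>
    <ServiceName>contoso-api</ServiceName>
    <HostedServiceProperties><Location>North Europe</Location></HostedServiceProperties>
  </HostedService>
</HostedServices>"""


def management_connection(cert_pem_path: str) -> http.client.HTTPSConnection:
    """TLS connection presenting the management certificate (PEM containing the
    certificate and its private key). Possession of this file is the credential,
    which is why a subscription id by itself is never enough."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_pem_path)
    return http.client.HTTPSConnection(MANAGEMENT_HOST, context=ctx)


def get_xml(conn: http.client.HTTPSConnection, path: str) -> str:
    """GET a Service Management resource; the x-ms-version header is mandatory."""
    conn.request("GET", path, headers={"x-ms-version": API_VERSION})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8")
    if resp.status != 200:
        raise RuntimeError(f"{resp.status} {resp.reason}: {body}")
    return body


def parse_subscription_name(xml_text: str) -> str:
    """Extract SubscriptionName from a Get Subscription response."""
    root = ET.fromstring(xml_text)
    return root.findtext("az:SubscriptionName", namespaces=NS)


def parse_hosted_services(xml_text: str) -> list:
    """Extract name and location of each service from a List Hosted Services response."""
    root = ET.fromstring(xml_text)
    services = []
    for svc in root.findall("az:HostedService", NS):
        props = svc.find("az:HostedServiceProperties", NS)
        services.append({
            "name": svc.findtext("az:ServiceName", namespaces=NS),
            "location": props.findtext("az:Location", namespaces=NS) if props is not None else None,
        })
    return services


def describe_subscription(subscription_id: str, cert_pem_path: str) -> dict:
    """Live lookup: subscription name plus hosted services (needs network + cert)."""
    conn = management_connection(cert_pem_path)
    name = parse_subscription_name(get_xml(conn, f"/{subscription_id}"))
    services = parse_hosted_services(get_xml(conn, f"/{subscription_id}/services/hostedservices"))
    return {"id": subscription_id, "name": name, "hosted_services": services}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(parse_subscription_name(SAMPLE_SUBSCRIPTION_XML))
    print(parse_hosted_services(SAMPLE_HOSTED_SERVICES_XML))
```

`describe_subscription("<subscription-id>", "/path/to/management-cert.pem")` performs the live calls; the parsing functions are separated so they can be exercised on captured responses without the certificate.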