I am currently busy to convert my Azure AD PowerShell scripts to Microsoft Graph PowerShell. I have already some scripts that I want to run within Azure Automation, but I try to figure out how to connect to Azure Automation.
With Azure AD PowerShell, I have a connected service account in Azure Automation. With Microsoft Graph PowerShell I'm trying to use a RunAs account within the Azure Automation Account with the following connection:
$Connection = Get-AutomationConnection -Name AzureRunAsConnection
# Get certificate from the automation account
$Certificate = Get-AutomationCertificate -Name AzureRunAsCertificate
# Connect to the Graph SDK endpoint using the automation account
Connect-MgGraph -ClientID $Connection.ApplicationId -TenantId $Connection.TenantId -CertificateThumbprint $Connection.CertificateThumbprint
When I run the RunBook to create the connection I get an error:
Connect-MgGraph: C:\Temp\os4k24vd.4cs\xxxxxxxxxxxxxxxxxxx.ps1:5
Line | 5 | Connect-MgGraph -ClientID $Connection.ApplicationId -TenantId $Connec …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Could not load file or assembly 'Newtonsoft.Json, Version=13.0.0.0,
| Culture=neutral, PublicKeyToken=xxxxxxx'. The system cannot | find the file specified.
I have the following module installed that is needed for Connect-MgGraph Microsoft.Graph.Authentication >> Runtime: 7.1 When I search on the error, it have something to do that .NET could not find the Json.NET library. But which module I'm missing in Azure Automation, or are there other ways to connect Microsoft Graph PowerShell with Azure Automation?
I hope you are using App only Access approach to connect the Azure Automation. if not refer MSDOC - App only Authentication
To get the Certificate and AppID you can use the below command let
#To get App Id
$AppId = Get-AutomationVariable -Name '<Your AppID>'
# Get TenentId
$TenantId = Get-AutomationVariable -Name '< your tenantId>'
# Get Certificate
$CertificateName = Get-AutomationCertificate -Name '<Your Certificate>'
#Connect the mgGraph
Connect-MgGraph -ClientID $AppId -TenantId $TenantId -CertificateName $CertificateName ## Or -CertificateThumbprint
Still, you are facing issue please give a try Automation Hybrid Runbook Worker for more flexibility.
The problem was not the first connect script, but the runtime version. After changing to PS 5.1 instead of 7.1 it all works. The Runbook now shows 'Welcome to Welcome To Microsoft Graph!'
$Connection = Get-AutomationConnection -Name AzureRunAsConnection
# Connect to the Graph SDK endpoint using the automation account
Connect-MgGraph -ClientID $Connection.ApplicationId -TenantId $Connection.TenantId -CertificateThumbprint $Connection.CertificateThumbprint
Related
I would like to run a Azure Automation Runbook (PowerShell) and run
connect-PnPOnline or connect-MicrosoftExchange
clientid & clientsecret will be deprecating
User is MFA enabled
Can't I connect trough managed identity or keyvault or something else?
Who can point me in the right direction?
Run connect-PnPOnline or connect-MicrosoftExchange trough managed identity:
I tried authenticating to the required conections using Azure PowerShell as well as Azure Automation runbook as follow:
SystemAssigned Managed Identity:
Connect-PnPOnline -Url "https://microsoftapc.sharepoint.com/teams/<Site_Name>"-ManagedIdentity
UserAssigned Managed Identity:
Connect-PnPOnline -Url ""-ManagedIdentity -UserAssignedManagedIdentityObjectId <ObjectId of UserAssigned Managed Identity>
Client_ID & Client_secret:
Install-Module -Name PnP.PowerShell
connect-pnponline -url "https://microsoftapc.sharepoint.com/teams/<Site_Name>"-ClientId "48b4f657-904f-496d-b02a-49cc492b3ee3" -ClientSecret "Tis8Q~Pxn3F2t8kllVCV5pCC2u2SMkxcSEeOrds2" -WarningAction Ignore
Output(AZ Powershell):
Azure runbook:
First of all, Add the required modules by going to Automation Account -> Shared Resources -> Modules -> Add a Module
To check whether modules are successfully imported, Give
Install-Module -Name ExchangeOnlineManagement -Scope AllUsers
Get-command -Module ExchangeOnlineManagement
Azure PowerShell:
Connect-ExchangeOnline -ManagedIdentity -Organization "xxxxx" -ManagedIdentityAccountId "<UserManagedIdentityID>"
References:
Check here for other possible ways to Connect-PnPOnline &
connect-ExchangeOnline.
I have an Azure runbook where I am trying to deallocate VMs. When I run the runbook I get the error
Stop-AzureVM : No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to
set the default subscription.
I have used the below in my script.
Add-AzureRmAccount
Select-AzureRMSubscription
After calling the select, it prints out
PSComputerName : localhost
PSSourceJobInstanceId :
Account :
Environment :
Subscription :
Tenant :
with the correct subscrption and tenant information so it seems the select is working correctly, but for some reason I still cannot use the Stop-AzureVM cmdlet.
Any ideas?
The command Stop-AzureVM is Azure Service Management PowerShell command. It just can be used to stop Azure classic VM. But the command Add-AzureRmAccount is Azure Resource Management PowerShell command. After running the command, we just can manage Azure Resource Management resources. For more details, please refer to here and here.
So with Azure ARM VM, please use the command Stop-AzureRmVM to stop it. Meanwhile, regarding how to stop Azure classic VM, please refer to the following steps
Create Azure Classic Run As Account
Script
$ConnectionAssetName = "AzureClassicRunAsConnection"
# Get the connection
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
# Authenticate to Azure with certificate
$CertificateAssetName = $Conn.CertificateAssetName
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
#stop VM
Stop-AzureVM -ServiceName "ContosoService01" -Name "MyVM" -Force
Besides, regarding how to check if the VM is classic, please refer to the blog
Try Running the below :
Get-Module AzureRm.Profile -ListAvailable
This issue might occur when there is multiple instances of the module. If there are multiple instance remove the older modules and retain the new module.
To remove the old module : Uninstall-Module -Name AzureRm.Profile -RequiredVersion 4.6.0#(olderversion if you have any)
I have an Azure Automation Run As account. When I run the following code (from step 5 of Azure online tutorial) on the runbook in Azure Portal, I get the error shown below. Question: What I may be missing here, and how can we resolve the issue?
runbook code:
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave –Scope Process
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID `
-ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
$AzureContext = Select-AzSubscription -SubscriptionId $Conn.SubscriptionID
Error:
Failed At line:4 char:1
+ Disable-AzContextAutosave –Scope Process
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cannot find the 'Disable-AzContextAutosave' command. If this command is defined as a workflow, ensure it is defined before the workflow that calls it. If it is a command intended to run directly within Windows PowerShell (or is not available on this system), place it in an InlineScript: 'InlineScript { Disable-AzContextAutosave }'
I'm assuming you havn't imported the Az.Accounts module into your automation account. Disable-AzContextAutosave, Connect-AzAccount and Select-AzSubscription are from this module.
Follow this guide to Import Az modules.
I am trying to create a Runbook which does some maintenance in Active Directory. On creation of an Automation Account an "RunAs" account was created. In the runbook I connect to AD using the below command.
$connectionName = "AzureRunAsConnection"
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to AzureAD..."
Connect-AzureAD `
-TenantId $servicePrincipalConnection.TenantId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-LogLevel Info
This command runs fine, however the subsequent use of AD CMDLETS gives the following error,
$Users = Get-AzureADUser
Get-AzureADUser : Error occurred while executing GetUsers Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
The same is true for other CMDLETS in the AD module, not just this I have tried adding API permission through the registered application (relating to the Automation Account connection resource) in Active Directory but I am still facing the above privileges issue.
According to some test, you need to add the permissions of Azure AD but not Micorsoft Graph. It seems the Get-AzureADUser command use Azure AD graph in the backend. So we need to do the operations as below:
After that we can use the command Get-AzureADUser successfully(if you test the command in powershell, when you add the Azure AD permission, please close the powershell and reopen it and re-connect)
I have created some Azure VMs using the new Resource Manager and i'd like to stop them everyday.
To do so, i've published a runbook to stop aboth classic and ARM VMs, and i created a scheduler which runs the runbook every night :
workflow Stop-AzureVMs
{
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureAccount -Credential $cred
Select-AzureSubscription -Current 'SubscriptionName'
Get-AzureVM | Stop-AzureVM –Force
Get-AzureRmVM | Stop-AzureRmVM -Force
}
I have imported the AzureResourceManager module to my Azure Automation account :
But i am getting this error :
Exception
At line:34 char:2
+ Get-AzureRMVM | Stop-AzureRMVM -Force
+ ~~~~~~~~~~~~~ Cannot find the 'Get-AzureRMVM' command. If this command is defined as a workflow, ensure it is defined before the workflow that calls it. If it is a command intended to run directly within Windows PowerShell (or is not available on this system), place it in an InlineScript: 'InlineScript { Get-AzureRMVM }'
How is that possible ?
Edit : Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscipritionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
All workflows i found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubcription instead of the standard Add-AzureAccount and Select-AzureSubscription. I thought that the authentication process to our Azure account was the same.
Update : It is now possible to combine both ASM and ARM cmdlets within the same runbooks, see this post for more informations about ARM supported by default on Azure Automation
Looks like you imported the old version of the ARM cmdlets (before Azure PS 1.0) into Azure Automation. This was before the *-AzureRm* renaming. So tt should be Stop-AzureVM not Stop-AzureRmVM.
However, that makes it ambiguous as to whether you are trying to call Azure Service Management or Azure Resource Manager cmdlets -- which is exactly why the cmdlet names were renamed in Azure PS 1.0. I recommend you follow the guidance here.
As per my understanding ASM mode is default. If you are going for ARM command firstly switch mode is required using Switch-AzureMode
One more confusion is what is the purpose of Get-AzureRMVM command. I googled but coulndn't find anything -
The Get-AzureRMVM cmdlet is in the AzureRM.Compute module... The AzureRM* cmdlets are still in preview, I don't think they are available in Azure Automation yet.
The two modules in your screenshot above likely correspond to the 0.9.x version of the cmdlets and there were indeed two different modules (Azure=ASM and AzureResourceManager=ARM) behind Switch-AzureMode. Switch-AzureMode just unloads one and loads the other.
If Automation is still using the 0.9.x version of the cmdlets then you should be able to just use Get-AzureVM for ARM VMs using the AzureResourceManager module.
Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscriptionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
It is not yet possible to combine ARM and ASM cmdlets in same runbook apparently ... So you have to use only ARM cmdlet or ASM cmdlet.
Also, all workflows i found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubcription instead of the standard Add-AzureAccount and Select-AzureSubscription.
I thought that the authentication process to our Azure account was the same.
The Following code will work for both old style and new Style VM's but be aware this will shut down all machines with no warning.
{
# TODO: update to the name of the credential asset in your Automation account
$AutomationCredentialAssetName = "AzureAutomationRG"
# Get the credential asset with access to my Azure subscription
$Cred = Get-AutomationPSCredential -Name $AutomationCredentialAssetName
# Authenticate to Azure Service Management and Azure Resource Manager
Add-AzureAccount -Credential $Cred
Add-AzureRmAccount -Credential $Cred
"`n-Old Style VMS-`n"
# Get and output Azure classic VMs
$VMs = Get-AzureVM
$VMs.Name
Get-AzureVM | Stop-AzureVM -Force
"`n-New Style Resource Group VMs-`n"
# Get and output Azure v2 VMs
$VMsv2 = Get-AzureRmVM
$VMsv2.Name
Get-AzureRmVM | Stop-AzureRmVM -Force
}
For new Azure RM VMs use access extensions the following command:
Set-AzureRmVMAccessExtension -ResourceGroupName "ResourceGroupName" -VMName "VMName" -Username "Admin User Name" -Password "Admin Password" -Name "Extension Name"
Please note the -Name parameter is the arbitrary extension name.
This might be late to the party, but I would recommend you check out this link:
https://www.attosol.com/start-or-stop-all-vms-of-a-resource-group-in-azure/
Basically, you can create a script and write some aliases with switches to make your job super easy.