All the instructions I've found for enrolling devices in Azure AD require the user to manually log a machine in to Azure AD themselves to enroll.
Is there any way to enroll machines from Powershell? I'm looking at enrolling about 200 machines and not looking forward to having users login to Azure AD one by one manually.
Thanks!
For your scenario you should use something called bulk enrollment.
Steps are:
Create configuration file called provisioning package (*.ppkg) using Windows Configuration Designer tool. More info: https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll#create-a-provisioning-package.
Don't use the desktop wizard here, since bulk Azure AD deployment can only be configured via advanced configuration.
Deploy the *.ppkg file using PowerShell command Add-ProvisioningPackage. More info is here: https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-powershell
Related
I have an azure active directory setup in my company
what i want to do is to run exe or PowerShell file when any user login using his azure ad account on his computer
because there is an application we must use at work and it should be run at every device on the company
i did search on this issue but i didn't find any useful solution
so is this is possible
Your condition can be addressed with MS Intune provided you should have license for it.
MS Intune integrates with Azure AD to manage devices and user based on your custom organization policy. You must enroll your devices in MS Intune MDM for the Startup/logon PowerShell Script to be run on those devices. Devices must run Windows 10 version 1709 or later. The Devices should be Azure AD joined and enrolled with auto enrolment or manual enrolled policy.
The Microsoft Intune Management Extension is a service that runs on
the device, just like any other service listed in the Services app
(services.msc). After a device reboots, this service may also restart,
and check for any assigned PowerShell scripts with the Intune service.
If the Microsoft Intune Management Extension service is set to Manual,
then the service may not restart after the device reboots
Would suggest you follow this MS document to get to know what would be the
Prerequisites and create a script policy and assign it devices.
https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
I have an Azure CDN. It has a custom domain, and I attempting to register my own certificate for HTTPS support.
I am attempting to follow the instructions here: https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
I have uploaded my Certificate to a Key Vault. That should be good. I am now trying grant my Azure CDN Profile access to my Key Vault in order for it to get the certificate. That is this step in the tutorial (Register Azure CDN, step #2)
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
What I see when I attempt to run the command from Cloud Shell
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
The GUID is the Application ID of the multi-tenant AD App in the Microsoft tenant(microsoft.onmicrosoft.com), when you use the New-AzADServicePrincipal with the GUID, it will create a service principal related to this AD App in your AAD tenant, which represents your CDN.
When you run the New-AzADServicePrincipal successfully, you could find it in the portal -> Azure Active Directory -> Enterprise applications in your tenant.
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
The New-AzureRmADServicePrincipal belongs to the old AzureRM module, New-AzADServicePrincipal belongs to the new Az module. You could use both of them, but I recommend you to use New-AzADServicePrincipal, because the AzureRM module was deprecated and will not be updated any more.
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
Of course, you can. Just run that in the cloud shell, no need to install any module manually.
we have an Infrastructure for one customer in Azure which require many configurations like MFA with VPN and Remote Desktop (this one is the reason why I'm confused with Azure AD).
The installation should be only in Azure, that's mean there is no local AD which could be synced to it.
I've created an seperated Azure Directory for them and configured an AD DS inside it so I can join the Azure VMs to it.
My problem here is I was asked to configure MFA for remote desktop users along with the VPN connection. The requirement the MFA that I should install an local NPS with MFA Extenstion and the local AD users should be synced with Azure AD. Which in my case it's not possible to do it since there is no local Network for this customer.
This problem as I understood is because that we don't have permissions to administrate Azure AD DS Active Directory and by this we can't register the NPS with MFA Extension with it. here are some Links related to this topic:
Request to Support NPS/RADIUS for Azure AD Domain Services
Integrate Remote Desktop Gateway with Azure MFA
Integrate VPN with Azure MFA
My question here is:
1) the seperated Azure AD for this tenant is a good Idea? Is it not better to just create an Azure AD Domain Services inside our Company Azure AD and sync the required groups to it? what is the best practice for this situation?
2) In order to use the Azure MFA here, what should I do? is there any other option in Azure to implement such a scenario?
I will be glad for any help or explaination.
I am trying to follow https://blogs.msdn.microsoft.com/tfssetup/2016/04/01/build-and-deploy-azure-web-apps-using-team-foundation-serverservices-vnext-builds/.
I have no issues deploying the web app manually from Visual Studio using PublishingSettings and Publish option. I just want to automate the process and I am stuck at this step:
The article clearly advises
Select the Certificate Based connection. This is very important when
you are trying to deploy. Credential based Microsoft Account
(#outlook, #hotmail) are no longer supported and only Organizational
accounts are. Even then, if they use Two-Factor Authentication(2FA),
the build will fail trying to connect to Azure.
This is correct and if I try to use Credentials, my deployment fails with unknown_user_type: Unknown User Type
There was an error with the Azure credentials used for deployment. message.
So >> Certificate. But in my PublishSettings file there is no Management Certificate and as per this article
Azure Management Certificates and Publishing Setting files (...) are
only intended and limited to manage Azure Service Management (ASM)
resources
I tried this option:
But VSTS is not connected to the Azure environment (considering that Azure belongs to one Customer and VSTS to another, is it even possible?).
My questions:
* Is it the deployment somehow possible with PublishSettings file?
* Should the "Credentials" option work if I am using an organizational account Me#Company.com?
* How else can I try?
EDIT
Your solution could be creating a service principal in Azure and connect it to VSTS. The automatic Build from VSTS should then be published to Azure automatically. Here you find how to setup the service principal and connect it to VSTS: https://www.petri.com/connect-visual-studio-team-services-azure-using-service-principal-name
I am not sure right now, whether you are using TFS or VSTS?! When I publish a Web App in VSTS, the ARM Service Endpoints works well:
Is there a way to authenticate to Azure without any login on an Azure VM? Same feature like amazon instance profile so I can run azure commands without authentication
I don't think it is possible to communicate with Azure cloud without authentication like AWS using the instance profile. In Azure you have to use service principle with respective role(Reader, contributor or owner) assigned. Once service principle is created you can use it for authentication with Azure SDK or REST API. You can automate once you have service principle details.
You can use Azure CLI.
The authentication can be done using the Publish Settings file.
This is useful if you wish to use Azure CLI commands in a script etc.
You can download the file by using
azure account download
Make sure you keep this file safe as it provides direct access to your azure account.
Then authentication is a simple process of importing the file using
azure account import /path/to/.publishsettings_file
Now deployment commands can be run on the command line without logging in.
Scroll to the section public settings file in the link for more info on how to use the publish settings file.