When following the tutorial https://learn.microsoft.com/en-us/azure/application-gateway/create-ssl-portal (using Free Trial as subscription) I always fail with the error
ErrorCode: AuthorizationFailed
ErrorMessage: The client '<mai e-mail address>' with object id'xxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/extensions/write' over scope '/subscriptions/yyy/resourceGroups/myResourceGroupAG/providers/Microsoft.Compute/virtualMachines/myVM/extensions/IIS' or the scope is invalid. If access was recently granted, please refresh your credentials.
ErrorTarget:
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : zzz
When running the command
Set-AzVMExtension `
  -ResourceGroupName myResourceGroupAG `
  -ExtensionName IIS `
  -VMName myVM `
  -Publisher Microsoft.Compute `
  -ExtensionType CustomScriptExtension `
  -TypeHandlerVersion 1.4 `
  -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}' `
  -Location 'West US 2'
According to the portal Access control I (JM in the picture) should have role Virtual machine Contributor, but it doesn't help.
I tried the same PowerShell script command and it works perfectly for me.
You can try to run Disconnect-AzAccount and Clear-AzContext as a solution, so that the contexts of all users are deleted, and after that you can log in to Azure again from PowerShell with Connect-AzAccount.
The Owner access at subscription level is sufficient to perform the operation that you are trying to perform, so separately giving the Virtual Machine Contributor role is not required.
OR
To work around this issue you can manually install the IIS server.
Step 1: Log in to your VM.
Step 2: Manage -> Add role and feature
Step 3: Select Webserver IIS -> Next -> Install
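An added example, not part of the original posts: one way to see which role assignments apply at the scope named in an AuthorizationFailed error and whether any of them permits the requested action, using the Az module. The function names, the -Requested parameter and the role-definition excerpts are constructed for illustration; the sign-in name and subscription ID in the last comment are placeholders.

```powershell
# Added example. The live part needs Az.Accounts and Az.Resources plus a signed-in context.

function Test-RbacActionMatch {
    # True when the role's Actions cover $Requested and no NotActions entry excludes it.
    param([string] $Requested, [string[]] $Actions, [string[]] $NotActions)
    $allowed  = @($Actions    | Where-Object { $_ -and $Requested -like $_ }).Count -gt 0
    $excluded = @($NotActions | Where-Object { $_ -and $Requested -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

function Get-RbacDenialReport {
    # Lists every assignment (direct or through a group) that applies at $Scope
    # and whether its role definition permits $Requested.
    param(
        [Parameter(Mandatory)] [string] $SignInName,
        [Parameter(Mandatory)] [string] $Requested,
        [Parameter(Mandatory)] [string] $Scope
    )
    # A cached context that points at another subscription produces the same 403.
    $ctx = Get-AzContext
    if ($Scope -match '^/subscriptions/([^/]+)' -and $ctx.Subscription.Id -ne $Matches[1]) {
        Write-Warning "Context is on '$($ctx.Subscription.Id)', scope is in '$($Matches[1])'"
    }
    Get-AzRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups |
        Where-Object {
            # Keep assignments made at the scope itself or at one of its parents.
            $parent = $_.Scope.TrimEnd('/') + '/'
            ($Scope + '/').StartsWith($parent, [StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            $def = Get-AzRoleDefinition -Name $_.RoleDefinitionName
            [pscustomobject]@{
                Role       = $_.RoleDefinitionName
                AssignedAt = $_.Scope
                Permits    = Test-RbacActionMatch -Requested $Requested -Actions $def.Actions -NotActions $def.NotActions
            }
        }
}

# Offline check against constructed excerpts of built-in role definitions.
$requested = 'Microsoft.Compute/virtualMachines/extensions/write'   # action from the error above
Test-RbacActionMatch -Requested $requested -Actions 'Microsoft.Compute/virtualMachines/*'   # Virtual Machine Contributor (excerpt)
Test-RbacActionMatch -Requested $requested -Actions '*/read'                                # Reader
Test-RbacActionMatch -Requested $requested -Actions '*' -NotActions 'Microsoft.Authorization/*/Write'   # Contributor (excerpt)

# Live use (placeholders): Get-RbacDenialReport -SignInName 'user@example.com' -Requested $requested `
#   -Scope '/subscriptions/<subscription-id>/resourceGroups/myResourceGroupAG/providers/Microsoft.Compute/virtualMachines/myVM'
```

If a listed role permits the action at an applicable scope and the call still returns 403, stale cached credentials or a context on the wrong subscription are the next things to rule out, which is what clearing the context addresses.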
Related
I have an Azure runbook where I am trying to deallocate VMs. When I run the runbook I get the error
Stop-AzureVM : No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to
set the default subscription.
I have used the below in my script.
Add-AzureRmAccount
Select-AzureRMSubscription
After calling the select, it prints out
PSComputerName : localhost
PSSourceJobInstanceId :
Account :
Environment :
Subscription :
Tenant :
with the correct subscription and tenant information so it seems the select is working correctly, but for some reason I still cannot use the Stop-AzureVM cmdlet.
Any ideas?
The command Stop-AzureVM is an Azure Service Management PowerShell command. It can only be used to stop an Azure classic VM. But the command Add-AzureRmAccount is an Azure Resource Management PowerShell command. After running that command, we can only manage Azure Resource Management resources. For more details, please refer to here and here.
So with Azure ARM VM, please use the command Stop-AzureRmVM to stop it. Meanwhile, regarding how to stop Azure classic VM, please refer to the following steps
Create Azure Classic Run As Account
Script
$ConnectionAssetName = "AzureClassicRunAsConnection"
# Get the connection
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
# Authenticate to Azure with certificate
$CertificateAssetName = $Conn.CertificateAssetName
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
#stop VM
Stop-AzureVM -ServiceName "ContosoService01" -Name "MyVM" -Force
Besides, regarding how to check if the VM is classic, please refer to the blog
Try running the below:
Get-Module AzureRm.Profile -ListAvailable
This issue might occur when there are multiple instances of the module. If there are multiple instances, remove the older modules and retain the new module.
To remove the old module:
Uninstall-Module -Name AzureRm.Profile -RequiredVersion 4.6.0 # (older version, if you have any)
In Azure, I want to rename a SQL database with a PowerShell automation runbook with the command:
Set-AzureRmSqlDatabase -ResourceGroupName <ResourceGroupName> `
  -ServerName <ServerName> -DatabaseName <DatabaseName> -NewName <NewName>
according to the documentation https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqldatabase?view=azurermps-6.13.0
This command works fine in the Launch Cloud Shell from the top navigation of the Azure portal.
But in a runbook, it does not work with this error:
Set-AzureRmSqlDatabase : A parameter cannot be found that matches parameter name 'NewName'.
It seems that -NewName is missing in a runbook
Set-AzureRmSqlDatabase `
-DatabaseName <System.String> `
-ResourceGroupName <System.String> `
[-ElasticPoolName <System.String>] `
[-Tags <System.Collections.Generic.Dictionary`2[System.String,System.String]>] `
[-RequestedServiceObjectiveName <System.String>] `
-ServerName <System.String> `
[-Edition <Microsoft.Azure.Commands.Sql.Database.Model.DatabaseEdition>] `
[-MaxSizeBytes <System.Int64>]
I'm expecting that you are running the runbook from an Azure Automation Account.
Depending on when you created the Azure Automation Account, your account's modules might be outdated.
A simple way to prove this is to create a new runbook and put this into it:
Get-Command Set-AzureRmSqlDatabase
Execute the runbook from the portal and view the output. You will be surprised to see what module version it will report back to you.
Luckily I had a very old Automation Account lying around to prove it for you:
Results:
After the update
The results are:
I am trying to use Get-AzureRmSqlDatabaseRestorePoints and New-AzureRmSqlDatabaseRestorePoint for managing Azure Data Warehouse restore points and the restore process using PowerShell. I am getting an authorisation error when I call this command. I have contributor privileges at subscription and SQL server level.
What I noticed is that the subscription ID in the HTTPS request for the API call is different from my selected subscription.
How can I force these commands to use my active subscription, or can I pass the subscription when I call this command?
Error details
Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'xxxxxxx' with object id 'xxxx-xxxx-xxxx-xxxx' does not have authorization to perform action 'Microsoft.Sql/servers/databases/restorePoints/read' over scope '/subscriptions/Subscription B/resourceGroups/DataWarehouse-SIT-rg/providers/Microsoft.Sql/servers/servername/databases/DataWarehouse'."
  }
}
Full Code
$subscription = "Subscription A"
Login-AzureRmAccount -Subscription $subscription
Get-AzureRmSubscription
Select-AzureRmSubscription -Subscription $subscription
$resourceGroup = Get-AzureRmResourceGroup -Name $resourceGroupName
$server = Get-AzureRmSqlServer -ResourceGroupName $resourceGroup.ResourceGroupName -ServerName $serverName
$database = Get-AzureRmSqlDatabase -ServerName $server.ServerName -ResourceGroupName $resourceGroup.ResourceGroupName -DatabaseName $databaseName
New-AzureRmSqlDatabaseRestorePoint -RestorePointLabel $restorePointName -ResourceGroupName $resourceGroup.ResourceGroupName -ServerName $server.ServerName -DatabaseName $database.DatabaseName
Thanks!
The error itself states that your account doesn't have READ permission on your restore points (Microsoft.Sql/servers/databases/restorePoints/read). Can you verify your permissions or try with another account?
Check whether you have enough permissions in your Subscription IAM
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Subscription IAM Policy
Add your Email
Add your Role(s)
P.S: You need to contact your Subscription Owner in order to perform the above steps.
Issue was resolved after upgrading AzureRM module. Issue exists in module version 5.7.0 but it is resolved in version 6.6.0.
I have created some Azure VMs using the new Resource Manager and I'd like to stop them every day.
To do so, I've published a runbook to stop both classic and ARM VMs, and I created a scheduler which runs the runbook every night:
workflow Stop-AzureVMs
{
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureAccount -Credential $cred
Select-AzureSubscription -Current 'SubscriptionName'
Get-AzureVM | Stop-AzureVM –Force
Get-AzureRmVM | Stop-AzureRmVM -Force
}
I have imported the AzureResourceManager module to my Azure Automation account :
But I am getting this error:
Exception
At line:34 char:2
+ Get-AzureRMVM | Stop-AzureRMVM -Force
+ ~~~~~~~~~~~~~ Cannot find the 'Get-AzureRMVM' command. If this command is defined as a workflow, ensure it is defined before the workflow that calls it. If it is a command intended to run directly within Windows PowerShell (or is not available on this system), place it in an InlineScript: 'InlineScript { Get-AzureRMVM }'
How is that possible ?
Edit : Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscriptionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
All workflows I found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubscription instead of the standard Add-AzureAccount and Select-AzureSubscription. I thought that the authentication process to our Azure account was the same.
Update: It is now possible to combine both ASM and ARM cmdlets within the same runbooks, see this post for more information about ARM supported by default on Azure Automation
Looks like you imported the old version of the ARM cmdlets (before Azure PS 1.0) into Azure Automation. This was before the *-AzureRm* renaming. So it should be Stop-AzureVM, not Stop-AzureRmVM.
However, that makes it ambiguous as to whether you are trying to call Azure Service Management or Azure Resource Manager cmdlets -- which is exactly why the cmdlet names were renamed in Azure PS 1.0. I recommend you follow the guidance here.
As per my understanding, ASM mode is the default. If you are going for ARM commands, you first need to switch mode using Switch-AzureMode
One more confusion is what is the purpose of the Get-AzureRMVM command. I googled but couldn't find anything -
The Get-AzureRMVM cmdlet is in the AzureRM.Compute module... The AzureRM* cmdlets are still in preview, I don't think they are available in Azure Automation yet.
The two modules in your screenshot above likely correspond to the 0.9.x version of the cmdlets and there were indeed two different modules (Azure=ASM and AzureResourceManager=ARM) behind Switch-AzureMode. Switch-AzureMode just unloads one and loads the other.
If Automation is still using the 0.9.x version of the cmdlets then you should be able to just use Get-AzureVM for ARM VMs using the AzureResourceManager module.
Below is the solution
$cred = Get-AutomationPSCredential -Name 'Cred'
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -Name 'SubscriptionName' -SubscriptionId 'SubscriptionId'
Get-AzureRmVM | Stop-AzureRmVM -Force
It is not yet possible to combine ARM and ASM cmdlets in the same runbook apparently ... So you have to use only ARM cmdlets or ASM cmdlets.
Also, all workflows I found didn't mention the use of Add-AzureRmAccount and Select-AzureRmSubscription instead of the standard Add-AzureAccount and Select-AzureSubscription.
I thought that the authentication process to our Azure account was the same.
The following code will work for both old-style and new-style VMs, but be aware this will shut down all machines with no warning.
{
# TODO: update to the name of the credential asset in your Automation account
$AutomationCredentialAssetName = "AzureAutomationRG"
# Get the credential asset with access to my Azure subscription
$Cred = Get-AutomationPSCredential -Name $AutomationCredentialAssetName
# Authenticate to Azure Service Management and Azure Resource Manager
Add-AzureAccount -Credential $Cred
Add-AzureRmAccount -Credential $Cred
"`n-Old Style VMS-`n"
# Get and output Azure classic VMs
$VMs = Get-AzureVM
$VMs.Name
Get-AzureVM | Stop-AzureVM -Force
"`n-New Style Resource Group VMs-`n"
# Get and output Azure v2 VMs
$VMsv2 = Get-AzureRmVM
$VMsv2.Name
Get-AzureRmVM | Stop-AzureRmVM -Force
}
For new Azure RM VMs, use the access extension with the following command:
Set-AzureRmVMAccessExtension -ResourceGroupName "ResourceGroupName" -VMName "VMName" -Username "Admin User Name" -Password "Admin Password" -Name "Extension Name"
Please note the -Name parameter is the arbitrary extension name.
This might be late to the party, but I would recommend you check out this link:
https://www.attosol.com/start-or-stop-all-vms-of-a-resource-group-in-azure/
Basically, you can create a script and write some aliases with switches to make your job super easy.
I am trying to add the Antimalware extension to a virtual machine for protection, but when I try to add the extension in the Azure portal I get the following error:
Failed to add extension to virtual machine. The virtual machine request is invalid The specified source image is a user image. The image must be a platform image.
I have installed the VMAgent.
As extra information, I have tried using PowerShell commands to install the extension by using the following commands and getting the respective responses:
$vm = Get-AzureVM –ServiceName "MyServiceName" –Name "MyVMName"
VERBOSE: ... - completed operation: Get Deployment*
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
WARNING: The resource extension reference list is null or empty
AvailabilitySetName :
ConfigurationSets : {Microsoft.WindowsAzure.Commands.ServiceManagement.Model.NetworkConfigurationSet}
DataVirtualHardDisks : {"MyVMName"}
Label :
OSVirtualHardDisk : Microsoft.WindowsAzure.Commands.ServiceManagement.Model.OSVirtualHardDisk
RoleName : "MyVMName"
RoleSize : Large
RoleType : PersistentVMRole
WinRMCertificate :
X509Certificates :
NoExportPrivateKey : False
NoRDPEndpoint : False
NoSSHEndpoint : False
DefaultWinRmCertificateThumbprint : F4CF28C735C5E557C7B47742E4F16A08959272F1
ProvisionGuestAgent :
ResourceExtensionReferences : {IaaSAntimalware}
DataVirtualHardDisksToBeDeleted :
Update-AzureVM -Name "MyServiceName" -ServiceName "MyVMName" -VM $vm.VM
VERBOSE: 11:15:10 - Completed Operation: Get Deployment
VERBOSE: 11:15:10 - Begin Operation: Update-AzureVM
VERBOSE: 11:15:42 - Completed Operation: Update-AzureVM
OperationDescription OperationId OperationStatus
-------------------- ----------- ---------------
Update-AzureVM 387b77a2-c8fc-233a-913d-cd364c855429 Succeeded
After I run the commands, I check and VMAgent is installed on the VM but no extension.
Does anyone have any ideas?
Thanks!!
The cause might be your first line
$vm = Get-AzureVM –ServiceName "MyServiceName" –Name "MyVMName"
When -servicename and -name are not specified, Get-AzureVM returns no VM object
Set-AzureVMextension only works with -VM input
Try this:
https://gist.github.com/andreaswasita/428fc5519b0ddac76b01
In my experience, this warning is due to the Azure Guest agent not being deployed on the VM, not running on the VM, or being out-of-date. If the VM doesn't have a healthy (and current) guest agent, you won't be able to deploy extensions.
You can check the guest agent status with:
$vm.GuestAgentStatus
You'd be looking for a "Status" of "Ready"; anything else and the extension is likely to fail. Extending Klaad's code then...
# Azure Cloud Service and Azure VM Name
$service= Read-Host -Prompt 'Azure Cloud Service:'
$name = Read-Host -Prompt 'Azure VM:'
# Get the Cloud Service and Azure VM
$vm = Get-AzureVM –ServiceName $service –Name $name
# Check for health of the agent
If ($vm.GuestAgentStatus.Status -ne "Ready") {
Write-Error "The VM agent appears to not be installed or is in an unhealthy state."
}
Else {
# Add Microsoft Antimalware Agent to the Azure VM
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
# Update the Azure VM and install the Antimalware Agent
Update-AzureVM -Name $name -ServiceName $service -VM $vm.VM
}
To check if the agent is there, you can look for the following three processes on the server:
WaAppAgent.exe
WindowsAzureGuestAgent.exe
WindowsAzureTelemetryService.exe
You can download the agent from here (current version at time of edit is 2.6.1198.718).
Installation requires two steps (Source: Zach Millis):
Install the agent. This requires you to run PowerShell as an Administrator and execute the installer from within the PowerShell prompt. (Do not run directly)
Update Azure so it knows about the agent. This requires the following code to be executed:
Code:
# Azure Cloud Service and Azure VM Name
$service= Read-Host -Prompt 'Azure Cloud Service:'
$name = Read-Host -Prompt 'Azure VM:'
# Get the Cloud Service and Azure VM
$vm = Get-AzureVM –ServiceName $service –Name $name
# Provision the guest agent so Azure knows about it
$vm.VM.ProvisionGuestAgent = $TRUE
# Update the Azure VM and install the Antimalware Agent
$vm | Update-AzureVM
# Refresh the connection to the VM to get the new status
$vm = Get-AzureVM –ServiceName $service –Name $name
# Check status - should now be "Ready"
$vm.GuestAgentStatus
That should be it.