Use az tool to check when key vaults were created - azure

I need to check when a key vault (not a key) was created in Azure. az keyvault show does not seem to give me that info. Can anyone point me in the right direction?
az keyvault show --name <keyvault-name>
Thanks

You could use az group deployment show to get the deployment of the key vault in the resource group; the timestamp is what you want.
az group deployment show --name <keyvault-name> --resource-group <resource-group-name>
Note: the command above only works for a key vault created in the portal or via an ARM template (you need to change the name parameter). If you created the key vault with a PowerShell or CLI command, there is no deployment information in the group. The remaining option is az monitor activity-log list to get the logs of your group, but the log is only kept for 90 days, and the operation appears as "Update Key vault" either way, so you cannot tell whether it was actually a Create or an Update.

You have to call the REST API directly to get this functionality. You can list resources of type Microsoft.KeyVault/vaults and use $expand=createdTime. See https://learn.microsoft.com/en-us/rest/api/resources/resources/list for more info.
Here is an example at subscription scope, but you can also do it at resource group scope if you know where your target Key Vault exists.
# the $ signs are escaped so that bash does not expand $expand and $filter as (empty) shell variables; in PowerShell use a single-quoted string instead
az rest --method GET --uri "https://management.azure.com/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resources?\$expand=createdTime&\$filter=resourceType eq 'Microsoft.KeyVault/vaults'&api-version=2020-06-01"
{
  "value": [
    {
      "createdTime": "2019-11-07T22:02:10.6437781Z",
      "id": "/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resourceGroups/CSSAutomation-xxx/providers/Microsoft.KeyVault/vaults/CSSAutomationVault-xxx",
      "location": "centralus",
      "name": "CSSAutomationVault-xxx",
      "resourceGroup": "CSSAutomation-xxx",
      "tags": {},
      "type": "Microsoft.KeyVault/vaults"
    },
    {
      "createdTime": "2019-11-04T14:57:25.8974771Z",
      "id": "/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resourceGroups/rgKeyVault/providers/Microsoft.KeyVault/vaults/KeyVaultTestyyy",
      "location": "northcentralus",
      "name": "KeyVaultTestyyy",
      "resourceGroup": "rgKeyVault",
      "tags": {},
      "type": "Microsoft.KeyVault/vaults"
    }
  ]
}
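The REST approach above is the one that actually answers the question, but a real subscription returns the resource list in pages (a nextLink field), and the $ characters in the query string are easy to lose to the shell. The following script is an added example, not code from either answer: it builds the same Resources - List request (with $expand=createdTime,changedTime) and calls it through the logged-in az CLI, passing the URI as a single argument so no shell ever sees $expand or $filter, then follows nextLink and reports every vault oldest first. The subscription id, resource names, timestamps and the two-page response used for the offline demo are constructed; the function names are my own.

```python
"""Find when each Key Vault in a subscription was created, via ARM createdTime.

Added example (not code from the answers above). Reuses the az CLI login via
`az rest`, follows nextLink paging, and keeps parsing separate from the network
call so it can be checked offline against a constructed response. All ids,
names and timestamps in the demo data below are made up.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone
from typing import Callable, Iterator, List, Optional, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2020-06-01"          # same api-version as the answer above
VAULT_TYPE = "Microsoft.KeyVault/vaults"


def list_uri(subscription_id: str, resource_group: Optional[str] = None) -> str:
    """Resources - List URI with $expand=createdTime,changedTime and a type filter.

    Scoped to one resource group when given. The URI is passed to az as a single
    argv element, so "$expand"/"$filter" are never expanded by a shell.
    """
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return (f"{ARM}{scope}/resources?$expand=createdTime,changedTime"
            f"&$filter=resourceType eq '{VAULT_TYPE}'&api-version={API_VERSION}")


def fetch_arm(uri: str) -> dict:
    """Live call through the az CLI (needs `az login`); not used by the demo."""
    proc = subprocess.run(["az", "rest", "--method", "get", "--uri", uri, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def iter_pages(first_uri: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every page of a list response, following nextLink until absent."""
    uri: Optional[str] = first_uri
    while uri:
        page = fetch(uri)
        yield page
        uri = page.get("nextLink")


def parse_arm_time(ts: str) -> datetime:
    """ARM returns e.g. 2019-11-07T22:02:10.6437781Z (7 fractional digits, 'Z').

    datetime.fromisoformat only handles that on Python 3.11+, so truncate the
    fraction to microseconds by hand and return an aware UTC datetime.
    """
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def vault_created_times(first_uri: str, fetch: Callable[[str], dict]
                        ) -> List[Tuple[str, Optional[str]]]:
    """(resource id, createdTime) per vault, oldest first.

    A vault for which ARM returns no createdTime is kept with None and sorted
    last, so a missing value is visible rather than silently dropped.
    """
    rows: List[Tuple[str, Optional[str]]] = []
    for page in iter_pages(first_uri, fetch):
        for res in page.get("value", []):
            if res.get("type", "").lower() != VAULT_TYPE.lower():
                continue  # $filter already does this server-side; re-check defensively
            rows.append((res["id"], res.get("createdTime")))
    return sorted(rows, key=lambda r: (r[1] is None,
                                       parse_arm_time(r[1]).timestamp() if r[1] else 0.0))


# --- constructed two-page demo response (made-up subscription, names, times) ---
DEMO_SUB = "00000000-0000-0000-0000-000000000000"
DEMO_NEXT = f"{ARM}/subscriptions/{DEMO_SUB}/resources?api-version={API_VERSION}&$skiptoken=demo"
_VID = f"/subscriptions/{DEMO_SUB}/resourceGroups/{{rg}}/providers/{VAULT_TYPE}/{{name}}"
DEMO_PAGES = {
    "first": {"value": [
        {"id": _VID.format(rg="rg-a", name="vault-a"), "name": "vault-a",
         "type": VAULT_TYPE, "createdTime": "2019-11-07T22:02:10.6437781Z"},
        {"id": f"/subscriptions/{DEMO_SUB}/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/sta",
         "name": "sta", "type": "Microsoft.Storage/storageAccounts", "createdTime": "2018-01-01T00:00:00Z"},
    ], "nextLink": DEMO_NEXT},
    "next": {"value": [
        {"id": _VID.format(rg="rg-b", name="vault-b"), "name": "vault-b",
         "type": VAULT_TYPE, "createdTime": "2019-11-04T14:57:25.8974771Z"},
        {"id": _VID.format(rg="rg-b", name="vault-legacy"), "name": "vault-legacy",
         "type": VAULT_TYPE},  # no createdTime in the response
    ]},
}


def demo_fetch(uri: str) -> dict:
    """Offline stand-in for fetch_arm: serves the second page for the nextLink."""
    return DEMO_PAGES["next"] if uri == DEMO_NEXT else DEMO_PAGES["first"]


def main(argv: List[str]) -> None:
    """`python kv_created.py <subscription-id> [resource-group]` runs live; no args runs the demo."""
    if argv:
        uri, fetch = list_uri(argv[0], argv[1] if len(argv) > 1 else None), fetch_arm
    else:
        uri, fetch = list_uri(DEMO_SUB), demo_fetch
    for rid, created in vault_created_times(uri, fetch):
        print(f"{created or 'createdTime not returned':32} {rid}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the demo ordering (the storage account on the first page is ignored, the vault without createdTime lands at the bottom); run it with a subscription id, and optionally a resource group, to query your own tenant through the existing az login. Because the result is the ARM-level createdTime, it works for vaults created from the CLI or PowerShell where no resource-group deployment exists.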

Related

ARM Template: How to create connection to storage from different resource group?

I'm trying to write an ARM template to deploy a connection to the storage account for my Logic App. The problem is that my Logic App belongs to one resource group & the storage account in another.
When I run the deployment pipeline I get the following deployment error:
The Resource 'Microsoft.Storage/storageAccounts/StorageAccountName'
under resource group 'Logic App Resource Group' was not found.
I understand that the storage account does not belong to this resource group but how do I write the ARM template to look for the storage account from another group?
Here is my template for the connection:
{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[parameters('storageConName')]",
  "location": "[parameters('logicAppLocation')]",
  "properties": {
    "displayName": "[parameters('storageConName')]",
    "parameterValues": {
      "accountName": "[parameters('storageAccountName')]",
      "accessKey": "[listKeys(variables('storageAccountId'),'2019-06-01').keys[0].value]"
    },
    "api": {
      "id": "[concat('/subscriptions/',parameters('resourceGroupId'),'/providers/Microsoft.Web/locations/northeurope/managedApis/azureblob')]"
    }
  }
}
I've worked out what was wrong, the properties:api:id was using the logic App resource group id where it should be using the storage accounts resource group id.
I misunderstood that this was the resource group where I wanted the connection to be created.

Link existing B2C tenant via Azure CLI

How do I link an existing B2C tenant programmatically via Azure CLI? Running this line:
az resource create --resource-group <rg> --resource-type Microsoft.AzureActiveDirectory/b2cDirectories --name <tenant>.onmicrosoft.com --location Europe --properties "{\"tenantId\": \"<tenantId>\", \"sku\": { \"name\": \"Standard\", \"tier\": \"A0\" } }"
returns "BadRequestError: The 'sku' property is required for creating a b2c directory resource", but it is there.
The ARM "B2C Link Resource" looks like this:
{
  "type": "Microsoft.AzureActiveDirectory/b2cDirectories",
  "apiVersion": "2017-01-30",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "tags": {},
  "sku": {
    "name": "Standard",
    "tier": "A0"
  },
  "properties": {
    "tenantId": "[parameters('tenantId')]"
  }
}
Further Information:
I have tried different variations of the sku portion, such as leaving it out completely or moving it to a dedicated parameter (--sku Standard etc.), but none of them seem to work.
Removing an existing link via az resource delete --ids /subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.AzureActiveDirectory/b2cDirectories/<tenant>.onmicrosoft.com works perfectly fine
Why do we need this? We automate our infra deployment with Terraform. We're aware of the limitations automating B2C tenants (see here, here or here) so we aim for removing/adding the b2c link via pipeline to at least keep the subscription clean on destroying/applying infra.
Linking an existing B2C tenant via Azure Portal looks like this
Any advice appreciated. Thanks for your help!
I don't think Azure CLI currently has the ability to manage B2C tenants.
As you are already aware, there is a detailed discussion at https://github.com/Azure/azure-cli/issues/12058
Other Programmatic Approach:
I captured Fiddler traces to understand the flow and the endpoint that is responsible, and was able to point to the endpoint below. I was checking the flow for creating a new Azure B2C tenant.
PUT https://management.azure.com/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.AzureActiveDirectory/b2cDirectories/contosoorganiztion.onmicrosoft.com?api-version=2019-01-01-preview
{
  "location": "United States",
  "sku": { "name": "Standard", "tier": "A0" },
  "properties": {
    "createTenantProperties": { "displayName": "Contoso Organization", "countryCode": "US" }
  }
}
However, I was not able to check the "Link to existing tenant" option (your requirement) because of permissions at my end. I am assuming there is a similar endpoint responsible for that. You could capture Fiddler traces with HTTPS decrypted (or use any tool that captures decrypted HTTPS traffic) while linking an existing tenant, to find the endpoint and the request body.
Note :
Keep in mind that this API/endpoint is not supported and is subject to change, so it is not recommended for production environments.
You will need an access token in order to hit the endpoint.
To obtain the token, the resource id of the Azure portal is 74658136-14ec-4630-ad9b-26e160ff0fc6:
az account get-access-token --resource 74658136-14ec-4630-ad9b-26e160ff0fc6

Azure VPN Gateway configuration: Get-AzureRmVirtualNetworkGatewayConnection returns ResourceNotFound error

I am trying to configure a VPN in Azure PowerShell following the procedure here. When running the following command:
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name <myconnectionname> -ResourceGroupName <myresourcegroupname>
I receive the error:
Get-AzVirtualNetworkGatewayConnection: Resource group '' could not be found.
But when I run the command:
az group show --name "<myresourcegroupname>"
the return value is the object description of the resource group:
{
  "id": "/subscriptions/<active subscription id>/resourceGroups/<myresourcegroupname>",
  "location": "<mylocation>",
  "managedBy": null,
  "name": "<myresourcegroupname>",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}
Clearly, the resource group exists and is accessible to powershell through the active subscription (and I confirmed that the active subscription does contain this resource group).
How can I properly identify the resource group for this command to run?
Thank you to the people who commented. I ended up speaking with Azure support; the network engineer initially ran into the same problem and tried a few different options.
Ultimately, the solution was fairly simple: the issue was that multiple subscriptions were under the account. The solution was just to run
Select-AzSubscription -SubscriptionId <subscriptionid>
with the proper parent subscription id. As @Joy Wang suggested, updating all the cmdlets to the newer Az versions also helped clear up errors.

Get Azure active directory user group objectId in ARM template

Hi, I am trying to deploy a resource of type "Microsoft.Sql/servers/administrators" using an ARM template.
Below is the template:
{
  "type": "Microsoft.Sql/servers/administrators",
  "apiVersion": "2019-06-01-preview",
  "name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
  ],
  "properties": {
    "administratorType": "ActiveDirectory",
    "login": "[parameters('activeDirectoryUserGroupName')]",
    "sid": "",
    "tenantId": "[subscription().tenantId]"
  }
}
I am passing the Active Directory user group name as a parameter; "sid" is the objectId of that Active Directory group. Is there any way to fetch the objectId in an ARM template?
We have no way to get the Azure AD group object id in an ARM template, because the Azure AD group is an Azure AD resource, not an Azure resource, and ARM templates only manage Azure resources. For more details, please refer to the documentation.
If you want to get the AD group object id, you can use the Azure PowerShell command $groupId = (Get-AzADGroup -DisplayName <groupName>).Id.

Get the Sku of Azure automation account

I am trying to enable diagnostic settings on existing automation accounts in different subscriptions.
So far my script consists of the following steps:
Retrieve all Automation Accounts
Loop through every single one of them.
Change the value of the parameters in the ARM template to the value of the retrieved automation account
Deploy the ARM template that enable diagnostic settings on that specific automation account.
{
  "name": "[parameters('AutomationAccountName')]",
  "type": "Microsoft.Automation/automationAccounts",
  "apiVersion": "2015-10-31",
  "properties": {
    "sku": {
      "name": "Basic"
    }
  },
  "location": "[parameters('location')]",
  "resources": [
    {
      "type": "providers/diagnosticSettings"
Enabling all sort of logs in the diagnostic settings ..
This works fine.
But the problem I am facing right now is that the sku is set to Basic here, and I can't be sure that is the case for every single automation account I retrieve with the Get-AzAutomationAccount command.
I have tried to get the plan value from Get-AzAutomationAccount and save it inside the ARM template, but it seems to be empty.
Is there any other way to retrieve the sku of each Azure Automation account?
ALSO, the SKU object normally is not required, if I read the official Microsoft doc correctly. But whenever I delete the sku object or leave it empty, the deployment fails.
Does anyone know how to fix this?
The command Get-AzAutomationAccount does not return the sku property; it just returns the Plan.
If you want to get the sku, you could use the command as below.
$sku = (Get-AzResource -ResourceGroupName "<resource group name>" -ResourceType Microsoft.Automation/automationAccounts -ResourceName "<automation account name>").properties.sku
$sku | ConvertTo-Json
