Develop Reference

Unable to query Azure WAF logs

I have been asked to use Powershell to query Azure WAS logs for blocked requests. I found https://cloudrobots.net/2021/03/07/download-azure-wav-v2-blocking-logs-w-powershell/ but am having some trouble.
First, I created a new service principal and assigned it the Contributor role assignment. I also created a secret and granted it "AuditLog.Read.All" API permission.
Now I am using the following code:
$TenantId = '<tenant id>'
$AzureADCred = Get-Credential -UserName <tenant id> -Message "Enter secret value"
Connect-AzAccount -ServicePrincipal -Credential $AzureADCred -TenantId $TenantId
$WorkspaceID = '<workspace id>'
$UserPrincipalName = 'user#domain.com'
#Create the query for log analytics workspace for last sign in for user which goes back 180 days
$query = 'SigninLogs | Where-Object TimeGenerated > ago(180d) | Where-Object UserPrincipalName == "' + $UserPrincipalName + '" | summarize signInCount = count() by UserPrincipalName | Sort-Object by signInCount desc'
#Create the query for log analytics workspace for top matched rules
$query = 'AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | summarize count() by ruleId_s, bin(TimeGenerated, 1m) | where count_ > 10 | render timechart'
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query
Disconnect-AzAccount
But I only get back:
Invoke-AzOperationalInsightsQuery : Operation returned an invalid
status code 'BadRequest'
What gives?

Recursively list all resource tags within Azure Resource Groups

We have a large number of Azure Subscriptions which currently run into the hundreds.
I'm looking to generate a report (ideally using Azure Powershell or Azure CLI) to recursively extract a list of all tags assigned to every single resource within every resource group, for between 40-50 of the subscriptions.
Currently, I can list all tags assigned at Resource Group level, but I simply can't find a way to list the tags assigned to the individual resources within each Resource Group. The list of subscriptions and resource groups on which I'd like to extract this report, are saved in a CSV file which includes two columns displaying the Subscription name and Resource Group respectively.
Any tips on how to achieve the above would be fantastic and most appreciated.

Not detailed code but the idea here.
1.You should write a loop, in the loop, change the subscription each time by using this cmdlet:
Set-AzContext -Subscription $subscription_name.
2.Then get all the resource group in the specified subscription by using this cmdlet:
$resource_groups = Get-AzResourceGroup
3.Then write a nested loop(loop for each resource group), in this nested loop, use this cmdlet to get all azure resources within a resource group:
foreach($rg in $resource_groups){
$azure_resources = Get-AzResource -ResourceGroupName $rg.ResourceGroupName
}
4.Write another nested loop in step 3, this loop is used to go though all the azure resources within the specified resource group. Then use the code below to fetch tags for each azure resource within the resource group:
foreach($r in $azure_resources){
#the following code can get all the tags for one resource
$r.tags
}

Based on Ivan Yang's logic. I have built the PowerShell Script;
#---------DECLARE VARIABLES------------------------------------#
$bnsSubscription = Get-AzSubscription
$day = Get-Date -Format " ddMMMyyyy"
$tagPath = "C:\mytempfolder\"+"$day-Tag-Details.csv"
$tagFolderPath = "C:\mytempfolder\"
#---------DECLARE VARIABLES------------------------------------#
function Get-ResourceTag {
foreach ($subs in $bnsSubscription) {
Select-AzSubscription -SubscriptionName $subs.Name | Out-Null
Write-Host 'The selected Subscription is' ($subs).Name
New-Item -ItemType file -Path "$tagFolderPath\$($subs.Name).csv" -Force
$resource_groups = Get-AzResourceGroup
$resource_groups_details = Get-AzResourceGroup | Sort-Location ResourceGroupName | Format-Table -GroupBy Location ResourceGroupName,ProvisioningState,Tags
Write-Host 'The selected Resource Group is' ($resource_groups).Name 'and the tag information as follows'
#$resource_groups_details
$resource_groups | Select-Object ResourceGroupName,Tags | Export-CSV -Path "$tagFolderPath\$($subs.Name).csv" -Append
$OutputFile = #()
foreach($rg in $resource_groups){
$azure_resources = Get-AzResource -ResourceGroupName $rg.ResourceGroupName
$TestTags = $Resource.Tags.GetEnumerator()
foreach($r in $azure_resources){
Write-Host 'The selected resource is' ($r).Name 'and the information as follows'
$RGHT = New-Object "System.Collections.Generic.List[System.Object]"
$RGHT.Add("RGName",$r.ResourceGroupName)
$RGHT.Add("ResourceName",$r.name)
$RGHT.Add("Location",$r.Location)
$RGHT.Add("Id",$r.ResourceId)
$RGHT.Add("ResourceType",$r.ResourceType)
$RGHT.Add("ResourceTags",$r.Tags)
$OutputFile += New-Object psobject -Property $RGHT
$OutputFile | Export-Csv -Path "C:\mytempfolder\test22.csv" -append -NoClobber -NoTypeInformation -Encoding UTF8 -Force
}
}
}
}
#---------CALL FUNCTION------------------------------------#
Get-ResourceTag

ForEach-Object return all objects three times in powershell (Azure VM)

I have this Powershell line which should list all virtual machines from selected subscription and I have total of 3 subscriptions.
$azureSubscriptionID = "xxxxx-xxxxx-xxxxx-xxxx"
foreach ($subs in $azureSubscriptionID)
{
Write-Output "Collecting VM facts from subscription $subs"
$vms += Get-AzureRMSubscription | ForEach-Object {Select-AzureRMSubscription $_ | Out-Null; Get-AzureRmVM -WarningAction SilentlyContinue}
}
Issue is that when running the script and using $vms is that it will list all available vms subscriptions three times in a row like this:
VM A VM B VM C
VM A VM B VM C
VM A VM B VM C
What am I doing wrong and how to fix that? or are there alternative ways to get all vms from X subscription in few lines? Using this in Azure runbook.

If you just want to cycle through all of your subscriptions and list all of the VMs, you can do the following:
Get-AzureRMSubscription | ForEach-Object {
$sub = Select-AzureRMSubscription $_
Write-Output "Collecting VM facts from subscription $($sub.Subscription.Id)"
Get-AzureRmVM
}
The issue with your attempt is you are getting all subscriptions (Get-AzureRmSubscription) during each loop iteration regardless of the value(s) contained in $azureSubscriptionID. To fix your code, you would need to run Get-AzureRMSubscription -SubscriptionId $subs or Select-AzureRMSubscription -SubscriptionId $subs.
If you want to do further processing with the data you have gathered, I would consider some alternative approach for when you explicitly target known subscriptions.
$azureSubscriptionIDs = "xxxxx-xxxxx-xxxxx-xxxx","yyyyy-yyyyy-yyyyy-yyyy","zzzzz-zzzzz-zzzzz-zzzz"
# $vms is an array of custom objects
# each custom object contains a subscription ID and the associated VMs Names
$vms = foreach ($sub in $azureSubscriptionIDs) {
$null = Select-AzureRMSubscription -SubscriptionId $sub
$subvms = Get-AzureRmVM | Select -Expand Name
$sub | Select #{n='Subscription';e={$_}},#{n='VMs';e={$subvms}}
}
# You can access the subscription ID now with the Subscription property
# You can access the VMs Names with the VMs property
# List all vms under subscription 'xxxxx-xxxxx-xxxxx-xxxx'
$vms | Where Subscription -eq 'xxxxx-xxxxx-xxxxx-xxxx' | Select -Expand VMs
# List all vms for each subscription with a custom console message
foreach ($sub in $vms) {
Write-Output "Here are all the VMs for subscription $($sub.Subscription)"
$sub.VMs
}

Get-AzureRmConsumptionUsageDetail limited response to 1000 items

I've discovered this azure PS command Get-AzureRmConsumptionUsageDetail that as per docs is able to "get usage details of the subscription".
I performed some tests on my MSDN account with success. When tried with the Enterprise account (with many more resources) I've seen that it is always returning a max of 1000 items in all cases.
I tried to set -MaxCount to a higher than 1000 value without success.
The only workaround I see is try to identify all the resources in my subscription and query each one with the hope that no one individually has more than a thousand entries. Bad news is that I cannot do that for deleted items.
This behavior is not mentioned on the MS docs page so, any idea how this command should be properly used?

To partially solve my problem I developed a quick and dirty script that is able to ask for all the current subscription resources and then iterate through all them to get the billing details. It should be strange for a single resource to overpass the 1000 rows limit as resources are usually billed per day.
The drawbacks are the amount of api calls it has to perform and thus the time as well as that deleted resources are not included.
$resources = Get-AzureRmResource
Write-Output "Found $($resources.Count) in the subscription"
$consumption = #()
$i = $resources.Count
foreach($resource in $resources) {
$consumption += Get-AzureRmConsumptionUsageDetail -InstanceId $resource.ResourceId
$i--
Write-Output "$i - $($resource.ResourceId)"
}
$consumption | Group-Object InstanceId | %{
New-Object psobject -Property #{
ResourceGroup = ([regex]::Match($_.Name, ".*\/resource[gG]roups\/(.*?)\/.*$")).Groups[1].Value.ToUpper();
Cost = ($_.Group | Measure-Object PretaxCost -Sum).Sum
}
} | Group-Object ResourceGroup | %{
New-Object psobject -Property #{
ResourceGroup = $_.Name;
Total = ($_.Group | Measure-Object Cost -Sum).Sum
}
} | Export-Csv cost_report.csv

Azure Application Insights, how to change daily cap by Azure CLI

I'm trying to change daily cap for data transfer for all my Application Insights on Azure. Is there any way to change it for all of them?
I can't find how to do it by using Azure CLI.
Thank you.

You can change the daily cap with the Azure PowerShell cmdlet Set-AzureRmApplicationInsightsDailyCap.
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionName "Your Sub Name"
function Set-DailyCap {
$AI = Get-AzureRmApplicationInsights | Select ResourceGroupName, Name
$AI | foreach {
write-output ("Attempting to set daily cap for App Insights in resource group {0} instance {1}" -f $_.ResourceGroupName, $_.Name)
Set-AzureRmApplicationInsightsDailyCap -ResourceGroupName $_.ResourceGroupName -Name $_.Name -DailyCapGB 0.2
}
}
Set-DailyCap

Here is a modified version of #RonDBA's solution, which includes some logic to parse the names and set limits based on their name. Using this script, I was able to update hundreds of daily caps in a matter of seconds.
import-module azurerm.applicationinsights
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionName "yoursubscription here"
$ai = Get-AzureRmApplicationInsights | select ResourceGroupName, Name
$AI | foreach {
$cap = 1
$color = 'red'
if($_.Name -match 'dev'){
$cap = .12
$color = 'green'
}
if($_.Name -match 'stg'){
$cap = .24
$color = 'blue'
}
if($cap -eq 1)
{
if($_.Name -match 'api'){
$cap = 1.4
$color = 'yellow'
}
else{$cap = 2.9}
}
write-host ("Attempting to set daily cap at $cap for {0} instance " -f $_.ResourceGroupName) -NoNewline
write-host $_.Name -ForegroundColor $color
Set-AzureRmApplicationInsightsDailyCap -ResourceGroupName $_.ResourceGroupName -Name $_.Name -DailyCapGB $cap
}

There is no way you can change the daily cap of your application insights component using Azure CLI or even Azure REST APIs as of today.
To change it, use the Daily volume cap blade, linked from the Data
Volume Management blade (see below). Note that some subscription types
have credit which cannot be used for Application Insights. If the
subscription has a spending limit, the daily cap blade will have
instructions how to remove it and enable the daily cap to be raised
beyond 32.3 MB/day.
Data source/Reference:
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-pricing#data-rate