I am trying to run a PowerShell script against all VMs in an Azure subscription. I used AzureRunAsConnection to connect to the service principal. Using Get-AzureVM gives an error that I haven't set the default subscription. When I try to set it using Select-AzureSubscription, I am given an error message stating the subscription doesn't exist. Here's what I am using in the runbook.
```powershell
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantID -ApplicationID $conn.ApplicationID -CertificateThumbprint $conn.CertificateThumbprint
Select-AzureSubscription -SubscriptionName *********
```
The exact error message is:
```
Select-AzureSubscription : The subscription name ***** doesn't exist.
Parameter name: id
At line:3 char:1
+ Select-AzureSubscription -Current -SubscriptionName "******** ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Select-AzureSubscription], ArgumentException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.SelectAzureSubscriptionCommand
```
What am I doing wrong to keep getting this error?
There are three generations of Azure PowerShell modules: "Azure", "AzureRM", and "Az". Looks like you've got multiple installed. Try Select-AzureRmSubscription instead.
@david is right, you are confusing the commands: Classic (Azure) vs AzureRM.
If the goal is to get the VMs in a subscription, below is sample code for Classic and AzureRM.
Classic:
```powershell
# Classic (Azure Service Management) Run As connection
$ConnectionAssetName = "AzureClassicRunAsConnection"
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
# The connection asset names the certificate asset used to authenticate
$CertificateAssetName = $Conn.CertificateAssetName
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
Get-AzureVM
```
AzureRM:
```powershell
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Get-AzureRMVM
```
Also keep in mind that connections are tied to a subscription, so for AzureRM you do not need to select a subscription. If you want to select one (Select-AzureRmSubscription), it should be the same as the one in the connection properties.
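The mismatch discussed in this thread (logging in with one module generation and selecting the subscription with another) can be caught before a runbook is published. The following is an added example, not code from any of the posters: the function name Get-AzureCmdletGeneration and the sample runbook text are constructed for illustration, and the classification is a heuristic on the cmdlet noun prefix only.

```powershell
# Added example: classify Azure cmdlets in runbook text by module generation.
# Heuristic on the noun prefix; it does not resolve aliases or load any module.
function Get-AzureCmdletGeneration {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Collect every command invocation, including those nested in try/catch blocks
    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }
    $commands = $ast.FindAll($isCommand, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }          # dynamic invocation, no static name
        $generation = switch -Regex ($name) {
            '^\w+-AzureAD' { break }           # directory module, not one of the three
            '^\w+-AzureRm' { 'AzureRM'; break }
            '^\w+-Azure'   { 'Azure (classic)'; break }
            '^\w+-Az'      { 'Az'; break }
        }
        if ($generation) {
            [pscustomobject]@{
                Line       = $cmd.Extent.StartLineNumber
                Cmdlet     = $name
                Generation = $generation
            }
        }
    }
}

# Constructed sample mirroring the runbook in the question above
$sample = @'
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantID -ApplicationID $conn.ApplicationID -CertificateThumbprint $conn.CertificateThumbprint
Select-AzureSubscription -SubscriptionName 'placeholder'
Get-AzureVM
'@

$found = @(Get-AzureCmdletGeneration -ScriptText $sample)
$found | Format-Table -AutoSize
$generations = @($found.Generation | Sort-Object -Unique)
if ($generations.Count -gt 1) {
    Write-Warning ("Runbook mixes module generations: " + ($generations -join ', '))
}
```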
Related
I have an Azure Analysis Services with S1 SKU. There is an SPN who has OWNER RBAC over the AAS. I am trying to use a PowerShell 5.1 Runbook through an Automation Account to run the Restart-AzAnalysisServicesInstance cmdlet.
When I run the Runbook, I get to see the error:
Restart-AzAnalysisServicesInstance : Response status code does not indicate success: 401 (Unauthorized).
However, when I run the cmdlet locally, using my credentials to Connect-AzAccount in Windows Powershell ISE, it works. I am also an OWNER over the AAS.
Here's the Runbook:
```powershell
# Init
$ErrorActionPreference = 'Stop'
$AutomationAccountConnectionName = "Name of my Connection that uses the Owner SPN"

# Get Automation connection (SPN connection details)
$servicePrincipalConnection = Get-AutomationConnection -Name $AutomationAccountConnectionName
Write-Output "Connected using SPN:"
$servicePrincipalConnection

# Connect using SPN
Write-Output "Connecting to AZ using the SPN connection:"
$servicePrincipalConnection | ConvertTo-Json
$azContext = Connect-AzAccount -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -Tenant $servicePrincipalConnection.TenantId -ServicePrincipal
Write-Output ("Connected to azure using certificate with app id : " + $servicePrincipalConnection.ApplicationId)

# Get AAS
$aasServer = "test113aas"
$subscriptionId = "GUID of my azure subscription"
Select-AzSubscription -Subscription $subscriptionId
$resourceObj = Get-AzAnalysisServicesServer -Name $aasServer
$ResourceObj
$AnalysisServer = $resourceObj.Name
$AnalysisServerLocation = 'northeurope'
$ModelName = 'adventureworks'

# # Connect AAS Account => This did not help as well
# Write-Host "Adding AAS Account"
# Add-AzAnalysisServicesAccount -RolloutEnvironment "$AnalysisServerLocation.asazure.windows.net" `
#     -ServicePrincipal -ApplicationId $servicePrincipalConnection.ApplicationId `
#     -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -TenantId $servicePrincipalConnection.TenantId

# Restart AAS server
Write-Host "Server's full name is $($resourceObj.ServerFullName)"
Write-Host "$AnalysisServer : Preparing to Restart the Analysis Server"
$result = Restart-AzAnalysisServicesInstance -Instance $resourceObj.ServerFullName -PassThru # returns true if successful
$result
```
Any idea as to what I am missing out here? Documentation: https://learn.microsoft.com/en-us/powershell/module/az.analysisservices/restart-azanalysisservicesinstance?view=azps-7.2.0
I even tried running the same within an Azure PowerShell Core Function, since the documentation is for PowerShell 7+, but to no avail.
Turns out that we need to whitelist the client's IP before calling the cmdlet.
The error message could have been more precise.
Working on this as below: using a PowerShell script inside the Automation Account for a runbook. The PowerShell script will help in adding a rule inside the resource of the function app of the networking rule. But somehow the following happens:
Not able to log in to the Azure account
And it says Subscription ID doesn't exist. (Login is done via service principal)
Code for reference:
```powershell
$azureAplicationId="XXXX"
$azureTenantId="XXXXX"
$azurePassword=ConvertToSecureString "XXXXXX" -AsPlainText -Force
$psCred=New-Object System.Management.Automation.PSCredential($azureAplicationId ,$azurePassword)
Login-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
Select-AzureSubscription -SubscriptionId "XXXXXX"
Add-AzWebAppAccessRestrictionRule -ResourceGroupName "XXXXX" -WebAppName "XXXXX" -Name "iprule" -Priority 100 -Action Allow -IpAddress x.x.x.x/x
```
I'm trying to use an Azure Automation Account to run some jobs, but I'm struggling with the AzureRM module installed. I manually installed some Az modules, but PowerShell ISE is still using AzureRM, like in trying to establish the RunAs connection below:
```powershell
$RunAsConnection = Get-AutomationConnection -Name AzureRunAsConnection
try { $Login = Add-AzureRmAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint -ErrorAction Stop }
catch { Sleep 10; $Login = Add-AzureRmAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint }
Set-AzureRmContext -SubscriptionId $RunAsConnection.SubscriptionID
```
Then, I have to modify it manually to below code and it works.
```powershell
$RunAsConnection = Get-AutomationConnection -Name AzureRunAsConnection
try { $Login = Add-AzureRmAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint -ErrorAction Stop }
catch { Sleep 10; $Login = Add-AzAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint }
Set-AzContext -SubscriptionId $RunAsConnection.SubscriptionID
```
How to fix this and how to force the automation account to use Az instead of Azure RM ?
Thanks!
After importing the Az module, you can use Connect-AzAccount for authentication, then use other Az cmdlets directly.
An example is using Get-AzWebApp (you need to import the Az.Websites module as mentioned before) to get Azure web app details in an Automation runbook:
```powershell
$connection = Get-AutomationConnection -Name AzureRunAsConnection
$connectionResult = Connect-AzAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationId $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint
# the cmdlet to get Azure web app details
Get-AzWebApp -ResourceGroupName xxx
```
I am currently trying to write a PowerShell script which logs into Azure and then deletes an SQL database.
When it gets to the database deletion it gives an error:
Remove-AzureSqlDatabase : No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to set the default subscription.
When I try to add a default subscription with Select-AzureSubscription -Default -SubscriptionName Pay-As-You-Go I get an error as well:
Select-AzureSubscription : The subscription name Pay-As-You-Go doesn't exist.
I'm confused as to what the problem is and have tried connecting to the account via Connect-AzAccount as well.
The full script is:
```powershell
$passwd = ConvertTo-SecureString password -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('accountname', $passwd)
Connect-AzureRmAccount -Credential $pscredential -Tenant "tenant string"
# Set-AzContext -SubscriptionId "subscription id"
Select-AzureSubscription -Default -SubscriptionName Pay-As-You-Go
# Get-AzureSubscription -SubscriptionName "Pay-As-You-Go" | Select-AzureSubscription -Default
Remove-AzureSqlDatabase -ServerName migrate -DatabaseName "AWS-Copy"
```
You cannot mix the three PowerShell modules Azure, Az, and AzureRm together, and if you have installed the Az module, I recommend you uninstall the AzureRm module; it was deprecated and will never be updated.
To remove the SQL database with the Az module, your script should be like below. Make sure your account has an RBAC role (e.g. Owner, Contributor) on your subscription/SQL Server.
```powershell
$passwd = ConvertTo-SecureString password -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('accountname', $passwd)
Connect-AzAccount -Credential $pscredential -Tenant "<tenant-id>"
Set-AzContext -Subscription "<subscription-id>"
Remove-AzSqlDatabase -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DatabaseName "<DatabaseName>"
```
Simply, I'm running Connect-AzureRmAccount using runbook automation in Azure, it gives me the error below:
Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'.
I already imported the Azureprofile module and I can not figure out what is the issue.
If you want to connect to the Azure account with the PowerShell command Connect-AzureRmAccount in your Runbook, then it is really unnecessary. Just as I said in the comment, when you use the Runbook, you are already in an exact subscription of the tenant with an account. So just run your script without connecting the account.
If you really want to connect with the PowerShell, you can use the service principal like this:
```powershell
Disable-AzureRmContextAutosave -Scope Process
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationID $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
```
But I really suggest you can just run the PowerShell script in your Runbook directly.
Update
When you create the Runbook, there will be a connection for you to run the PowerShell script. Or you can create the connection as your requirement. See Connection assets in Azure Automation. You could just use the default connection with code like this:
```powershell
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
```
I had the same problem, in my case I was trying to simply use the Azure Cmdlet Get-AzVm.
I previously used code similar to what Charles posted above; the problem is that it doesn't work with the Az cmdlets, as you can't use both the AzureRM and the new Azure modules at the same time.
I replaced all of that with the following and now it works:
```powershell
Disable-AzContextAutosave -Scope Process
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID `
    -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
$AzureContext = Select-AzSubscription -SubscriptionId $Conn.SubscriptionID
```
I found this in the following article: https://learn.microsoft.com/en-us/azure/automation/automation-first-runbook-textual