How do I add an Azure Scale Set to Log Analytics? From Log Analytics I am able to see the VM, but unlike VMs the Connect button is not enabled. What do I need to do to enable this connection?
There is an MSDN post regarding this issue:
https://blogs.msdn.microsoft.com/timomta/2018/04/09/how-to-add-the-oms-client-to-a-vm-scale-set/
As mentioned in the post, we explain how to do this for VMs but not for VMSS. You can accomplish this via PowerShell and the linked blog above describes how to achieve it.
I will add the script below for users who don't want to follow the link:
Select-AzureRmSubscription -SubscriptionId 'your subscription id'
$PublicSettings = @{"workspaceId" = "your oms workspace id"}
$ProtectedSettings = @{"workspaceKey" = "your big base64 oms key"}
# Get information about the scale set
$vmss = Get-AzureRmVmss -ResourceGroupName 'VMSSRESOURCEGROUP' `
-VMScaleSetName 'VMSSNAME'
Add-AzureRmVmssExtension `
-VirtualMachineScaleSet $vmss `
-Name "Microsoft.EnterpriseCloud.Monitoring" `
-Publisher "Microsoft.EnterpriseCloud.Monitoring" `
-Type "MicrosoftMonitoringAgent" `
-TypeHandlerVersion 1.0 `
-AutoUpgradeMinorVersion $true `
-Setting $PublicSettings `
-ProtectedSetting $ProtectedSettings
# Update the scale set model so the extension is applied to the VM instances
Update-AzureRmVmss `
-ResourceGroupName $vmss.ResourceGroupName `
-Name $vmss.Name `
-VirtualMachineScaleSet $vmss
# Only needed for manual update VMSS – warning tells them all to update, so modify to suit
$jobs = @()
Get-AzureRmVmssVM -ResourceGroupName $vmss.ResourceGroupName -VMScaleSetName $vmss.Name | foreach {
$jobs+=Update-AzureRmVmssInstance -ResourceGroupName $vmss.ResourceGroupName -Name $vmss.Name -InstanceId $_.InstanceId -AsJob
}
$jobs | Wait-Job
$jobs | Receive-Job
Kudos to the author https://social.msdn.microsoft.com/profile/Tim+Omta
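To confirm the rollout the script above performs, the following added example (not from the linked blog post or the answer) reports whether the monitoring extension is in the scale set model and which instances have not yet applied that model. The function name is hypothetical, and the input objects are constructed to mirror the properties read from Get-AzVmss and Get-AzVmssVM (Az module) output, so the block runs without contacting Azure.

```powershell
# Added example: the scale set model can contain the extension while instances
# of a manual-upgrade scale set still run the old model, so check both.
function Get-VmssAgentRolloutGap {
    param(
        [Parameter(Mandatory)] $Vmss,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Instances,
        [string] $Publisher = 'Microsoft.EnterpriseCloud.Monitoring'
    )
    # Extensions declared in the scale set model (empty if none are defined).
    $ext = @($Vmss.VirtualMachineProfile.ExtensionProfile.Extensions |
        Where-Object { $_.Publisher -eq $Publisher })
    # Instances that have not picked up the current model yet.
    $stale = @($Instances | Where-Object { -not $_.LatestModelApplied } |
        ForEach-Object { $_.InstanceId })
    [pscustomobject]@{
        ExtensionInModel = ($ext.Count -gt 0)
        UpgradeMode      = [string]$Vmss.UpgradePolicy.Mode
        StaleInstanceIds = $stale
        Complete         = ($ext.Count -gt 0 -and $stale.Count -eq 0)
    }
}

# Constructed sample data: a manual-upgrade scale set with one stale instance.
$sampleVmss = [pscustomobject]@{
    UpgradePolicy         = [pscustomobject]@{ Mode = 'Manual' }
    VirtualMachineProfile = [pscustomobject]@{
        ExtensionProfile = [pscustomobject]@{
            Extensions = @(
                [pscustomobject]@{
                    Name      = 'Microsoft.EnterpriseCloud.Monitoring'
                    Publisher = 'Microsoft.EnterpriseCloud.Monitoring'
                }
            )
        }
    }
}
$sampleInstances = @(
    [pscustomobject]@{ InstanceId = '0'; LatestModelApplied = $true }
    [pscustomobject]@{ InstanceId = '1'; LatestModelApplied = $false }
)
Get-VmssAgentRolloutGap -Vmss $sampleVmss -Instances $sampleInstances

# Against a live scale set, pass the real objects instead ($rg and $name are placeholders):
#   Get-VmssAgentRolloutGap -Vmss (Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $name) `
#       -Instances (Get-AzVmssVM -ResourceGroupName $rg -VMScaleSetName $name)
```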
When I run this cmdlet using a PowerShell script,
New-AzResource -ResourceId "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.AAD/DomainServices/xxxxx.xxxxxxxx.com" -Location eastus2 -Properties @{"DomainName"="xxxxx.xxxxxxxx.com"; "SubnetId"="/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/will-vnet-rg/providers/Microsoft.Network/virtualNetworks/will-vnet/subnets/will-core-subnet"} -ApiVersion 2017-06-01 -Force -Verbose
I get this error,
New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details.
At C:\tf\advantage\dev\deploy\scripts\Azure-Functions.ps1:89 char:5
+ New-AzResource -ResourceId "/subscriptions/$subscription/resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzResource], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet
The resources it depends on exist; earlier in my script I create them. I am able to create the Domain Service manually through the Azure Portal; however, using the PowerShell cmdlet to create it does not work.
In the portal, the resource says "The managed domain is in a failed state. Contact support with your Azure AD tenant ID and the domain name of the managed domain."
Failed Domain in the portal
To create the Azure Active Directory Domain Service with PowerShell, you could use the built-in PowerShell command New-AzADDomainService directly. You also need to create some required Azure AD resources first.
Sample:
# Change the following values to match your deployment.
$AaddsAdminUserUpn = "admin@contoso.onmicrosoft.com"
$ResourceGroupName = "myResourceGroup"
$VnetName = "myVnet"
$AzureLocation = "westus"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "aaddscontoso.com"
# Connect to your Azure AD directory.
Connect-AzureAD
# Login to your Azure subscription.
Connect-AzAccount
# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
# First, retrieve the object ID of the 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
-Filter "DisplayName eq 'AAD DC Administrators'" | `
Select-Object ObjectId
# Create the delegated administration group for Azure AD Domain Services if it doesn't already exist.
if (!$GroupObjectId) {
$GroupObjectId = New-AzureADGroup -DisplayName "AAD DC Administrators" `
-Description "Delegated group to administer Azure AD Domain Services" `
-SecurityEnabled $true `
-MailEnabled $false `
-MailNickName "AADDCAdministrators"
}
else {
Write-Output "Admin group already exists."
}
# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
-Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
Select-Object ObjectId
# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
# Create the resource group.
New-AzResourceGroup `
-Name $ResourceGroupName `
-Location $AzureLocation
# Create the dedicated subnet for AAD Domain Services.
$SubnetName = "DomainServices"
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
-Name DomainServices `
-AddressPrefix 10.0.0.0/24
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
-Name Workloads `
-AddressPrefix 10.0.1.0/24
# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet=New-AzVirtualNetwork `
-ResourceGroupName $ResourceGroupName `
-Location $AzureLocation `
-Name $VnetName `
-AddressPrefix 10.0.0.0/16 `
-Subnet $AaddsSubnet,$WorkloadSubnet
$NSGName = "aaddsNSG"
# Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
$nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 201 `
-SourceAddressPrefix CorpNetSaw `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389
# Create a rule to allow TCP port 5986 traffic for PowerShell remote management
$nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 301 `
-SourceAddressPrefix AzureActiveDirectoryDomainServices `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 5986
# Create the network security group and rules
$nsg = New-AzNetworkSecurityGroup -Name $NSGName `
-ResourceGroupName $ResourceGroupName `
-Location $AzureLocation `
-SecurityRules $nsg201,$nsg301
# Get the existing virtual network resource objects and information
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$addressPrefix = $subnet.AddressPrefix
# Associate the network security group with the virtual network subnet
Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
-VirtualNetwork $vnet `
-AddressPrefix $addressPrefix `
-NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork
# Enable Azure AD Domain Services for the directory.
$replicaSetParams = @{
    Location = $AzureLocation
    SubnetId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"
}
$replicaSet = New-AzADDomainServiceReplicaSetObject @replicaSetParams
$domainServiceParams = @{
    Name = $ManagedDomainName
    ResourceGroupName = $ResourceGroupName
    DomainName = $ManagedDomainName
    ReplicaSet = $replicaSet
}
New-AzADDomainService @domainServiceParams
Reference - Enable Azure Active Directory Domain Services using PowerShell
If you are also experiencing this issue, I have figured out a workaround. I am not sure what is wrong with the New-AzResource cmdlet that I wrote, but I ended up creating the domain service manually in the portal, and then downloading the JSON template. I tried converting it to BICEP using the decompiler, but for whatever reason, it wouldn't take it. So to fix, I manually wrote a BICEP file to create the Domain Service.
New-AzResourceGroupDeployment -ResourceGroupName $vnetResourceGroup -TemplateFile "C:\dev\pub\Bicep Files\domain.bicep" -shortName $shortName -managedDomainName $managedDomainName -location $location -subnetAddressPrefix "$($coreSubnet.AddressPrefix)"
Use this link if you need help to write a BICEP file for a domain service.
I have set up a Shared Image Gallery and added a VM image to it. I can provision a new VM in my subscription from it. A friend wants to use that same image to provision the same VM in his subscription, a totally different Azure account. He has added me temporarily as an owner to his subscription and I can change directory from my Azure portal to access and work with it no problem.
When I try to create a VM, I can't find the gallery in my subscription/account from his subscription (a totally different Azure account).
I have tried making an application registration and even added permissions for the application in his subscription too (contributor). Still can't see it.
Is this possible at all or am I doing something wrong?
thank you much
At the moment, we have no way to use the portal to deploy a VM from an image in another Azure tenant. To create a VM from an image shared between tenants, you must use the Azure CLI or PowerShell. For more details, please refer to here.
For example:
1. Create a service principal in tenant 1
2. Give tenant 2 access
a. Register the sp into tenant 2
We can implement it by requesting a sign-in using a browser:
https://login.microsoftonline.com/<Tenant 2 ID>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
b. Assign Azure RBAC role Contributor to the sp
3. Create VM
a. Log into both tenants using the application ID, secret and tenant ID.
$applicationId = '<App ID>'
$secret = '<Secret>' | ConvertTo-SecureString -AsPlainText -Force
$tenant1 = "<Tenant 1 ID>"
$tenant2 = "<Tenant 2 ID>"
$cred = New-Object -TypeName PSCredential -ArgumentList $applicationId, $secret
Clear-AzContext
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant1
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant2
b. Create VM
$resourceGroup = ""
$location = ""
$vmName = ""
# Set a variable for the image version in Tenant 1 using the full image ID of the shared image version
$image = "/subscriptions/<Tenant 1 subscription>/resourceGroups/<Resource group>/providers/Microsoft.Compute/galleries/<Gallery>/images/<Image definition>/versions/<version>"
# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."
# Create a resource group
New-AzResourceGroup -Name $resourceGroup -Location $location
# Networking pieces
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name mySubnet -AddressPrefix 192.168.1.0/24
$vnet = New-AzVirtualNetwork -ResourceGroupName $resourceGroup -Location $location `
-Name MYvNET -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig
$pip = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Location $location `
-Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp `
-Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
-Name myNetworkSecurityGroup -SecurityRules $nsgRuleRDP
$nic = New-AzNetworkInterface -Name myNic -ResourceGroupName $resourceGroup -Location $location `
-SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id
# Create a virtual machine configuration using the $image variable to specify the shared image
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_D1_v2 | `
Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
Set-AzVMSourceImage -Id $image | `
Add-AzVMNetworkInterface -Id $nic.Id
# Create a virtual machine
New-AzVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig
I want to create an automation schedule for an Azure Automation Runbook from PowerShell. I don't want it to be run by default on Azure, but on a Hybrid Worker, which is present in my Hybrid worker groups.
So I have these commands:
Import-AzureRmAutomationRunbook -Name $runbookName `
-Path $scriptPath `
-ResourceGroupName $automationResourceGroupName `
-AutomationAccountName $automationAccountName `
-Type PowerShellWorkflow
Publish-AzureRmAutomationRunbook -Name $runbookName `
-AutomationAccountName $automationAccountName `
-ResourceGroupName $automationResourceGroupName
New-AzureRmAutomationSchedule -Name $runbookName `
-AutomationAccountName $automationAccountName `
-StartTime $StartTime `
-ExpiryTime $EndTime `
-DayInterval 1 `
-ResourceGroupName $automationResourceGroupName
It can be done manually from the Azure portal:
but I need it to be done from PowerShell. I couldn't find it on MS docs.
If you are using the AzureRm module, just use Start-AzureRmAutomationRunbook and specify the -RunOn parameter with the name of your Hybrid Worker group.
Start-AzureRmAutomationRunbook -AutomationAccountName "MyAutomationAccount" -Name "Test-Runbook" -RunOn "MyHybridGroup"
Reference (it uses the new Az command) - https://learn.microsoft.com/en-us/azure/automation/automation-hrw-run-runbooks#start-a-runbook-on-a-hybrid-runbook-worker
Update:
To schedule the runbook, you could use Register-AzureRmAutomationScheduledRunbook and specify the -RunOn parameter.
Register-AzureRmAutomationScheduledRunbook -AutomationAccountName "Contoso17" -Name "Runbk01" -ScheduleName "Sched01" -ResourceGroupName "ResourceGroup01" -RunOn "MyHybridGroup"
The following script runs okay, I can see it doing the designed task (deploying 500 virtual machines) but I get a warning from New-AzVM that tells me that it's using the most sane storage account that it can reach. I've been having a lot of problems with the virtual machines that it spins up, and they are spinning up very slowly (at a speed of about 10 per hour) and I was wondering if the problem might be that I'm unable to designate a storage account as part of the configuration.
I've done quite a few Google searches, looking through the Microsoft documentation on these scripts, and haven't found a way to specify the configuration I want.
The script I'm using is this:
$rgn = "VolumetricTest"
$passwd = ConvertTo-SecureString "password" -AsPlainText -Force
$logincred = New-Object System.Management.Automation.PSCredential("xadminx",$passwd)
$vnet = Get-AzVirtualNetwork -Name volumetric-vnet -ResourceGroupName VolumetricTest
$loc = "East US"
$nsg_rdp_in = New-AzNetworkSecurityRuleConfig -name "RDP_in" -Protocol Tcp -Direction Inbound -Priority 300 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsg_rdp_out = New-AzNetworkSecurityRuleConfig -name "RDP_out" -Protocol Tcp -Direction Outbound -Priority 301 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$suffixes = @()
1..500 | ForEach-Object { $nm = $_.ToString("000"); $suffixes += @("$nm") }
Foreach ( $suffix in $suffixes) {
Write-Host $suffix
$vmname = "SCLD-VT-W$suffix"
Write-Host $vmname
$nsg = New-AzNetworkSecurityGroup -Name "nsgW$suffix" -ResourceGroupName VolumetricTest -Location 'East US' -SecurityRules $nsg_rdp_in
Write-Host $nsg.Id
$net = New-AzNetworkInterfaceIpConfig -name "WNetAddr$suffix" -Subnet $( Get-AzVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet ) -Primary
$nic = New-AzNetworkInterface -Name "WNetif$suffix" -ResourceGroupName VolumetricTest -Location 'East US' -IpConfiguration $net -NetworkSecurityGroupId $nsg.Id
Write-Host $nic.Id
$vmconfig = New-AzVMConfig -VMName $vmname -VMSize "Standard_B2s" | Set-AzVMOperatingSystem -Windows -ComputerName $vmname -Credential $logincred | Set-AzVMSourceImage -PublisherName "microsoftwindowsdesktop" -Offer "Windows-10" -skus 'rs1-enterprise' -Version latest | Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rgn -Location "East US" -VM $vmconfig
}
(details replaced with filler of course)
results like:
014
SCLD-VT-W014
/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/VolumetricTest/providers/Microsoft.Network/networkSecurityGroups/nsgW014
/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/VolumetricTest/providers/Microsoft.Network/networkInterfaces/WNetif014
WARNING: Since the VM is created using premium storage or managed disk, existing standard storage account, volumetrictestbootdiag, is used for boot diagnostics.
This machine was created in about 2 minutes.
Some machines seem to take less than a minute to spin up, while others take upwards of 10.
It selects the proper storage account I want to use, at least.
When you create a VM, if you enable diagnostics you have to specify a storage account. In this case, if you don't specify an SA, it will create a storage account for you or select any existing storage account.
You could use Set-AzureRmVMBootDiagnostics to modify the boot diagnostics properties of a virtual machine to specify the storage configuration.
Set-AzureRmVMBootDiagnostics -VM $VM -Enable -ResourceGroupName "ResourceGroup11" -StorageAccountName "DiagnosticStorage"
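The NSG rules in the scripts on this page differ in source scope: the Domain Services sample limits 3389 and 5986 to the CorpNetSaw and AzureActiveDirectoryDomainServices service tags, while the VM-creation scripts allow 3389 from `*`. The following added example (not code from any of the posts) flags inbound Allow rules that expose those ports to any source; the function names and the list of "any source" values are assumptions, and the sample rules are constructed from the parameter values used above.

```powershell
# Added example. Rule objects use the property names set by
# New-AzNetworkSecurityRuleConfig; the sample rules below are constructed.
function Test-PortInRange {
    param([string] $Range, [int] $Port)
    if ($Range -eq '*') { return $true }
    # A range is either a single port ("3389") or "low-high" ("3000-4000").
    $lo, $hi = $Range -split '-', 2
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

function Find-ExposedManagementRule {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rules,
        [int[]] $Ports = @(3389, 5986)
    )
    # Assumption: these source values are treated as "reachable from anywhere".
    $anySource = '*', '0.0.0.0/0', 'Internet'
    foreach ($rule in $Rules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        # Prefixes and port ranges may be a single string or a list of strings.
        if (-not (@($rule.SourceAddressPrefix) | Where-Object { $anySource -contains $_ })) { continue }
        $exposed = @(foreach ($port in $Ports) {
            if (@($rule.DestinationPortRange) | Where-Object { Test-PortInRange $_ $port }) { $port }
        })
        if ($exposed.Count -gt 0) {
            [pscustomobject]@{ Rule = $rule.Name; Priority = $rule.Priority; Ports = $exposed }
        }
    }
}

# Constructed sample: the rule definitions that appear in the scripts on this page.
$sampleRules = @(
    [pscustomobject]@{ Name = 'AllowRD'; Direction = 'Inbound'; Access = 'Allow'; Priority = 201
                       SourceAddressPrefix = 'CorpNetSaw'; DestinationPortRange = '3389' }
    [pscustomobject]@{ Name = 'AllowPSRemoting'; Direction = 'Inbound'; Access = 'Allow'; Priority = 301
                       SourceAddressPrefix = 'AzureActiveDirectoryDomainServices'; DestinationPortRange = '5986' }
    [pscustomobject]@{ Name = 'myNetworkSecurityGroupRuleRDP'; Direction = 'Inbound'; Access = 'Allow'; Priority = 1000
                       SourceAddressPrefix = '*'; DestinationPortRange = '3389' }
    [pscustomobject]@{ Name = 'RDP_in'; Direction = 'Inbound'; Access = 'Allow'; Priority = 300
                       SourceAddressPrefix = '*'; DestinationPortRange = '3389' }
    [pscustomobject]@{ Name = 'RDP_out'; Direction = 'Outbound'; Access = 'Allow'; Priority = 301
                       SourceAddressPrefix = '*'; DestinationPortRange = '3389' }
)
Find-ExposedManagementRule -Rules $sampleRules

# For a deployed group ($n and $rg are placeholders):
#   Find-ExposedManagementRule -Rules (Get-AzNetworkSecurityGroup -Name $n -ResourceGroupName $rg).SecurityRules
```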
How to check stopped virtual machines with different resources by Azure PowerShell script
I tried to do that script, please help me.
To get the status of the VMs, you can try the below script:
#login
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName 'subscription-name'
Get-AzureRmVM -Status | Format-Table
If you want it resource group wise, you can try this script:
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName 'subscription-name'
$RG = "ResourceGroupName"
$VM = "vmname"
$VMStats = (Get-AzureRmVM -Name $VM -ResourceGroupName $RG -Status).Statuses
($VMStats | Where Code -Like 'PowerState/*')[0].DisplayStatus