Least Privilege Role to start/stop VM in Azure - azure

Is there any standard role that gives privileges to start/stop Virtual Machines in an Azure resource group without also giving creation privileges or privileges to modify existing resources? I didn't find one in the documentation; is the only solution to create custom roles?

Yes, the only solution is to create a custom role. Sample PowerShell:
$subs = Get-AzureRmSubscription
# Resource start\stop role: clone a built-in role, then replace its action list
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null    # a null Id makes New-AzureRmRoleDefinition create a new role
$role.Name = "Resource Start/Stop (Scheduled)"
$role.Description = "Can read\start\stop VMs"
# Drop the inherited Contributor actions and keep only read + power-state actions
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
# Make the role assignable in every subscription the current account can see
$role.AssignableScopes.Clear()
$subs | ForEach-Object {
    $scope = "/subscriptions/{0}" -f $_.Id
    $role.AssignableScopes.Add($scope)
}
$def = New-AzureRmRoleDefinition -Role $role
You can remove the restart action if you don't need to restart VMs.
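The same least-privilege role, as an added example that is not part of the answer above, written for the current Az module: the definition is built as JSON, created or updated idempotently, and then checked so that it never carries a wildcard, write or delete action. The subscription id and role name are placeholders; the powerOff action is included alongside deallocate because the two stop a VM differently.

```powershell
# Added example: least-privilege VM start/stop role with the Az module.
# Placeholder: replace <subscription-id> with your own subscription.
$subscriptionId = "<subscription-id>"
$roleName       = "VM Start/Stop Operator"

# Only the actions needed to observe and change VM power state.
# 'deallocate' releases the compute hardware; 'powerOff' shuts the guest
# down but keeps the allocation (and the compute billing).
$definition = @{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Read VMs and change their power state. No create/delete/modify."
    Actions          = @(
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

$jsonPath = Join-Path ([System.IO.Path]::GetTempPath()) "vm-start-stop-role.json"

# Create the role if it does not exist, otherwise update it in place.
$existing = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding utf8
    New-AzRoleDefinition -InputFile $jsonPath | Out-Null
} else {
    $definition["Id"] = $existing.Id    # Set-AzRoleDefinition needs the existing Id
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding utf8
    Set-AzRoleDefinition -InputFile $jsonPath | Out-Null
}

# Verify: fail loudly if the role ever gains a broad or mutating action.
$role = Get-AzRoleDefinition -Name $roleName
$dangerous = $role.Actions | Where-Object { $_ -match '/(write|delete)$' -or $_ -match '\*' }
if ($dangerous) {
    throw "Role '$roleName' contains broad or mutating actions: $($dangerous -join ', ')"
}
"Role '$roleName' actions: $($role.Actions -join ', ')"
```

The final check is worth keeping in whatever pipeline maintains the role: a later edit that adds `Microsoft.Compute/*` or a `/write` action would silently turn a stop/start operator into something that can modify VMs, and the throw catches that before assignment.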

Related

Is it possible to run a report to see who has access to the Application Insights instances on the Azure Subscriptions?

Is it possible to run a report to see who has access to the Application Insights instances on the Azure Subscriptions?
If yes, then how do I get it?
You can use the PowerShell script below to check the contributors and owners of a particular Application Insights resource under a specific resource group.
$resourceGroup = "RGNAME"
$resourceName = "AppInsightsName"
$resourceType = "microsoft.insights/components"
# List the unique sign-in names holding Owner or Contributor on this component
(Get-AzRoleAssignment -ResourceGroup $resourceGroup -ResourceType $resourceType -ResourceName $resourceName | Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor') } | Select-Object -ExpandProperty SignInName | Sort-Object -Unique) -Join ", "
If a particular user is assigned the Application Insights Component Contributor role, he will have access to all the Application Insights resources present under a particular subscription.
If any user has any of the RBAC roles listed in the documentation, they will be able to access Application Insights.
Based on those RBAC roles, you can modify the PowerShell script according to your requirement.
For more information about resources, roles, and access control in Application Insights, refer to this documentation.
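An added example, not from the answer above, that turns the one-resource query into a subscription-wide report: it walks every Application Insights component, lists the role assignments that apply to it including those inherited from the resource group, subscription or management group, and marks group principals so their membership can be expanded separately. The set of roles treated as privileged is an assumption to adjust.

```powershell
# Added example: who can reach each Application Insights component in the
# current subscription, including inherited role assignments.
Connect-AzAccount | Out-Null

# Roles treated as privileged for this report (assumed list; adjust as needed).
$privilegedRoles = @('Owner', 'Contributor', 'Application Insights Component Contributor')

$report = foreach ($component in Get-AzResource -ResourceType 'microsoft.insights/components') {
    # Get-AzRoleAssignment -Scope returns assignments at this scope and at
    # every parent scope, so access inherited from above is included.
    $assignments = Get-AzRoleAssignment -Scope $component.ResourceId
    foreach ($a in $assignments) {
        [pscustomobject]@{
            Component     = $component.Name
            ResourceGroup = $component.ResourceGroupName
            Principal     = if ($a.SignInName) { $a.SignInName } else { $a.DisplayName }
            PrincipalType = $a.ObjectType          # User, Group, ServicePrincipal
            Role          = $a.RoleDefinitionName
            Scope         = $a.Scope
            Inherited     = ($a.Scope -ne $component.ResourceId)
            Privileged    = ($a.RoleDefinitionName -in $privilegedRoles)
        }
    }
}

# Groups hide their members; surface them so they can be expanded separately.
$groups = $report | Where-Object PrincipalType -eq 'Group' | Select-Object -Unique Principal
if ($groups) { Write-Warning "Group assignments present, expand membership for: $($groups.Principal -join ', ')" }

$report | Sort-Object Component, Role, Principal |
    Format-Table Component, Principal, PrincipalType, Role, Inherited, Privileged -AutoSize

$report | Export-Csv -Path 'appinsights-access-report.csv' -NoTypeInformation
```

Filtering the single-resource query by `SignInName` alone, as in the answer, drops service principals and groups (they have no sign-in name); the `Principal` column above falls back to `DisplayName` for exactly that reason.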

Use Powershell List All Azure Storage Accounts & Network Rules

I have about 50 Azure storage accounts in a client tenant. I need to go through and update the storage accounts so that network access is restricted to specific virtual networks. A few storage accounts have network restrictions in place, but most do not.
Rather than manually selecting all storage accounts one at a time in the Azure Portal, I need a way to select all storage accounts and then list the network rules in place (if any) for each storage account. The storage accounts are also in different resource groups. I ran a basic command to get a list of all storage accounts, but now I'm looking to display the network rules applied to each storage account:
Get-AzureRMStorageAccount | Export-CSV C:\....
Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName "allRG's" -AccountName "allStorageAccounts"
I'm not sure how to issue the Get-AzureRmStorageAccountNetworkRuleSet command and have it select each storage account and its respective resource group. Any help would be appreciated, thanks!
You can use the PowerShell script below to get all the storage accounts present in your subscription and then each one's network rule set property.
Connect-AzAccount
$Result = @()
$Storageaccounts = Get-AzStorageAccount
$Storageaccounts | ForEach-Object {
    $storageaccount = $_
    # Each account carries its own resource group, so no manual mapping is needed
    Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageaccount.ResourceGroupName -AccountName $storageaccount.StorageAccountName | ForEach-Object {
        $Result += New-Object PSObject -Property @{
            Account       = $storageaccount.StorageAccountName
            ResourceGroup = $storageaccount.ResourceGroupName
            Bypass        = $_.Bypass
            Action        = $_.DefaultAction      # Allow = open to all networks, Deny = restricted
            IPrules       = $_.IpRules
            Vnetrules     = $_.VirtualNetworkRules
            ResourceRules = $_.ResourceAccessRules
        }
    }
}
$Result | Select-Object Account, ResourceGroup, Bypass, Action, IPrules, Vnetrules, ResourceRules
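An added example, not part of the answer above, that goes one step further than listing: it flags the accounts whose default action is still Allow (open to all networks), exports the posture to CSV, and previews with -WhatIf the change that would flip those accounts to default-deny. It assumes an Az context is already set.

```powershell
# Added example: audit every storage account's network rule set and preview
# restricting the ones still open to all networks. Assumes Connect-AzAccount
# and Set-AzContext have already been run.
function Get-StorageNetworkPosture {
    foreach ($sa in Get-AzStorageAccount) {
        $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $sa.ResourceGroupName `
                                                    -AccountName $sa.StorageAccountName
        [pscustomobject]@{
            Account       = $sa.StorageAccountName
            ResourceGroup = $sa.ResourceGroupName
            DefaultAction = [string]$rules.DefaultAction   # Allow = open to all networks
            Bypass        = [string]$rules.Bypass          # e.g. AzureServices, Logging, Metrics
            IpRuleCount   = @($rules.IpRules).Count
            VnetRuleCount = @($rules.VirtualNetworkRules).Count
            Open          = ([string]$rules.DefaultAction -eq 'Allow')
        }
    }
}

$posture = Get-StorageNetworkPosture
$posture | Format-Table -AutoSize
$posture | Export-Csv -Path 'storage-network-rules.csv' -NoTypeInformation

# Preview only: flip open accounts to default-deny. Drop -WhatIf only after the
# vnet/IP rules for legitimate clients are in place, because a bare Deny with
# no rules cuts off every network path except the services listed in Bypass.
foreach ($sa in $posture | Where-Object Open) {
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $sa.ResourceGroup `
        -Name $sa.Account -DefaultAction Deny -WhatIf
}
```

Running the audit before and after the change gives a before/after CSV pair that documents which accounts were opened to the world and when they were closed.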

Azure PIM for VM Admin Role

I am new to Azure PIM and exploring its capabilities.
I have a use case in hand wherein I need to make the VM Admin role requestable via PIM. I am trying to build a custom role so that I can attach a single VM to the role as part of its scope, but am unable to do so. All the VMs present in the subscription/resource group are getting attached to the role, which is not the requirement.
So, in short, is it possible to create a custom role with the scope defined for a single VM only, even though there are multiple VMs in the subscription and/or resource group?
Yes. You could do that with the Az PowerShell cmdlet New-AzRoleDefinition.
Please refer to the second example here. (Modify $subs = '/subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}')
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Virtual Machine Operator 2'
$role.Description = 'Can monitor and restart virtual machines.'
$role.IsCustom = $true
# Read-only visibility of the resources a VM depends on
$perms = 'Microsoft.Storage/*/read','Microsoft.Network/*/read','Microsoft.Compute/*/read'
# The only mutating actions: change VM power state
$perms += 'Microsoft.Compute/virtualMachines/start/action','Microsoft.Compute/virtualMachines/restart/action'
$perms += 'Microsoft.Authorization/*/read'
$perms += 'Microsoft.ResourceHealth/availabilityStatuses/read'
$perms += 'Microsoft.Resources/subscriptions/resourceGroups/read'
$perms += 'Microsoft.Insights/alertRules/*','Microsoft.Support/*'
$role.Actions = $perms
# Reuse the built-in role's exclusions rather than maintaining a separate list
$role.NotActions = (Get-AzRoleDefinition -Name 'Virtual Machine Contributor').NotActions
# AssignableScopes limited to one VM's resource id
$subs = '/subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}'
$role.AssignableScopes = $subs
New-AzRoleDefinition -Role $role
Then you can assign this custom role to users in the Azure Portal -> this VM -> Access control (IAM).
You can also use the cmdlet New-AzRoleAssignment to assign the role.
New-AzRoleAssignment -ObjectId {objectID of the user} -RoleDefinitionName 'Virtual Machine Operator 2' -Scope '/subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}'
Make sure the value of -Scope here is the same as AssignableScopes in the first script.
BTW:
In fact, I don't think it's necessary to attach a single VM to the role as part of its scope.
When you assign the role to a user, you need to specify the scope as shown in the second script above. You can create the custom role with all the VMs present in the subscription/resource group attached. When you assign the role, you specify only one particular VM as the scope. Then the user can only manage this VM, and not any other VMs.
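The assignment-scope approach from the answer, as an added example that is not the answer's own code: the VM's resource id is taken from Get-AzVM rather than hand-built, the assignment is made idempotently at that single scope, and a final check warns if the same principal also holds the role at resource group or subscription level, where it would cover every other VM. The role name is reused from the answer; user, resource group and VM names are placeholders.

```powershell
# Added example: assign an existing custom role at the scope of one VM only
# and confirm the principal holds nothing broader. Placeholders in angle brackets.
$roleName      = 'Virtual Machine Operator 2'
$userUpn       = '<user@contoso.example>'
$resourceGroup = '<resourceGroup_name>'
$vmName        = '<VM_name>'

# Derive the resource id from the VM object instead of hand-building the string.
$vm    = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$scope = $vm.Id
$user  = Get-AzADUser -UserPrincipalName $userUpn

# Idempotent assignment at the single-VM scope. Get-AzRoleAssignment -Scope also
# returns inherited assignments, so filter to the exact scope before deciding.
$existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -Scope $scope |
            Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Verify: every assignment this user holds for the role must sit at a VM scope.
# An assignment at resource group or subscription level would reach other VMs.
$broad = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName |
         Where-Object { $_.Scope -notmatch '/providers/Microsoft\.Compute/virtualMachines/' }
if ($broad) {
    Write-Warning "Role '$roleName' is also assigned above VM scope: $($broad.Scope -join ', ')"
} else {
    "OK: '$roleName' for $userUpn is scoped to $scope only"
}
```

The same pattern applies when the assignment is made eligible through PIM instead of active: the scope string handed to PIM is the VM's resource id, and the verification loop is what tells you whether a broader active assignment already makes the PIM request moot.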

How to create an azure custom role

I am looking for someone who has created a custom role in Azure for Network Administrators and would be willing to share their handiwork. Why re-invent the wheel?
Thanks,
Rick
You can create a custom role like this:
# Start from the built-in role and replace its action list
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null    # null Id = create a new definition rather than update the built-in one
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
$role.Actions.Add("Microsoft.Support/*")
# Subscriptions in which this role may be assigned
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e")
$role.AssignableScopes.Add("/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624")
New-AzureRmRoleDefinition -Role $role
It starts with an already existing role and then adds read permissions to compute, storage, etc.
Have a look at the link for more information on how to create and configure custom roles.

How to programmatically restart an Azure VM role (PaaS VM)

I have a PaaS VM role that needs to be restarted using the Azure Management Libraries. I tried the following code but failed with "BadRequest: The operation is not supported on a role of type MyPaaSVmName". But I successfully restarted an IaaS VM using Method 1 below.
Is it possible to restart a PaaS VM role using the Azure Management Libraries?
If not, is there any other way to achieve it using C#?
1.
ComputeManagementClient client = new ComputeManagementClient(cloudCredentials);
client.VirtualMachines.Restart(hostedServiceName, deploymentName, vmName);
2.
ComputeManagementClient client = new ComputeManagementClient(cloudCredentials);
VirtualMachineOperationsExtensions.Restart(client.VirtualMachines, hostserviceName, deploymentName, vmName);
Thank you.
Found the issue.
Method 1 should be like this, as I am restarting a role instance. Method 2 is wrong.
client.Deployments.RebootRoleInstanceByDeploymentName(hostserviceName, deploymentName, roleName);
Here's how you can do it using Azure PowerShell:
Reset-AzureRoleInstance -ServiceName "MySvc1" -Slot Staging -InstanceName "MyWebRole_IN_0" -Reboot
https://msdn.microsoft.com/en-us/library/azure/dn495202.aspx
And here's a snippet from an Azure Automation Runbook which can reboot all of a cloud service's instances, per update domain (so you have no downtime):
https://gallery.technet.microsoft.com/Reboot-Cloud-Service-PaaS-b337a06d
$roleInstances = Get-AzureRole -ServiceName $cloudServiceName -Slot Production -InstanceDetails
Write-Output "Retrieved all role instances for cloud service: $cloudServiceName. Number of instances: $($roleInstances.Count)"
# Group instances per update domain
$roleInstanceGroups = $roleInstances | Group-Object -AsHashTable -AsString -Property InstanceUpgradeDomain
Write-Output "Number of update domains found: $($roleInstanceGroups.Keys.Count)"
# Visit each update domain in turn; instances in other domains keep serving
foreach ($key in $roleInstanceGroups.Keys)
{
    $perDomainInstances = $roleInstanceGroups.Get_Item($key)
    $count = $perDomainInstances.Count
    Write-Output "Rebooting $count instances in domain $key"
    # foreach -parallel is PowerShell Workflow syntax (Automation runbook), so
    # all instances of one update domain reboot concurrently
    foreach -parallel ($instance in $perDomainInstances)
    {
        $instanceName = $instance.InstanceName
        Write-Output "Rebooting instance $instanceName"
        Reset-AzureRoleInstance -ServiceName $cloudServiceName -Slot Production -InstanceName $instanceName -Reboot -ErrorAction Stop
    }
}
