I am trying to automate the addition of azure virtual machines to azure ad security groups.
Add-AzureADGroupMember -ObjectId -RefObjectId
I am trying to find out the input for parameter -RefObjectId but no luck.
Is there a way to find out the refrence objectid of an azure virtual machine?
You need to enable MSI for the VM, then it will generate a service principal, I suppose you want to add the service principal of the VM to the AAD security group.
Follow the doc to enable MSI, then navigate to your VM -> Identity, you will see the Object ID, that is the property you need to pass to -RefObjectId.
#Joy wang
Thanks, that worked. apparently, i didnot automate identity on on the machines. I modified the arm script to turn on the identity on and i took the id from the output of
Get-AzureADserviceprincipal -searchstring "vmname"
Related
I am trying to put some auto start policy on my VM on Azure.
So, I used automation account and power shell script to do this from this link: https://adamtheautomator.com/azure-vm-schedule/
But on testing it give me error of Run Login-AzureRmAccount to login
Please suggest how to fix this?
## Get the Azure Automation Acount Information
$azConn = Get-AutomationConnection -Name 'AzureRunAsConnection'
## Add the automation account context to the session
Add-AzureRMAccount -ServicePrincipal -Tenant $azConn.TenantID -ApplicationId $azConn.ApplicationId -CertificateThumbprint $azConn.CertificateThumbprint
## Get the Azure VMs with tags matching the value '10am'
$azVMs = Get-AzureRMVM | Where-Object {$_.Tags.StartTime -eq '10am'}
## Start VMs
$azVMS | Start-AzureRMVM
Regards
ESNGSRJ
This can happen when the Run As account isn't configured appropriately. You will need to create one to provide authentication for managing resources on the Azure Resource Manager using Automation runbooks.
When you create a Run As account, it performs the following tasks:
Creates an Azure AD application with a self-signed certificate, creates a service principal account for the application in Azure AD, and assigns the Contributor role for the account in your current subscription.
Creates an Automation certificate asset named AzureRunAsCertificate in the specified Automation account.
Creates an Automation connection asset named AzureRunAsConnection in the specified Automation account.
Please note the following requirements from the referenced link:
You must have an Azure Automation Account with an Azure Run As account already prepared. If you don’t have this yet, learn how to create one when you go to Create a new Automation account in the Azure portal.
The Azure PowerShell module must be installed. If you don’t have this yet, please go to the Install the Azure PowerShell module page for more information.
Note: You can configure your Runbook to use managed identities as well and it has added benefits as compared to using Run As accounts. You can get started with this tutorial to use managed identity.
I would like to add an Azure app as member of the Azure Group. I am owner of the Group but when I click on Add-->Member , it only lists individual users and there is no option for adding an app:-
I am not trying to provide access to the SG so it can access the app (for that I will have to go to the specific app page) rather I am trying to make the app as the 'member' of an Azure group that I already own. But I just don't see an option for doing that.
If your group is an Office group, it does not support to add the service principal as a member(i.e. the MSI of your datafactory, which is essentially a service principal created by azure automatically in general, see this link).
If you want to add the service principal to the group, you need to use the Security group, see this link.
If your User type is member, but you are not able to create the Security group, the UsersPermissionToCreateGroupsEnabled setting should be set with false in your Azure AD tenant.
See To restrict the default permissions for member users:
For more details, refer to this link.
You need to run this command first from powershell to create the managed identity
Set-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>
https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
When using Azure Key Vault management REST API or cmdlet Add-AzureRmKeyVaultNetworkRule to allow a virtual network to access a key vault, I get the following error:
The client '{guid}' with object id '{guid}' does not have authorization to perform
action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action'
over scope '/subscriptions/{guid}/resourcegroups/{resource-group}/providers/microsoft.network/virtualnetworks/{vnet-name}/taggedTrafficConsumers/Microsoft.KeyVault'
What is wrong?
Your subscription is not giving Microsoft.KeyVault resource provider permission to access Microsoft.Network resources. The fix is to register your subscription to Microsoft.KeyVault again:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
This will add required permissions for Microsoft.KeyVault and Microsoft.Network integrations, including the ability to limit access to a given Virtual Network.
For more information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
This are the steps required to solve it:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal
You just need to register the resource provider in the subscription, this doesn't only happens with Key Vault, my issue was with Sql Server as well :)
So I leave this answer here in case someone else needs it
This feels like a bug/limitation in both the Azure Portal and Azure CLI. We ran into this when trying to allow a subnet of a VNET in subscription X to access a storage account in subscription Y.
For us, the workaround was to look-up the name of the service principal that was mentioned in the error in our Azure AD directory using the "Search your tenant" box on the "Overview" tab of the directory (NOT the subscription but the Azure AD directory for the tenant). The name of the SP turned out to be "Storage Resource Provider" (yours may be different, so that's why you need to look it up in Azure AD), so we granted that SP "Owner" role (temporarily) in the other subscription. Then provisioning worked!
There should be a finer-grained set of permissions you need to grant than just "Owner" but when we granted just the "validate" permission, we got a new error:
Failed to save firewall and virtual network settings for storage account 'XXX'. Error: An operation is currently performing on this storage account that requires exclusive access.
Also experienced this error when adding a vnet to a storage-account in another subscription.
Fixed by adding a storage-account to the subscription using the portal. Then the vnet could be added to the storage-account.
Note: the result is the same as #fernacolo does with a powershell command.
I have a Azure Key Vault in which I want to add access policies for my MSI enabled App Service using powershell.
Using portal it's straightforward. As you can see below, I am searching by my app service name and I see app service and app registrations both.
in above example I selected app service directly without registrating it in Azure AD and it's working awesome.
I just need guidance to do the same using Azure Powershell(which will run VSTS SPN).
Please help.
Thanks
Set-AzureRmKeyVaultAccessPolicy -VaultName $valutName -UserPrincipalName 'PattiFuller#contoso.com' -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru
Make sure you have logged in from the PowerShell and selected the resource group where the resource exists before you run the command.
Refer documentation for more.
You need to use the the Set-AzureRmKeyVaultAccessPolicy command but with ObjectId parameter.
Set-AzureRmKeyVaultAccessPolicy -VaultName my-keyvault -ResourceGroupName my-resource-group -ObjectId 15faf32d-146a-4985-a315-640527b6c489 -PermissionsToSecrets get
Bear in mind that MSI apps are registered as Enterprise Apps.
EDIT: Curious, what are you trying to achieve?
I looked for multiple solutions but could not find a proper solution for the creation of Azure AD application using PowerShell. I'm not looking to create an Azure AD itself but an application inside it.
Yes, you can do it through PowerShell. Please look at New-AzureADApplication Cmdlet: https://msdn.microsoft.com/en-us/library/dn986794.aspx.
Yes, you can use the Azure ARM commandlets:
https://msdn.microsoft.com/en-us/library/dn757692.aspx
You should look specifically at:
New-AzureADApplication - https://msdn.microsoft.com/en-us/library/mt603747.aspx
New-AzureADServicePrincipal - https://msdn.microsoft.com/en-us/library/mt603780.aspx
Here's an example of how you'd run them:
Login-AzureRmAccount
$app = New-AzureRmADApplication –DisplayName "My App" – HomePage "http://myapp" –IdentifierUris "http://myapp"
New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId
Note that the "classic" Azure Portal (manage.windowsazure.com) only shows "Service Principals" in the Applications tab. So if you only create the AD Application without creating the Service Principal, you won't see an entry in the portal.
You can find more info about Application Principals and Service Principals here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-objects/
Key points from that article: Application object: This object represents a definition for your app. You can find a detailed description of its properties in the Application Object section below.
ServicePrincipal object: This object represents an instance of your app in your directory tenant. You can apply policies to ServicePrincipal objects, including assigning permissions to the ServicePrincipal that allow the app to read your tenant’s directory data. Whenever you change your Application object, the changes are also applied to the associated ServicePrincipal object in your tenant.