I am now using the current Azure Dev Pack (18.03). When following the tutorial for connecting, I now get the following error when trying to connect:
The problem is that the tutorial only mentions the following dialog for connecting storage:
where the ARM endpoint has to be set to "https://adminmanagement.local.azurestack.external".
But after this dialog another dialog is shown which is not mentioned in the documentation at all:
Here it is not clear what is meant by the "Sign in resource id" or the "ARM resource id".
I found something, which might be at least the "ARM resource id":
So finally: What to insert for "Sign in resource id" and "ARM resource id"?
EDIT:
So after the answers below I requested these IDs manually:
But I still don't know exactly how to insert it. Doing it the following way:
still ends up in another error message:
EDIT 2:
What I corrected was that I again checked that I was using a Base64-encoded certificate. Further, it appeared to be an issue that in the above screenshot I had the ARM endpoint set to "adminmanagement..." while the resource IDs I requested were for "management...". So I altered the REST call for the ID to (Invoke-RestMethod -Uri https://adminmanagement.local.azurestack.external/metadata/endpoints?api-version=1.0).authentication.audiences[0].
It appears to be an improvement, because it ends up in a brand new error message:
Additional hint: If I now use a nonsense login that does not exist on the stack, I get the "Unable to sign in: access_denied: AADSTS65005: Invalid resource" error message in the popup at the top border of Storage Explorer.
From an internal program manager: this seems to be caused by a known regression issue in Storage Explorer version 0.9.6, where the Sign in resource id and ARM resource id aren't fetched properly during sign-in.
As a workaround, users can execute the sample cmdlet for ASDK below and then input the returned value for these two resource IDs.
For multi-node integrated system, the Azure Stack endpoint needs to be changed according to the environment configuration.
PowerShell:
(Invoke-RestMethod -Uri "https://management.local.azurestack.external/metadata/endpoints?api-version=1.0" -Method Get).authentication.audiences[0]
There will also be a new release of Storage Explorer to fix this bug soon.
Second Fix:
This issue can also happen when the wrong certificate type is exported. The certificate must be exported in Base-64 encoded X.509 format:
Try entering the invoke command like this:
(Invoke-RestMethod -Uri https://Adminmanagement.3171r06a.azcatcpec.com/metadata/endpoints?api-version=1.0).authentication.audiences[0]
or
(Invoke-RestMethod -Uri https://Adminmanagement.3171r06a.azcatcpec.com/metadata/endpoints?api-version=1.0).authentication
This returned results for me. Replace the region and DNS with what you have deployed.
The problems were solved with the release of Azure Storage Explorer v1.0.
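The workaround given in the answers above, wrapped into a reusable function. This is an added example and not code from the original question or answers. It queries the Azure Stack ARM metadata endpoint and returns the audience value that Storage Explorer expects in both "Sign in resource id" and "ARM resource id", for the endpoint you will actually type into the ARM endpoint field. The hostnames are the ASDK ones used on this page; on an integrated system replace them with your region and DNS. TLS validation is left on: if the call fails on certificate trust, import the Azure Stack root CA (Base-64 X.509 export) into the machine's trusted roots rather than skipping the check.

```powershell
# Added example: fetch the Storage Explorer resource ids from Azure Stack's
# ARM metadata endpoint. Not part of the original post.

function Get-AzureStackSignInMetadata {
    [CmdletBinding()]
    param(
        # ARM endpoint exactly as it will be entered in Storage Explorer
        [Parameter(Mandatory)]
        [ValidatePattern('^https://')]
        [string]$ArmEndpoint
    )

    $base = $ArmEndpoint.TrimEnd('/')
    $uri  = "$base/metadata/endpoints?api-version=1.0"

    # Fail fast on HTTP or TLS errors instead of returning a partial object.
    # Server certificate validation is deliberately left enabled.
    $meta = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop

    $audiences = @($meta.authentication.audiences)
    if ($audiences.Count -eq 0) {
        throw "No authentication.audiences returned by $uri"
    }

    # The admin ("adminmanagement...") and tenant ("management...") endpoints
    # return different audiences; the EDIT 2 failure came from mixing them.
    # Always take the value from the same endpoint you configure in the tool.
    [pscustomobject]@{
        ArmEndpoint      = $base
        LoginEndpoint    = $meta.authentication.loginEndpoint
        SignInResourceId = $audiences[0]   # paste into "Sign in resource id"
        ArmResourceId    = $audiences[0]   # paste into "ARM resource id"
        AllAudiences     = $audiences      # in case the environment lists more than one
    }
}

# Operator (admin) storage vs. tenant storage: pick the one matching your dialog.
Get-AzureStackSignInMetadata -ArmEndpoint 'https://adminmanagement.local.azurestack.external'
Get-AzureStackSignInMetadata -ArmEndpoint 'https://management.local.azurestack.external'
```

Because the metadata call is unauthenticated, it is also a quick way to confirm that the ARM endpoint you typed is reachable and presents a certificate your machine trusts before you debug the sign-in itself.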
Within Azure, we set up our OAuth 2.0 credentials in AAD with three separate App Registrations.
I will be referring to these below.
1: Client : this is the main registration.
2: Read: This one holds the AppRole 'Read'
3: Write: This one holds the AppRole 'Write'
Here are some pictures to clarify:
3 Registrations
AppRole inside Read:
I am trying to automate adding these last two as APIpermissions to the first one with powershell.
I have found this command:
Add-AzADAppPermission, and took a good look at the documentation here: https://learn.microsoft.com/en-us/powershell/module/az.resources/add-azadapppermission?view=azps-9.3.0
However, either I am missing something, or maybe this cannot be done with custom app registrations?
I keep getting the message
"Resource does not exist or one of its queried reference-property objects are not present."
I have checked that I am on the correct Tenant, and I have sufficient rights.
There are four parameters to consider, some clearer to me than others.
ApiId: which I assume, based on the documentation, should be Client.AppId
ApplicationId: could be the ObjectId/ApplicationId from Read, but perhaps it's from its corresponding Service Principal (External Application)? The documentation is not very clear on this one.
ObjectId: can replace ApplicationId, but I have the exact same question. The documentation does not specify anything other than "The unique identifier in Azure AD."
PermissionId: the documentation says but in the examples they use GUIDs. I have seen other examples with strings like "User.Read", so I figure this could be the DisplayName from the appRole inside my Read / Write app registrations.
I've looked for other examples beside the documentation, but so far I've found only examples regarding Built-in appRoles in MsGraph.
The fact that the message is twofold (either it is not there OR something is missing) does not help either.
Bottom line is, I can't figure out which Guid goes where.
I have tried numerous combinations of parameters and AAD GUIDs, be it ObjectIds and AppIds from both App Registrations and their respective Service Principals.
I tried to reproduce the same in my environment and got the same error as below:
Note that by using Add-AzADAppPermission one can add API permissions to the application, but it is not possible to add custom roles as API permissions.
Add-AzADAppPermission -ObjectId ObjectID -ApiId APIIdofthepermissions -PermissionId GUIDofAPIPermission
I am trying to add Group.Read.All Microsoft Graph API permission like below:
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
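The question asks which GUID goes into which parameter for the Client/Read/Write layout. The following is an added example, not code from the question or the answer, that maps the four parameters onto that layout using the documented meaning of each: -ObjectId is the object id of the application that receives the permission, -ApiId is the appId of the resource application that defines the AppRole, -PermissionId is the AppRole's Id GUID (not its DisplayName or Value), and -Type Role marks it as an application permission. The display names 'Client', 'Read' and 'Write' and the role values 'Read' and 'Write' are assumed from the question. It needs Az.Resources and an existing Connect-AzAccount session. The Graph 404 text quoted in the question is what comes back when -ObjectId is given a value that is not an application object id, so the function resolves every id from the directory instead of accepting GUIDs from the caller.

```powershell
# Added example: add an AppRole exposed by one app registration as a required
# permission of another. Not part of the original question or answer.

function Add-CustomAppRolePermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ClientDisplayName,   # registration that gets the permission
        [Parameter(Mandatory)] [string]$ResourceDisplayName, # registration that defines the AppRole
        [Parameter(Mandatory)] [string]$RoleValue            # AppRole "Value", e.g. 'Read'
    )

    # Resolve both registrations by display name and refuse ambiguity, so the
    # permission is never written to the wrong object.
    $client   = @(Get-AzADApplication -DisplayName $ClientDisplayName)
    $resource = @(Get-AzADApplication -DisplayName $ResourceDisplayName)
    if ($client.Count -ne 1)   { throw "Expected one app named '$ClientDisplayName', found $($client.Count)" }
    if ($resource.Count -ne 1) { throw "Expected one app named '$ResourceDisplayName', found $($resource.Count)" }

    # PermissionId is the AppRole's Id GUID; DisplayName/Value are only labels.
    $role = @($resource[0].AppRole | Where-Object { $_.Value -eq $RoleValue })
    if ($role.Count -ne 1) { throw "Expected one AppRole with value '$RoleValue' on '$ResourceDisplayName', found $($role.Count)" }

    $params = @{
        ObjectId     = $client[0].Id       # object id of the application (not its AppId, not the SP)
        ApiId        = $resource[0].AppId  # appId of the resource application exposing the role
        PermissionId = $role[0].Id         # GUID of the AppRole
        Type         = 'Role'              # application permission; 'Scope' is a delegated permission
    }

    if ($PSCmdlet.ShouldProcess($ClientDisplayName, "Require role '$RoleValue' from '$ResourceDisplayName'")) {
        Add-AzADAppPermission @params
    }

    # Echo what was requested so a pipeline can log it.
    [pscustomobject]$params
}

Add-CustomAppRolePermission -ClientDisplayName 'Client' -ResourceDisplayName 'Read'  -RoleValue 'Read'
Add-CustomAppRolePermission -ClientDisplayName 'Client' -ResourceDisplayName 'Write' -RoleValue 'Write'
```

Adding a required permission only records the request on the Client registration; an administrator still has to grant consent before a token issued to Client carries the role claim, and the Read and Write registrations must have a service principal in the tenant for that consent to succeed.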
I'm in the process of migrating from Cloud Service (classic) to Cloud Service (extended support) in Azure. Unfortunately, CS extended support documentation is very scarce and often inaccurate, so the process is very much not straightforward. At this point, I'm working on the deployment pipelines. With CS classic, we used management APIs to deploy/update/etc. The API for extended support is more straightforward, however, again, the documentation is lacking. The best I found was this page: Cloud Service - create or update. While this provides fairly good starting points, I'm struggling to find any info on the following points:
ServiceConfiguration element - what format is this in? Is it pure XML (encoded within JSON, of course) or something else? For classic API, service configuration was passed as a BASE64 encoded XML.
The request body (JSON) contains some of the same elements as in the service configuration - what happens if they don't match?
Package URL - what format is this in? The package is stored in an azure storage account - so how do I reference it? Also, for authentication, I can't grant the CS any permissions to the storage account, as it's not created yet (it doesn't exist!) - but it seemingly needs this permission in order to be created.
RDP extension - what format is "password" in? Is this really just a plain password? For classic, RDP password was encrypted using a certificate, which was separately uploaded into the service.
SSL certificate from the vault - how is authentication going to work? Again, the CS doesn't exist yet, so I can't grant it any permissions in the vault.
On authentication front, I managed to send the auth request and get the oauth2 token, which I would then use for this API - could this be enough? Of course, I can try this, but need to understand the other things first (i.e. format of some elements).
Note separately that deployment pipeline is executed from Jenkins and must stay that way - I don't have any control over that.
UPDATE: I tested this as best I could with service configuration being plain xml, with content matching the rest of json input, plain text password for RDP extension, and hoping for the auth to use bearer token. The response I received was 400, with the following details:
{
"error": {
"code": "InvalidParameter",
"message": "The value of parameter packageUrl is invalid."
}
}
So, back to my point 3 above - what is the format of package url?
UPDATE 2: After some experimenting, it did accept the package URL with the SAS token. Now I'm stuck with this error:
{
"error": {
"code": "StandardPublicIPAddressNotSupportedCloudService",
"message": "Standard public IP not supported for cloud services."
}
}
Web search for that string returns 0 matches. The template I'm using is copy/paste from MS documentation; the process I'm using is exactly per MS documentation. Any further help massively appreciated.
This isn't exactly what you're after, but I used the following article to help with generating a template.json and parameter.json file which then could be used through Powershell.
https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-use-azure-devops-to-publish-cloud-service-extended/ba-p/3675180
This is what my Powershell script eventually looked like:
New-AzResourceGroupDeployment -ResourceGroupName "cses-rg" -TemplateFile DeployArm.template.json -TemplateParameterFile DeployArm.parameter.json -packageSasUri $cspkg -configurationSasUri $cscfg -cloudServiceName cldcsestest -deploymentLabel myDeploymentLabel -publicIPName 'MyPublicReservedIp' -rdpPassword $rdpPassword
I only used the PowerShell script locally for quicker testing, but my goal was to get it working with Azure DevOps.
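UPDATE 2 in the question established that packageUrl must be a blob URL carrying a SAS token, and the answer passes such URLs in as template parameters. The script below is an added example, not the answer's own script, showing how to mint those SAS URIs so that the credential embedded in the URL is read-only, HTTPS-only and short-lived, and how to keep the RDP password out of the script. Storage account, container and blob names are placeholders; the template parameter names (packageSasUri, configurationSasUri, cloudServiceName, deploymentLabel, publicIPName, rdpPassword) are the ones used in the answer and are assumed to be declared in DeployArm.template.json. The error in UPDATE 2 says a Standard SKU public IP is rejected, so the reserved IP referenced by -publicIPName is assumed to be Basic SKU.

```powershell
# Added example: deploy a Cloud Service (extended support) with short-lived,
# read-only SAS URIs for the package and configuration. Save as a .ps1 and run
# from the pipeline. Not part of the original question or answer.
param(
    [string]$ResourceGroup      = 'cses-rg',
    [string]$StorageAccount     = 'csesartifacts',                    # placeholder
    [string]$Container          = 'packages',                         # placeholder
    [string]$PackageBlob        = 'MyService.cspkg',                  # placeholder
    [string]$ConfigBlob         = 'ServiceConfiguration.Cloud.cscfg', # placeholder
    [int]   $SasLifetimeMinutes = 60
)

# Mint the SAS with the signed-in Azure AD identity (user delegation SAS) so no
# storage account key is ever handled by the pipeline. The identity needs the
# "Storage Blob Delegator" role on the account.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount

function New-ReadOnlyBlobSasUri {
    param([Parameter(Mandatory)] [string]$Blob)
    New-AzStorageBlobSASToken -Context $ctx -Container $Container -Blob $Blob `
        -Permission r `
        -Protocol HttpsOnly `
        -StartTime (Get-Date).AddMinutes(-5) `
        -ExpiryTime (Get-Date).AddMinutes($SasLifetimeMinutes) `
        -FullUri
}

$cspkg = New-ReadOnlyBlobSasUri -Blob $PackageBlob
$cscfg = New-ReadOnlyBlobSasUri -Blob $ConfigBlob

# The RDP password comes from an environment variable injected by the pipeline
# (for example a Jenkins credential binding) and is wrapped as a SecureString,
# which is the type the template's rdpPassword parameter is assumed to declare.
if (-not $env:CSES_RDP_PASSWORD) { throw 'CSES_RDP_PASSWORD is not set' }
$rdpPassword = ConvertTo-SecureString $env:CSES_RDP_PASSWORD -AsPlainText -Force

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
    -TemplateFile DeployArm.template.json `
    -TemplateParameterFile DeployArm.parameter.json `
    -packageSasUri $cspkg `
    -configurationSasUri $cscfg `
    -cloudServiceName cldcsestest `
    -deploymentLabel myDeploymentLabel `
    -publicIPName 'MyPublicReservedIp' `
    -rdpPassword $rdpPassword
```

The SAS URI is a bearer credential: anyone who sees the deployment parameters or pipeline log can download the package until it expires, so keep the lifetime just long enough for the deployment and avoid echoing $cspkg and $cscfg into logs.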
I am trying to run a PowerShell script that calls Get-AzKeyVaultSecret using examples provided per Microsoft and keep getting an error stating No such host is known.
Generically, the error is simple enough but the fact that I'm not specifying a host address or IP during the call makes the error seem very abstract from the actual issue.
Line |
14 | Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| No such host is known.
I have tried just about everything I can think of to get this working and this is the error I receive every time. I've checked that I have the appropriate privileges in Azure Access Policies and also checked that I have the Access Control roles, etc. So I don't understand the error message.
I was previously attempting this using the AzureRM Powershell module but since realizing it is soon due for deprecation within a couple of years; I opted to go this route but it doesn't seem to be working.
What exactly does no such host mean and how do I resolve the problem? I am running under PowerShell 7
Because of the 1st comment regarding posting the remainder of the Script; I'll add that I receive the same error when calling the method directly in the PowerShell window.
PS C:\SQL Scripts\PowerShell> Get-AzKeyVaultSecret -VaultName 'myKeyVaultName' -Name 'myKeyVaultSecretName'
Get-AzKeyVaultSecret: No such host is known.
SHORT VERSION ANSWER:
The environment needs to be specified when working within private sectors such as Government, Education, etc.
LONG ANSWER/EXPLANATION:
The comment by @Ked Mardemootoo led me to view the issue from a different perspective. In a manner of sorts, the issue was determined to be somewhat network related and perhaps arguably a "DNS" issue, but not a DNS issue as it relates to the system from which the call is being made.
The Get-AzKeyVaultSecret module performs some work under the hood, which includes resolving the FQDN of the requested resource, among other things, using the credentials provided to connect via the Connect-AzAccount module.
In most common scenarios these requests are routed to Azure on the public networks, but on a comparatively smaller scale where Azure is on a private sector/network, e.g. Educational, Government, etc., there is an additional parameter switch where the Environment needs to be specified.
Connect-AzAccount
Connects User within public domain
Connect-AzAccount -Environment
Connects User within the private domain/sector specified with the Environment switch
If you have an Azure account, both methods will log you onto the Azure platform, but if you're in a private sector and attempt to subsequently use modules to acquire information or resources without having designated the environment, you will receive the "no such host is known" error.
The error is somewhat cryptic and abstract and in my opinion should have been more specific to better clue the user as to the actual problem. Such as Resource not found or something similar.
Once I specified the Environment (something that isn't front and center in the documentation that I accessed); the module functioned as expected.
Hopefully this information helps others from falling into this pit of obscurity.
It appears there's something wrong with the DNS resolution on your machine.
I'd suggest running the command from a different device or from the Azure CloudShell to narrow it down further.
I've tried to replicate it on my end (within my context/subscription) to see what kind of error message shows up in different scenarios.
Wrong KV name shows clear error message:
PS /Users/kedmardemootoo> Get-AzKeyVaultSecret -VaultName 'kv-wrong-name' -Name 'correct-secret-name'
Get-AzKeyVaultSecret: nodename nor servname provided, or not known
Correct KV name but wrong Secret doesn't show any error/output:
PS /Users/kedmardemootoo> Get-AzKeyVaultSecret -VaultName 'kv-correct-name' -Name 'wrong-secret-name'
Correct KV and secret name but no access via access policies:
PS /Users/kedmardemootoo> Get-AzKeyVaultSecret -VaultName 'kv-correct-name' -Name 'wrong-secret-name'
Get-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'
Correct KV and secret name with the right access policies:
PS /Users/kedmardemootoo> Get-AzKeyVaultSecret -VaultName 'kv-correct-name' -Name 'correct-secret-name'
Vault Name : kv-correct-name
Name : correct-secret-name
Version : 0abbb10de45a1235f5544
Id : https://kv-correct-name.vault.azure.net:443/secrets/correct-secret-name/0abbb10de45a1235f5544
Enabled : True
Expires : 06/03/2022 05:20:05
Not Before :
Created : 06/03/2022 05:29:07
Updated : 06/03/2022 05:34:09
Content Type :
Tags :
Get-AzKeyVaultSecret -VaultName 'myKeyVaultName' -Name 'myKeyVaultSecretName' -Debug
You can toggle the -Debug switch to see the "Absolute Uri". You will see something like:
https://myKeyVaultName.vault.azure.net/secrets/myKeyVaultSecretName
You will get an error (no such host is known) if there is a typo in the VaultName or the VaultName does not exist.
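Both answers above point at the same mechanism: Get-AzKeyVaultSecret builds https://<vault>.<suffix>/ from the Key Vault DNS suffix of the current Az environment, so a vault that lives in a sovereign cloud (first answer) or a mistyped vault name (second answer) produces a hostname that does not exist, and the DNS failure surfaces as "No such host is known". The function below is an added example, not code from either answer: it derives that hostname for every environment Az.Accounts knows about and tries to resolve each one, so you can tell a wrong environment from a wrong name before reaching for Connect-AzAccount -Environment. The vault and secret names are placeholders.

```powershell
# Added example: show which Az environment's Key Vault DNS suffix produces a
# resolvable hostname for a given vault name. Not part of the original answers.

function Test-KeyVaultHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        # Default: every environment registered with Az.Accounts
        [string[]]$Environment = (Get-AzEnvironment | Select-Object -ExpandProperty Name)
    )

    foreach ($envName in $Environment) {
        $azEnv = Get-AzEnvironment -Name $envName
        # Custom or Azure Stack environments may not define a Key Vault suffix.
        if (-not $azEnv.AzureKeyVaultDnsSuffix) { continue }

        # This is the host Get-AzKeyVaultSecret -Debug prints as "Absolute Uri".
        $fqdn = "$VaultName.$($azEnv.AzureKeyVaultDnsSuffix)"
        try {
            $null = [System.Net.Dns]::GetHostAddresses($fqdn)
            $resolves = $true
            $detail   = 'resolved'
        } catch {
            # The SocketException text here is the "No such host is known" message.
            $resolves = $false
            $detail   = $_.Exception.GetBaseException().Message
        }

        [pscustomobject]@{
            Environment = $envName
            Host        = $fqdn
            Resolves    = $resolves
            Detail      = $detail
        }
    }
}

# Only the environment that actually hosts the vault should resolve. If none
# does, the vault name itself is wrong (or the vault does not exist).
$hits = @(Test-KeyVaultHost -VaultName 'myKeyVaultName' | Where-Object Resolves)
$hits | Format-Table -AutoSize

if ($hits.Count -eq 1) {
    # Sign in to that environment explicitly, then retry the original call.
    Connect-AzAccount -Environment $hits[0].Environment
    Get-AzKeyVaultSecret -VaultName 'myKeyVaultName' -Name 'myKeyVaultSecretName'
}
```

The DNS probe needs network access but no Azure credentials, which is why it is a useful first step: it separates "I am signed in to the wrong cloud" from "I have the wrong vault name" before access policies or RBAC come into play.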
I'm getting the below error during validation when trying to deploy an ARM template via private offer (cleansed):
{"code":"MarketplacePurchaseEligibilityFailed","details":[{"code":"BadRequest","message":"Offer with PublisherId: 'PUBLISHER', OfferId: 'OFFER' cannot be purchased due to validation errors. For more information see details. Correlation Id: 'ID' Sku 'SKU' of offer 'OFFER' by publisher 'PUBLISHER' is not available to you for deployment per the policy set by your IT Admin.
I went through powershell and accepted the terms but still having the issue. Microsoft's responses so far are based on the browser. I've tried in Firefox, Chrome, and Edge to no avail. The Azure environment is pretty basic with no specific policies for anything so I'm not sure why it's saying this. Any help would be greatly appreciated.
Thanks!
There could be multiple reasons why you are getting this validation failure.
These are:
Programmatic deployment for the Marketplace is not configured.
Undefined task failed while creating or updating the template deployment.
Offer with PublisherId, and OfferId is not found. Doesn't exist anymore. As example, publisher revoked it.
Marketplace purchase is not enabled.
Unknown payment instrument(s) is unsupported for offer with OfferId, PlanId.
Organization is in deleted state.
etc.
Based on your failure details "is not available to you for deployment per the policy set by your IT Admin.", it seems your subscription is not registered and approved to deploy this specific image.
I'd recommend to do the next steps to resolve the issue:
Go to https://learn.microsoft.com/he-il/marketplace/manage-private-azure-marketplace-powershell#add-an-offer-to-a-private-marketplace
Click on the "try me" button next to "Add an offer to the private marketplace".
Login to the relevant tenant.
Use PowerShell and run the commands:
(a) Install-Module -Name Az.Marketplace
(b) Get-AzMarketplacePrivateStore - to get the privateStore Id
(c) use the private store id from step b
$Params = @{
    privateStoreId = 'PrivateStoreId'
    offerId = 'paloaltonetworks.vmseries-flex'
    SpecificPlanIdsLimitation = @('byol')
}
Set-AzMarketplacePrivateStoreOffer @Params
I look forward to your response. Please let me know if you have any questions.
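The question mentions having accepted the terms through PowerShell, and the answer adds the offer to the private store; the deployment needs both. The following is an added example, not code from the question or answer, that checks the two programmatic prerequisites in one place and only changes state behind -Fix with -WhatIf/-Confirm support. Publisher, offer and plan values are the ones from the answer's snippet and are placeholders. It needs Az.MarketplaceOrdering (Get-AzMarketplaceTerms, Set-AzMarketplaceTerms) and Az.Marketplace; Get-AzMarketplacePrivateStoreOffer and the UniqueOfferId and SpecificPlanIdsLimitation property names are assumed from that module's object model.

```powershell
# Added example: verify (and optionally fix) the two programmatic prerequisites
# for deploying a marketplace offer. Not part of the original question or answer.

function Test-MarketplaceOfferReadiness {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Publisher,   # e.g. 'paloaltonetworks'
        [Parameter(Mandatory)] [string]$Product,     # e.g. 'vmseries-flex'
        [Parameter(Mandatory)] [string]$Plan,        # e.g. 'byol'
        [switch]$Fix                                 # accept terms / allow offer when missing
    )

    # 1. Terms are accepted per subscription and per plan. Accepting them is a
    #    legal act, so it only happens behind -Fix and honours -WhatIf/-Confirm.
    $terms = Get-AzMarketplaceTerms -Publisher $Publisher -Product $Product -Name $Plan
    $termsAccepted = [bool]$terms.Accepted
    if (-not $termsAccepted -and $Fix -and
        $PSCmdlet.ShouldProcess("$Publisher/$Product/$Plan", 'Accept marketplace terms')) {
        $terms | Set-AzMarketplaceTerms -Accept | Out-Null
        $termsAccepted = $true
    }

    # 2. If the tenant runs a private store, the offer must be in it and this
    #    plan must be allowed. This is "the policy set by your IT Admin" in
    #    the error message.
    $store        = Get-AzMarketplacePrivateStore -ErrorAction SilentlyContinue
    $offerId      = "$Publisher.$Product"
    $offerAllowed = $null   # $null means: no private store, check not applicable

    if ($store) {
        # Assumed cmdlet/property names: Get-AzMarketplacePrivateStoreOffer,
        # UniqueOfferId, SpecificPlanIdsLimitation.
        $existing = Get-AzMarketplacePrivateStoreOffer -PrivateStoreId $store.PrivateStoreId -ErrorAction SilentlyContinue |
                    Where-Object { $_.UniqueOfferId -eq $offerId }
        # Allowed when the offer is present and either no plan limitation is
        # set (all plans) or this plan is listed explicitly.
        $offerAllowed = [bool]($existing -and
            (-not $existing.SpecificPlanIdsLimitation -or $Plan -in $existing.SpecificPlanIdsLimitation))

        if (-not $offerAllowed -and $Fix -and
            $PSCmdlet.ShouldProcess($offerId, "Allow plan '$Plan' in private store $($store.PrivateStoreId)")) {
            Set-AzMarketplacePrivateStoreOffer -PrivateStoreId $store.PrivateStoreId -OfferId $offerId -SpecificPlanIdsLimitation @($Plan)
            $offerAllowed = $true
        }
    }

    [pscustomobject]@{
        OfferId       = $offerId
        Plan          = $Plan
        TermsAccepted = $termsAccepted
        PrivateStore  = if ($store) { $store.PrivateStoreId } else { 'none' }
        OfferAllowed  = $offerAllowed
        ReadyToDeploy = $termsAccepted -and ($offerAllowed -ne $false)
    }
}

Test-MarketplaceOfferReadiness -Publisher 'paloaltonetworks' -Product 'vmseries-flex' -Plan 'byol'
# Preview changes with -Fix -WhatIf, then apply with -Fix.
```

Running the check first avoids a loop of re-deploying and re-reading the same validation error: TermsAccepted and OfferAllowed tell you which of the two gates is closed, and the fix for each is done by a different role (the subscription owner for terms, the private store administrator for the allow list).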
I'm desperate here with Powershell and Azure.
I use PowerShell 7.0.1 and AZ 4.1.0.
When I try to connect (by the way, as global admin via 'Connect-AzAccount'), I get this prompt every time: "WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxxxxxxxx to authenticate."
Of course I do that and then I get this error message every time:
Connect-AzAccount: xxxxxxxxxxxxx: Device authentication is required.
Trace ID: xxxxxxxxxxxxxxxxxxxxxxxxx
Correlation ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Timestamp: 2020-05-20 09:12:18Z: Response status code does not indicate success: 401 (Unauthorized).
Does anyone have an idea why this does not work? I have also tried it temporarily without MFA, with the same result.
As Allen pointed out, the right thing to do in this case is to engage the Active Directory authentication team.
Meanwhile, can you try the preview of the new authentication experience here.
This uses a vastly updated authentication experience, and may unblock you while we work out the underlying issue.
Use the command below to install the Az.Accounts 2.0.1-preview module.
Install-Module -Name Az.Accounts -AllowPrerelease
For more details, you could refer to this issue.
I have installed Az.Accounts 2.0.1-preview, but now a different error message appears. After connecting, everything seems to work fine, but after calling a function it comes to an error again:
PS> Connect-AzAccount -Subscription 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
WARNING: Attempting to launch a browser for authorization code login.
WARNING: We have launched a browser for you to login. For the old experience with device code flow, please run 'Connect-AzAccount -UseDeviceAuthentication'.
WARNING: Unable to acquire token for tenant 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
michael.kristen@inhouse.wko.at INH-Subscription xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AzureCloud
PS> Get-AzDefault
Get-AzDefault: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.