Is there a way to authenticate to Azure without any login on an Azure VM? Same feature like amazon instance profile so I can run azure commands without authentication
I don't think it is possible to communicate with Azure cloud without authentication like AWS using the instance profile. In Azure you have to use service principle with respective role(Reader, contributor or owner) assigned. Once service principle is created you can use it for authentication with Azure SDK or REST API. You can automate once you have service principle details.
You can use Azure CLI.
The authentication can be done using the Publish Settings file.
This is useful if you wish to use Azure CLI commands in a script etc.
You can download the file by using
azure account download
Make sure you keep this file safe as it provides direct access to your azure account.
Then authentication is a simple process of importing the file using
azure account import /path/to/.publishsettings_file
Now deployment commands can be run on the command line without logging in.
Scroll to the section public settings file in the link for more info on how to use the publish settings file.
Related
All the instructions I've found for enrolling devices in Azure AD require the user to manually log a machine in to Azure AD themselves to enroll.
Is there any way to enroll machines from Powershell? I'm looking at enrolling about 200 machines and not looking forward to having users login to Azure AD one by one manually.
Thanks!
For your scenario you should use something called bulk enrollment.
Steps are:
Create configuration file called provisioning package (*.ppkg) using Windows Configuration Designer tool. More info: https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll#create-a-provisioning-package.
Don't use the desktop wizard here, since bulk Azure AD deployment can only be configured via advanced configuration.
Deploy the *.ppkg file using PowerShell command Add-ProvisioningPackage. More info is here: https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-powershell
I have an Azure CDN. It has a custom domain, and I attempting to register my own certificate for HTTPS support.
I am attempting to follow the instructions here: https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
I have uploaded my Certificate to a Key Vault. That should be good. I am now trying grant my Azure CDN Profile access to my Key Vault in order for it to get the certificate. That is this step in the tutorial (Register Azure CDN, step #2)
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
What I see when I attempt to run the command from Cloud Shell
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
The GUID is the Application ID of the multi-tenant AD App in the Microsoft tenant(microsoft.onmicrosoft.com), when you use the New-AzADServicePrincipal with the GUID, it will create a service principal related to this AD App in your AAD tenant, which represents your CDN.
When you run the New-AzADServicePrincipal successfully, you could find it in the portal -> Azure Active Directory -> Enterprise applications in your tenant.
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
The New-AzureRmADServicePrincipal belongs to the old AzureRM module, New-AzADServicePrincipal belongs to the new Az module. You could use both of them, but I recommend you to use New-AzADServicePrincipal, because the AzureRM module was deprecated and will not be updated any more.
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
Of course, you can. Just run that in the cloud shell, no need to install any module manually.
I am writing an auto deployment service and I am already able to create my App Service resource via ARM Template using the ARM API but now I need to deploy the content there, Im planning use the Kudu Zip deployment API (https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file) but Im missing how to set or get the deploy username and password automatically through some api based process (not using the UI).
I know the site credentials are actually account-tied users, if you know a different kind of credential can be used to deploy, please point me the direction that would allow me release without a specifc person-oriented credential (an app credential instead)
If you want to get the publish credentials, you could use the
Web Apps - List Publishing Credentials Rest API to do that.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/publishingcredentials/list?api-version=2016-08-01
About how to call the Azure Resource Manager REST API, please refer to this tutorial.
We also could use Azure SDK to get the publish credentials. For more information about how to use Kudu API or Azure SDK to get the publish credential, please refer to another SO thread.
Is this even possible? I have a couple web apps and a couple of Azure Functions running under the same App Service Plan. I'd like to (ideally) have them use a specific Storage plan, so I can keep everything in one place. I envision them in different containers under the same plan.
If that's not possible...then where are the files? Are they on the storage that's built into the App Service Plan itself? If so, can I connect to this somehow, so I can manage the files through something like Storage Explorer?
Today when playing with the Azure Az Powershell tool I found I was able to provision a Function App without a Azure Storage back-end. This cannot be done via the UI. An easy way to provision a Function App with a storage account backend is by leveraging the Azure UI for provisioning.
When a Function App is provisioned via command line, the bits seem to be stored within the function app itself. There is an FTP URL given if you download the publish profile. The files can be read and written to using an FTP tool like WinSCP (as alternative to Kudu)
I'd like to (ideally) have them use a specific Storage plan, so I can keep everything in one place. I envision them in different containers under the same plan. If that's not possible...then where are the files?
Every Azure Web App has a home directory stored/backed by Azure Storage. More detail info please refer to Azure WebApp sandbox. It is owned by Azure WebApp Service, we are not able to choose Azure Storage to setup WebApp by ourselves currently. But we could config storage account for Azure WebApp Diagnostic logs.
Are they on the storage that's built into the App Service Plan itself? If so, can I connect to this somehow, so I can manage the files through something like Storage Explorer?
Different WebApp Service Plan has different volume of the storage. We could use Kudu tool (https://yoursite.scm.azurewebsites.net) to manage the files. More detail info about Kudu please refer to the document.
Update:
We could access the home directory with the Kudu tool. More details please refer to the snapshoot
I created an empty Azure cloud service and I want to allow other developers to deploy to it. So far the only route I can see is adding the developers as Azure subscription administrators. I would rather give them more specific access to the cloud services only.
No such functionality exist today which will allow you to grant/revoke permissions at the cloud service level. Once a developer is provided access to the subscription, they would have access to all the resources under that subscription.
There's a REST API behind cloud service deployments and all the tools (including Windows Azure Portal and Visual Studio) consume this API for creating deployments. One possible solution would be to build your own solution consuming this API. In this solution you will implement access control based on your requirements so that when your user use this service, they will only see the cloud service they're assigned to and can only manage that cloud service. There's a managed library for consuming this API. You can find more information here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries.
It seems that if the original developer downloads the publish profile from Azure (it's an xml file that with a .PublishSettings extension), you can copy the userPWD from that file, give it to another developer and they can paste it into the password field in the Connection section of the Publish dialog.
The userPWD is a string that looks something like this:
EFFCLfDqDKHlXcA2YDZPvX4BZXWFaobxaLN0aPJd4HCfa8WxlqEkt2yywBsx