I'm trying to deploy a build to Azure WebApp.
In Azure (http://manage.windowsazure.com) I linked the web app to my Visual Studio Online(VSTS) account.
In VSTS I've created a release definition with a single task (Azure Web App Deployment); the task is configured to use the endpoint defined in the administration module. The service endpoint is configured to use credentials. The credential is using a Microsoft account.
The release is failing with the below error:
2015-12-02T18:17:35.4422685Z AzurePSCmdletsVersion= 0.9.8.1
2015-12-02T18:17:35.5692677Z Get-ServiceEndpoint -Name foo -Context Microsoft.TeamFoundation.DistributedTask.Agent.Worker.Common.TaskContext
2015-12-02T18:19:07.5877546Z Username= ********
2015-12-02T18:19:07.5887893Z azureSubscriptionId= foo-foo-foo-foo-foo
2015-12-02T18:19:07.5907904Z azureSubscriptionName= Pay-As-You-Go
2015-12-02T18:19:07.6278127Z Add-AzureAccount -Credential $psCredential
2015-12-02T18:19:09.7755541Z ##[error]-Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
2015-12-02T18:19:09.9664413Z ##[error]There was an error with the Azure credentials used for deployment.
How can I setup the release to use a Microsoft account for Azure credential?
There isn't any way to use a Microsoft Account Credential to connect to Azure from VSO service endpoint for now. You need to use an Organization account. If you don't have one, you can use "Certificate Based" authentication to connect to Azure easily. Click this link to get your subscription file and then paste the certification string in the subscription file into VSO "Management Certificate" area.
Add-AzureAccount cmdlet, uses Azure Active Directory (Azure AD) authentication access tokens and Azure AD uses Organizational Accounts.
Microsoft account credentials, formerly known as LiveIDs will not work in Azure AD authentication scenarios.
This is reported here as a suggestion and by design as of now:
https://github.com/Azure/azure-powershell/issues/477
Related
When I run the below on my local pc via powershell it completes successfully.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $resourceGroupName -ServerName $serverName -DisplayName 'AAD_GAOUAT_SQLADMIN' -ObjectId 'd9c6b5a7-079e-44b4-8911-bd0451bfb59a'
Now when I run the same command (via Azure Powershell) in DevOps, I get the below error
Any ideas why this fails from Azure DevOps?
When you run the command in devops azure powershell task, it will let you use a service connection to auth, I suppose you didn't use a correct service principal located in the correct tenant(i.e. the subscription of the sql server located).
Please follow the steps below to fix the issue.
1.In devops, navigate to the Project Settings -> Service connections -> New service connection -> Azure Resource Manager -> Service principal (manual).
If you don't have an AD App, you can also select Service principal (automatic) above, then fix the values with correct information .e.g subscription. If you select Service principal (manual), please make sure the service principal has an RBAC role in the subscription to set the sql server AAD admin e.g. Owner, Contributor.
2.After creating the service connection, click it and select Manage Service Principal.
It will open a page for the related AD App -> API permissions -> Add a permission -> add Directory.Read.All Application permission of Azure Active Directory Graph like below(Not Microsoft Graph), At last, don't forget to click Grant admin consent for xxx button.
This step is because Set-AzSqlServerActiveDirectoryAdministrator will call the AAD Graph to check the object you input, so you need to give the permission.
3.Then in the azure powershell task, select the service connection we created.
Run it, it works fine.
I have an Azure AD tenant which is not associated to a subscription. When I login from the Azure portal I am able see and get to it using "switch directories".
When I log in from PowerShell, I do not see it, it only shows my subscription not by Azure AD tenant.
How do I connect to the Azure AD tenant which has no subscription?
Neither the Azure AD PowerShell nor the Azure PowerShell modules require that the tenant have an Azure subscription in order to connect.
If you are using the Azure AD PowerShell module, you simply connect:
Connect-AzureAD
If you are using a user account which is a member of multiple tenants, it's best to be explicit about which tenant you'd like to connect to:
Connect-AzureAD -TenantId "{other-tenant-id}"
For registering and managing apps in Azure AD I recommend using the Azure AD PowerShell module. However, if you need/want to use the Azure PowerShell module instead, the process is very similar:
Connect-AzAccount
And, if you need to be explicit:
Connect-AzAccount -TenantId "{other-tenant-id}"
My pipe in bitbucket:
- pipe: microsoft/azure-cli-run:1.0.2
variables:
AZURE_APP_ID: $AZURE_APP_ID
AZURE_PASSWORD: $AZURE_PASSWORD
AZURE_TENANT_ID: $AZURE_TENANT_ID
Where is AZURE_APP_ID? On Azure -> App Services I can see a table with my apps but no application id. And what password is it? I haven't set a password anywhere. And tenant id?
First you need to create an Azure service principal in your azure subscription to enable connecting bitbucket to azure services.
When you create the service principal you will get a set of information after successful creation from which you can extract the app ID and tenant ID. This is via azure CLI.
az ad sp list --show-mine --query '[].{"id":"appId", "tenant":"appOwnerTenantId"}'
This information along with your azure password is what you need to supply to the bitbucket pipeline to enable deployment from your repo to azure.
I am trying to use Microsoft.Azure.Management.Logic.LogicManagementClient to programmatically create a Logic App workflow in Azure. Authentication has already worked, but when I call logicManagementClient.Workflows.CreateOrUpdateAsync(), I am getting a CloudException saying that the client does not have authorization to perform action 'Microsoft.Logic/workflows/write'.
How can I give the app the required permissions?
I have already given it (in the Azure Portal) all permissions for Azure AD and Microsoft Graph. But when I try to add permissions for Windows Azure Service Management API (which I assume is the relevant API here), it says "No application permissions available":
You need to give your app at least Contributor access to the resource group via the Access Control (IAM) tab.
To manage Azure resources through the ARM API, you always need a role via RBAC.
I did this via PowerShell. I assigned the Contributor role to my App Registration. Here are the commands.
az login
az account set --subscription "YOURSUBSCRIPTIONNAME"
NOTE: Had to create Resource Group in Portal, Use the Application (client) ID of the App Registration Client
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName Application(client)ID -ResourceGroupName YOURRESOURCEGROUPNAME
I want to run a template on Microsoft Azure using ansible script. For that I have to set the client_id, secret and tenant_id. I am not sure where can I find it on Microsoft Azure?
Well, for that you have to create an Azure AD Application and use that as an Identity. Here's how you do it: https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
I see no point I
in typing all of the article here.
So the clientID is the ID of an application you can look up on the portal. Secret is what you create (that is visible only when you create it, after that you can't look it up). And the tenantID is the tenantID of your Azure AD
please be sure what client_id orother things you want.
If you asking about get in connection with Azure account then it provides 2 things:
Azure Publish setting file and your subscription id.
So you can check for subscription_id (under settings on Azure portal)
HTH