I need to write PowerShell script for AzureDevOps pipeline which will export solution from Dynamics organization (online version). Also it's important to use 'Service Principal/client secret (supports MFA)' auth type.
I have found some examples, https://d365dotblog.com/2020/05/04/powershell-scripts-to-export-and-import-the-dynamics-365-ce-solution/ - it is one of them, but it doesnt work inside pipeline and has another type of auth.
I am newbie in PowerShell and dont know how to write script by myself. Also I haven't found info about my question in the internet. Can you give me example?
Related
I am trying to run following cmdlet- Set-UnifiedGroup but it is not available in ExchangePowerShell 0.11.0
Is there a way to import it to Automation Account module in different way?
If this cmdldet is not available, any tip on changing group email from Azure Automation?
We Have Automated scripts that we would like to build and Test on Azure DevOps but our pipeline cannot run our Test Scripts on Azure
We have a Database Service Account that we want to configure on Azure but we don't know how to go about it. Please assist.
Here is a well explained video (by Hassan Habib from Microsoft) on exactly how to run a console app (you create) in an Azure Pipeline that securely gets credentials to immediately do stuff in Azure (https://youtu.be/ht0xhQyF1x4?t=1688)
He basically, in a handful of minutes shows exactly how to:
Link Pipeline Variables to KeyVault Secrets, so when accessed, the variables do a get() from KeyVault and return that value.
Securely links Pipeline Variables to Azure Environment Variables.
As a step in the release pipeline the console app reads the Azure Environment Variables to get credentials to do stuff in Azure.
In his case he created an Azure Resource Group in Azure.
In your case if I’m understanding correctly. You could possibly make a simple console app that runs in the pipeline, that gets creds\connections strings for your database to do whatever in the DB and could possibly test your scripts.
I am trying to wrap up my mind around this process.
I have a SQL Server in azure. This server has a Azure Active Directory Admin enable using an azure group to authenticate using MFA.
Further more, in the same blade, I have enabled the Support only Azure Active Directory Authentication for this server.
Everything works just fine, and I am able to connect to my server by using MFA as I am part of the Active directory.
Now, I am a disaster and most of the time I forget to update my database schema, and when I deploy some tests, everything explodes.
I have been looking around for an automation process to authenticate with azure DevOps and run a sql script every time my release pipeline is triggered.
I came across this documentation
https://learn.microsoft.com/en-us/powershell/module/sqlserver/invoke-sqlcmd?view=sqlserver-ps
Which seems to be just what a need as it has the --InputFile.
but I am having some problems to understand how I can authenticate my release pipeline and perform those changes using an AAD to access the DB without having to expose username and password.
If anyone can help me to understand what its the best approach here iw ill be grateful.
And please if my question is not 100% clear, just let me know and I will explain better
An alternative would be to write a script which will do all the sql queries instead of doing it in pipeline. This way we can using azure ad to authenticate.
Register the sql service to the azure ad then we can get tokens to authenticate the sql queries.
finally run the script in pipeline using command line task
Reference:
how to run script
authenticate using azure ad
Example, I want to Offboard Tiger from Azure Develops Organization BigZoo (Tiger has 3 Azure organization, BigZoo, SmallZoo, middleZoo--I only want to remove tiger from BigZoo)
Use this Azure CLI in the Azure Cloudshell Powershell will be working
az devops user remove --user tiger
[--org BigZoo]
[--yes]
But it does not work in Azure function-->Azure function use PowerShell environment--> CloudPowerShell can read AzureCLi but Powershell In AzureFunction cannot read anything related with Az
So, if I only want use powershell without any help from Azure CLI, there are some module but all imported module is remove user from all Organizations--> Not remove user from specific organization
Any suggestion? Remove user from specific AzureDevops Organization. Using API seems too complex . Any good idea?
Thanks
I've not tried this but there is the VSTeam powershell module in the PowerShell gallery which wraps the Azure Devops API.
This has a function called: Remove-VSTeamUserEntitlement
Docs here:
https://methodsandpractices.github.io/vsteam-docs/docs/modules/vsteam/commands/Remove-VSTeamUserEntitlement
Module here:
https://www.powershellgallery.com/packages/VSTeam/
Add the module to the Requirements.psd1 file of your azure functions project and you should be able to utilise it.
To authenticate to Azure and use the Azure Resource Manager cmdlets, I currently use the methods outlined here, namely using an Azure Active Directory account, encrypting the password, storing the encrypted string in a text file, and reading that into a credential object when using it in the script.
But I get the sense that maybe I should be using management certificates instead.
There is a documented method to use a publish settings file, but apparently that doesn't work for AzureRm cmdlets, only older cmdlets.
I have seen examples for using Powershell to create an application_id and service principal, and for authenticating a C# app, for instance, but I can't seem to find anything showing how to use management certificates for authentication in a powershell script, to use AzureRm cmdlets.
Maybe the secure string password storage method is the right one. But I don't have a good sense for that.
What do you use?
The best way to do it? It depends what is important to you. Ease of use, security, scripting?
Microsoft Azure Tooling (Visual Studio, Azure Powershell and CLI) lately moved to a more fine-granular, role-based access control approach based on Azure AD. This is currently a pretty good way to do it, since Management certificates allow owners to manage at subscription level and have proven to be rather difficult in environments like Azure Automation.
Refs
https://azure.microsoft.com/de-de/blog/azure-automation-authenticating-to-azure-using-azure-active-directory/
https://azure.microsoft.com/en-us/documentation/articles/cloud-services-certs-create/#what-are-management-certificates
http://blogs.msdn.com/b/cloud_solution_architect/archive/2015/03/17/rbac-and-the-azure-resource-manager.aspx
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
https://azure.microsoft.com/en-us/documentation/articles/resource-group-rbac/#concepts
You should have a look to Service Principal
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/