Azure - How to deploy to guest directory via Powershell - powershell

I have created an ARM template that I would like to deploy via Powershell to Azure directory where I am guest - meaning, I have contributor access to one particular resource group. How do I do that?
Normally, when using my own subscription, I just go Login-AzureRMSubscription and Select-AzureRMSubscription -SubscriptionId myidblabla and then New-AzureRMResourceGroupDeployment -name blabla -TemplateFile mypath -ResourceGroupName somename
But how do I target the directories where I am invited? Using Get-AzureRMSubscriptions, I can see also where I am guest but I cannot switch to them.
Any help with this would be greatly appreciated!
Thanks!
Edit: I have tried to Select-AzureRmSubscription -TenantId but the reply I get is details about my own subscription including my tenant Id and I still cannot see the resource group that I have access to. Note - If I login to the portal, I can easily switch to the directory and see my resource group in the resource group sections and deploy resources to it.

According to your description, we can use this command to log in to Azure and change directory.
Select-AzureRmSubscription -SubscriptionId <ID of sub> -TenantId <ID of Azure Tenant>
We can actually just specify the tenant ID to select the directory, without a subscription ID.
Select-AzureRmSubscription -TenantId <ID of Azure Tenant>
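
One way to script the whole flow from the question and answer above, as an added example (not code from either poster): sign in against the guest tenant, confirm the session really landed on the intended tenant and subscription, then validate and deploy. It assumes AzureRM 5.0 or later, where the context object exposes Tenant.Id and Subscription.Id; the function names Test-ExpectedAzureContext and Deploy-ToGuestDirectory are hypothetical.

```powershell
# Added example. Assumption: AzureRM 5.0+ (context exposes Tenant.Id / Subscription.Id).
function Test-ExpectedAzureContext {
    # Returns $true only when the context points at the intended tenant and subscription.
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [guid] $TenantId,
        [Parameter(Mandatory)] [guid] $SubscriptionId
    )
    if (-not $Context -or -not $Context.Tenant -or -not $Context.Subscription) { return $false }
    return ([guid]$Context.Tenant.Id -eq $TenantId) -and
           ([guid]$Context.Subscription.Id -eq $SubscriptionId)
}

function Deploy-ToGuestDirectory {
    param(
        [Parameter(Mandatory)] [guid]   $TenantId,
        [Parameter(Mandatory)] [guid]   $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $TemplateFile
    )
    $ErrorActionPreference = 'Stop'

    # Authenticate against the guest directory itself, not the home tenant.
    Login-AzureRmAccount -TenantId $TenantId | Out-Null
    Select-AzureRmSubscription -SubscriptionId $SubscriptionId -TenantId $TenantId | Out-Null

    # Fail closed if the session did not end up where we asked.
    $ctx = Get-AzureRmContext
    if (-not (Test-ExpectedAzureContext -Context $ctx -TenantId $TenantId -SubscriptionId $SubscriptionId)) {
        throw "Active context is not tenant $TenantId / subscription $SubscriptionId; aborting."
    }

    # Throws if the resource group is not visible with the current (guest) permissions.
    Get-AzureRmResourceGroup -Name $ResourceGroupName | Out-Null

    # Validate the template before changing anything; an empty result means it passed.
    $problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
        -TemplateFile $TemplateFile
    if ($problems) { throw "Template validation failed: $($problems.Message -join '; ')" }

    New-AzureRmResourceGroupDeployment -Name "guest-deploy-$(Get-Date -Format yyyyMMddHHmmss)" `
        -ResourceGroupName $ResourceGroupName -TemplateFile $TemplateFile
}
```

The context check matters in unattended scripts: if the tenant switch silently fails, the deployment would otherwise run against whatever subscription the session defaulted to.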

Related

Set Azure SQL Server Active Directory admin to AD group in Azure SQL Server using Azure PowerShell inline task in Azure DevOps

I am trying to execute the command below in Azure DevOps to set the AD group as setsqlserveradmin.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "xyz" -ServerName "xyzsqlserver" -DisplayName "ADgroup" -ObjectId "27f75d8c-xxxx-xxxx-xxxx-xxxxxxxxxx"
Below are the error logs:
2020-05-07T15:55:05.2211587Z ##[command]Disconnect-AzAccount -Scope Process -ErrorAction Stop
2020-05-07T15:55:05.6167436Z ##[command]Clear-AzContext -Scope Process -ErrorAction Stop
2020-05-07T15:55:05.9479005Z ##[error]Cannot find the Azure Active Directory object 'Adgroup'. Please make sure that the user or group you are authorizing is registered in the current subscription's Azure Active directory. To get a list of Azure Active Directory groups use Get-AzADGroup, or to get a list of Azure Active Directory users use Get-AzADUser.
2020-05-07T15:55:06.0117846Z ##[section]Finishing: Azure PowerShell script: InlineScript
Note - I checked Adgroup and the corresponding objectid is correct.
PowerShell task 4.0 and version 3.1.0
I can reproduce your issue. First, make sure the group is in the same tenant as your service connection.
Then navigate to the Azure portal -> Azure Active Directory -> App registrations -> find the AD App Registration related to your service connection, and follow the steps below to add the Application permission Directory.Read.All of Azure Active Directory Graph (not Microsoft Graph). Don't forget to click the Grant admin consent for xxx button at the end.
After adding the permission, there is some delay (30m - 1h); then test the command, and it works.

Use multiple subscriptions in a single Azure PowerShell command

I am using the following commands:
Select-AzureRMSubscription -SubscriptionId $subscriptionID
Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $resourceGroupName -ServerName $servername -DatabaseName $dbServer.DatabaseName -StorageAccountName $storageAccount
The Storage Account and DB server belong to different subscriptions. How can I execute a command that will allow access to resources from multiple subscriptions?
how can I execute a command that will allow to access resources from
multiple subscription
We can share your resource groups with different subscriptions. To achieve this, we should invite user B (subscription 2) to AAD (subscription 1) and grant resource group permission to user B; then we can use PowerShell to get the resource groups.
Here is a similar case to yours; please refer to it.
You can use the following command to select a subscription:
az account set --subscription "Subscription Name or Subscription Id"

Still requiring Login-RmAzureAccount even after importing PublishSettings in Azure

I am attempting to log in to an Azure account through a PowerShell script by making use of a publishsettings file; however, I am still finding that it requires me to log in to my account using Login-AzureRmAccount, regardless of having those credentials.
My step-by-step looks something like this:
Clear out all accounts that may be available:
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.ID -Force }
Download the PublishSettings file:
Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettingsFileNameWithPath
Select the Azure subscription using the subscription ID:
Select-AzureRMSubscription -SubscriptionId $SubscriptionId
And finally, create a new resource group in the subscription before deploying it:
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force 2>> .\errorCIMS_RG.txt | Out-File .\rgDetailsCIMS_RG.txt
However, this is when an error is thrown:
Run Login-AzureRmAccount to login.
Assuming I have the PublishSettings file, and it hasn't expired, why would this be giving back an error?
As Mihail said, we should check the Azure PowerShell version first, and install the latest version.
We can run this command to list the Azure PowerShell version:
Get-Module -ListAvailable -Name Azure -Refresh
By the way, Import-AzurePublishSettingsFile works for ASM, while New-AzureRmResourceGroup is an ARM command, so if you want to create a resource group, you should run Login-AzureRmAccount first.
Note:
The AzureResourceManager module does not support publish settings files.
For more information about Import-AzurePublishSettingsFile, please refer to this link.
I solved this problem by updating to the latest version of the Azure PowerShell cmdlets.
You can find the latest one here:
https://github.com/Azure/azure-powershell/releases

Executing Select-AzureRmSubscription works from one of my (client) machines but not on another

Context
I have a Microsoft account, and I have an Azure subscription for it. I've got access rights (added as user: owner) to other Microsoft accounts' other subscriptions.
All works OK: when I log in with my one and only credential to the Azure portal, I can see the directories (tenants?) listed in the top right menu, so I can switch. After switching to a directory I can see the subscription(s) for that directory.
I would like to use this credential similarly in PowerShell. So far I have used Select-AzureRmSubscription with success, and interestingly I found that I can omit the -TenantId parameter even when the subscription is under a different tenant than my default directory. (I suppose Select-AzureRmSubscription iterates through all the tenants' subscriptions to find the GUID I am providing in the -SubscriptionId parameter, or was this only a "bug"?) Anyway, I have now switched to another client computer with freshly installed AzureRM PowerShell modules, and the very same Select-AzureRmSubscription does not work there. So I thought this "bug" was "fixed" and now I must use the -TenantId parameter too. However, I still got an error.
NOTE: All works from my older developer machine: I can switch between subscriptions of different tenants just by using Select-AzureRmSubscription (even without using the -TenantId parameter).
What I've tried:
$subscriptionId = "42940206-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$tenantId = "ce8a477c-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId -TenantId $tenanId
I've got the following error message:
Set-AzureRmContext : Cannot validate argument on parameter 'SubscriptionId'. The argument "42940206-xxxx-xxxx-xxxx-xxxxxxxxxxxx" does not
belong to the set "0692a8b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
What is this "0692a8b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx" specified by the ValidateSet attribute? It is neither any of my subscription IDs nor any of my tenant IDs...
Differences between the two client machines
Working: PowerShell 5, approx. half-year-old AzureRM modules, installed by PowerShellGet's Install-Module
Not Working: PowerShell 4, latest AzureRM modules, installed by PowerShellGet's Install-Module
The trivial next step would be to install PowerShell 5 on the new machine, but it is a production machine with many stabilized PowerShell scripts running day by day, so I would not like to risk breaking the production processes...
I ran into a similar issue. I was only experiencing the issue if the subscriptions were in different tenants.
The cure, for me, was to get the subscription object, then select it. So, using your example above, where you have $subscriptionId set up with the subscription ID value you want, you'd do:
Get-AzureRmSubscription -SubscriptionId $subscriptionId | Select-AzureRmSubscription

How to manage multiple AzureRM accounts with Powershell

I tried to use Login-AzureRmAccount and Add-AzureRmAccount to log in to my Azure accounts. I have two of them; it was easy to add both of them via Add-AzureAccount and manage the active and default one using Select-Azuresubscription.
With the RM cmdlets, every time I do Add-AzureRmAccount it overrides the previously authenticated one. This makes it hard for me to switch between a private and a company Azure account.
Are there any solutions for that?
I am using the PowerShell Gallery to update the Azure and AzureRM modules and am using the latest ones.
The official way is to do something like this
$profile1 = Login-AzureRmAccount
$profile2 = Login-AzureRmAccount
Select-AzureRmProfile -Profile $profile2
You can then save the profiles to disk using
Save-AzureRmProfile -Profile $profile1 -Path e:\ps\profile1.json
You can then load with
Select-AzureRmProfile -Path e:\ps\profile1.json
My personal approach, though, was to create a module that gave a cmdlet with profile1, profile2 etc. as parameters. It would then download and decrypt credentials and feed them into Add-AzureRMAccount (this way I can use the same credential file from assorted locations).
Use Login-AzureRmAccount to log in to the two accounts respectively. Then use Get-AzureRmSubscription to check the subscription info and note down the two TenantIds.
To switch between a private and a company Azure account, you can specify the TenantId parameter using
$loadersubscription = Get-AzureRmSubscription -SubscriptionName $YourSubscriptionName -TenantId $YourAssociatedSubscriptionTenantId