I would like to run a PowerShell script during deployment using a PowerShell Script Task in VSTS release. I need to do some operation with Azure Active Directory, but right now I have no access to it, although running locally works fine.
For example running Get-AzureRmADApplication gives "Insufficient privileges to complete the operation".
Any solutions or suggestions to this issue?
P. S. Actually I was using Azure PowerShell task.
I can reproduce the issue, there is a similar issue: New-AzureRmADApplication: Access denied to the specified API version
I submit a new issue Get-AzureRmADApplication Access denied to the specified API version, you can follow up it.
When running commands against Azure Active Directory you will have to give the application it is running under Read Directory rights in Azure Active Directory.
Related
I am using powershell to connect to azure interactively, where i will give my username and password and script will fetch the secrets from the key vault . I am not suppose to use the app id here . I was using azure module and powershell 5.1 where the Connect-AzAccount command used to work , open a browser and let me feed my details .
From last 3 days , i am seeing the below error . It is not showing up any browser window
WARNING: Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication
failed: Retry failed after 4 tries.'
I have tried to delete the azure context files and try again but facing the same issue
You may try the suggestion in comment.
If not,it may occur due to different reasons,some times it may also be due to network issue and delay.
Some work arounds that you may try.
Please clear the cache and try running the following command in order :
Install-Module Az Import-Module Az Connect-AzAccount with” Windows PowerShell ISE".
As you were saying it worked previously, It may have had upgraded to newer version say 2.2.8.Try down grading the Az.Accounts package to version example:1.6.Or you may try the other way around by upgrading.
PowerShell developer reference for Azure Functions | Microsoft Docs
Try to install AZ module on your PowerShell and set your execution policy to remote signed.
Give your tenant ad directly Connect-AzAccount -TenantId cf2a0-*******
Try "Connect-AzAccount -UseDeviceCode" or "Connect-AzureAd"
Check if Grant API permissions to read or read/write on Azure Active Directory to the application.ex:Directory.ReadWriteAll is done. Make sure Managed Service Identity (MSI) has been turned on, and in Keyvault is granted the MSI access policies.And check if user is assigned role .
Try to run your powershell as admin, update the module with Update-Module -Name Az, then login again.
You may use "Connect-AzAccount -Identity -ErrorAction Stop" To catch the error
If issue is not resolved you may raise a support request.
References:
Troubleshoot Azure Automation runbook issues| Microsoft Docs
Using Azure Key Vault with PowerShell
Other SO reference
We were originally using Start-AzureWebsite and Stop-AzureWebsite in a powershell script to start and stop web apps in Azure before publishing. In the VSO build it was using Azure Powershell, the connection type was Azure Classic. Microsoft recommended switching to Start-AzureRmWebApp and Stop-AzureRmWebApp which uses the Azure Resource Manager. We modified the Azure Powershell step in the build to have a connection type of Azure Resource Manager, and selected the correct subscription. When it calls our external script using the script path, it appears as though the authentication is not being passed on to the script, we get the error "Run Login-AzureRmAccount to login." when it tries to execute the command to start/stop the websites. How do we get the authentication to persist down to the script being called?
Not sure why the connection get lost, it should work if you dotsource the script to invoke it. However:
I would suggest to create a service principal within the AAD that is linked to your subscription and grant it access to your web app. Then you should use the existing Azure App Service Manage Task to start / stop your app:
By the way, starting / stopping / deploying a web app should be part of a Release Definition / Step - not build.
-
Turns out instead of using Connect-AzureRMAccount i needed to be using Add-AzureRmAccount, once i changed that i can now connect and start/stop App Services! Thank you for the help. – Link
I am setting up an integration tests build where I am just trying to start up a windows service.
I have used the InvokeProcess command to run the powershell scripts which just does the following
Start-Service ServiceName
The script fails when I run the build process but when I executed the same script outside TFS it works. I get the following error in TFS logs
Start-Service : Service 'ServiceName (ServiceName)' cannot be started due to the following error: Cannot open ServiceName
service on computer '.'.
Then I tried changing the way I am starting the service and used SC.exe with parameters "Start ServiceName" in the InvokeProcess and I get Access Denied error in TFS as follows:-
SC start ServiceName.
[SC] StartService: OpenService FAILED 5:
Access is denied.
I am using Network Service account to run the build.
After searching a while, I have come to the conclusion that I have to run the InvokeProcess with elevated privileges but I don't know how would I do that with in TFS.
Any help is much appreciated.
We run our build agent as a custom service account and give that domain account admin access on the servers we deploy to.
I have resolved the issue by adding Network Service account to the administrator group. I might not go with this solution as it seems wrong to assign administrative rights to Network Service account but I don't know how to assign Service Start/Stop permissions to Network Service without adding this account to Administrator group.
In short, I agree with the answer that a custom service account must be used to run the build with appropriate privileges.
In VSTS I have a release definition, which needs to run a PowerShell script as administrator.
The release agent is configured to run as an account, which is a local administrator and has the required permissions, but UAC is restricting those permissions, unless PowerShell is executed "as administrator".
Can I run PS as admin from VSTS without disabling UAC completely on the server?
I don't think there is a way to do that using PS task. Can you try "Run PS on target servers" and provide admin creds. You will need to provide the machine name of the agent (so this is not ideal) as an input to the task. That might not require UAC. We will file this as a feature request.
I ran into this same problem. To fix it I did this (YMMV):
I uninstalled the Azure DevOps agent
Verified that the agent user was an admin
Reinstalled the Azure DevOps agent
When I originally installed the agent, the user the agent was running as was not an admin (I added that user to the Builtin\Administrators group after I installed the agent). I'm not sure if that caused a problem, but uninstalling/reinstalling solved it for me.
I do not think that the Inline or Path options are the issue. Maybe installing an Agent in the Deployment Environment Machine, assigning in the installation process the credentials of a user you are sure has administrative privileges on the SharePoint farm could help you. Then in VSTS verify that the agent is Online and working in the Deployment Group Section.
We got around not being able to use elevated Powershell commands by creating a light .Netcore Worker service with http request capability running in an elevated service privilege state. You can send a Invoke-RestMethod command from a regular Powershell YML task and it will trigger your custom logic on the other end of the ASP controller. We use it to remove Appx packages before re-installing for our Unit tests. The repo is located at, AzureAdmin
I have been trying to install the Azure Active Directory Module for Windows for Powershell. So far I have not been able to find a combination of the Sign-In Assistant and Powershell module versions that allows me to create a connection in a Powershell session. My measure for success has been to run the Connect-MsolService cmdlet to create such a connection. I have tried it both from the command line and in a script. The (few) forum and blogs posts that reference this functionality have been very contradictory.
I am using the same credentials that I use to log into manage.windowsazure.com.
As to the specifics I have the following configuration:
Windows Server 2012R2
Powershell version 4.0 ($PSVersionTable.PSVersion)
Microsoft Online Services Sign-In Assistant version 7.250.4556.0
Windows Azure Active Directory Module for Windows Azure version
1.0.8362. The version number is based on the command (get-item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion
My questions are as follows:
What versions work on Windows Server 2012R2?
Is there a specific .Net version that I might be missing?
Am I looking at it wrong? For example is the cmdlet
Connect-MsolService not the metric to be using? Is there another way
that I might verify that I have a connection?
My understanding is that the Powershell cmdlets, as well as all the other methods for managing Azure, are based on the REST API's. Would that be a better way to go? Of course I would not be able to dynamically enter commands, but I would be able to validate credentials etc.
Are you trying to authenicate with an MSA account? Try connecting with a Global Admin AAD account (eg. globaladminuser#tenant.onmicrosoft.com).