What is difference between Azure AD Module and MS Online module - powershell

I am trying to understand difference between two modules, Azure AD and MS Online modules. Currently on my windows 10 machine I can use get-azureaccount cmdlet that returns my current Azure account. And there is bunch of cmdlets that I can use right now. Then why I need MS Online module.
Please help me to understand the purpose of these two modules.

Get-AzureAccount / Get-AzureRMAccount is a part of the "Azure" module.
When working with Azure AD (Active directory commands; not a part of the built-in modules) in Azure you will need the MSOnline module - which also happens to be the same module as for working with Office365. Usually MSOnline is referred to as the Azure Active Directory module for Windows Powershell.
Eg. if you install the Azure Active Directory module from example here: Microsoft - Active Directory Module for Windows Powershell 64-bit - you will get the MSOnline module installed on your machine. You can actually inspect / unpack the msi installer and you will see that the package here is Microsoft.Online.Administration.MSOnline.psd1
In order to work with Azure AD from Powershell, you'll then need to import this module (which contains a set of functions to work with Azure AD).
To list commands within this module after installing the module you can do the following:
Get-Command -Module MSOnline
Hope this clears the confusion.

Connect-Azure: allows user to manage Active Directory objects only, [where directory is hosted in Azure].
Connect-Msoline: apart from managing Active Directory allows more administrative tasks such as Domain management, configure single sign-on etc.
Hope this clarifies your doubt.
Reference
https://learn.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-1.0

In my opinion, it's a matter of selecting the best tool for the job. And the way to select the tool is based on
What you're going to do with it &
what does the tool do
If we take a look at the properties offered by get-msoluser
(get-msoluser)[0] | gm -MemberType Properties
we get a slightly different set than we do when we query get-azureaduser with
(get-azureaduser)[0] | gm -MemberType Properties
and the same can be said when we review the methods available to the objects:
(get-azureaduser)[0] | gm -MemberType Method
or
(get-msoluser)[0] | gm -MemberType Method
Now, since the general idea is to get things done quickly and simply. It then becomes clear to use the one that directly supports what you intend to achieve. And if they both cover the job then I would base my decision of which additional cmdlets in the module support the task I want to achieve without needing to load a whole stack of modules.
So I hope this helps find the right tool for the job.
Have fun,
Porky

Related

PowerShell - ActiveDirectory Module

I need the ability to have users run a script that requires the ActiveDirectory module. I copied over the following:
"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory", "Microsoft.ActiveDirectory.Management.resources.dll", "Microsoft.ActiveDirectory.Management.dll".
The script runs two Get-ADUser commands, 1 without the -Server parameter and the other with. The issue is that the former is working but the latter is not.
Is there another module that I need to copy over?
I don't like the idea of installing administrative tools for non-admins. Even if you could get away with copying files and not doing the full-blown RSAT installation. Not the least of reasons is you are dramatically increasing the attack surface for malicious actors. The better solution is (Just Enough Administration) JEA, or a philosophically similar approach.
JEA / Contrained endpoints can get complicated, but a summary of what you can do looks something like this:
New-PSSessionConfigurationFile -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ModulesToImport ActiveDirectory -VisibleCmdlets "Get-ADUser"
Register-PSSessionConfiguration -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ShowSecurityDescriptorUI -Name DemoPSEndPoint
Run these commands on a system that has the ActiveDirectory module (likely the whole RSAT component) installed, it doesn't need to be a Domain Controller. It will create a new PowerShell remoting endpoint configuration that exposes only the commands you wish. The Register-PSSessionConfiguration command will display a security dialog where you can permission which users you want to allow to connect, you want to grant them read & execute permission. Once that's done, you can get the results with an Invoke-Command command like this:
Invoke-Command -ComputerName <ServerName> -ConfigurationName DemoPSEndPoint -ScriptBlock { Get-ADUser <UserName> }
You can add the -Server parameter in the command without issue. You can expand the cmdlets you are allowing in the New-PSSessionConfiguration command.
Again this is very much a summary of a more complex topic but should be enough to get what you want.
Personally, I don't use configuration files as much as I use startup scripts. I think the latter is more flexible. You can get some information about that here. If you really want to dig into this there are references at the end of the article including a link to the PowerShell JEA documentation. There's also a link to some of the MVP articles I used to develop my own endpoints.
The ActiveDirectory module is dependent on the RSAT (remote server administration tool). This is avalible to install/activate through powershell: https://mikefrobbins.com/2018/10/03/use-powershell-to-install-the-remote-server-administration-tools-rsat-on-windows-10-version-1809/
With this installed you automatically also get the Activedirectory module installed.

Difference between WebCommitDelay and IISCommitDelay

What is the difference between WebCommitDelay and IISCommitDelay?
MS docs says the same for both:
Instructs the IIS configuration system to delay the commitment of changes.
So what should I prefer and why? It looks like they have some differences indeed, because if I use WebCommitDelay, I can't use New-WebApplication ... -Force if the same application is exists, but I can do this if I use IISCommitDelay.
As far as I know, the IISAdministration PowerShell module which was a new way to manage IIS.
This module included numerous improvements over the existing WebAdministration cmdlets.
So the IISCommitDelay is the new method which is used to management the IIS.
Detials, you could refer to this article.

Can't get Move-AzureResource working

I'm trying to move some of my resources (Azure Web Apps, Azure SQLs, Redis caches) from one resource group to another. I'm using the Azure Resource Manager PowerShell cmdlets.
Here's what I've tried:
PS C:\> Move-AzureResource -DestinationResourceGroupName NewResourceGroup -ResourceId "/subscriptions/someguid/resourceGroups/Default-Web-WestEurope/providers/Microsoft.Web/sites/somesite"
Or:
PS C:\> Get-AzureResource -ResourceName somesite | Move-AzureResource -DestinationResourceGroupName NewResourceGroup
Or:
just Move-AzureResource, hitting enter and supplying the parameters one by one.
None of the commands seems to work. They just don't do anything. No error, no output.
When I changed the debug preference to $DebugPreference = "Continue" I got only the following:
DEBUG: 12:16:06 - MoveAzureResourceCommand begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 12:16:06 - using account id 'my#account.tld'...
Please note that I'm able to create a new resource group (New-AzureResourceGroup), list resource groups (Get-AzureResourceGroup), list resources (Get-AzureResource), etc.
Note: you have to call Switch-AzureMode AzureResourceManager before you can use the cmdlets. The authentication is done by Add-AzureAccount.
Articles I've been referring to:
Moving resources between Azure Resource Groups
Move-AzureResource
Using Azure PowerShell with Azure Resource Manager
GitHub - Using Azure PowerShell with Azure Resource Manager
Reading this azure forum it looks like they have implemented the cmdlet but not all resources support being moved yet.
We have released a new powershell cmdlet to move resources across resource groups. Not all resources have support yet, but the "main" ones do like hosted services, virtual machines & storage accounts.
Looking back at the example I was following, this does only use VM's. So based on this I think websites aren't supported yet. That fact that no error or warning is returned for unsupported resources is a bit poor.
Though not all resources are currently supported, I understand the current version - 0.9.1 - does have a bug which means that even a supported resource may not be moved with the symptoms as seen by the author of the question. I understand this is being worked on for the next release, but in the interim (as a temp. work around) the previous powershell cmdlets release of 2 versions ago should work fine. https://github.com/Azure/azure-powershell/releases
The original issue is fixed in the 0.9.4 release. I just tried and it works.
FYI. To move a VM using Move-AzureResourceGroup you need to move the containing cloud service and all its VMs at the same time. For example:
Get-AzureResource -ResourceGroupName OriginalResourceGroup | where { $_.ResourceType -match 'Microsoft.ClassicCompute' } | Move-AzureResource -DestinationResourceGroupName NewResourceGroup
By default, the resources in a cloud service are put in a resource group with the same name as the DNS name of the cloud service.
For some reason, Azure PowerShell Version 1.0 has trouble moving over web apps from one Resource Group to another. If you follow the instrctions below, you will be able to move the web app over via powershell.
Download Azure PowerShell Version 1. The below instructions only work for this version. Type the commands below in order.
1) **Login-AzureRmAccount** (a login window will pop up asking for your azure credentials, type them in)
2) **Get-AzureRmResource -ResourceGroupName "NameOfResourceGroup" -ResourceName "WebAppName"** (if you are moving over a website, you will see 2 files, you need the one that is a resource type of Microsoft.Web/sites)
3) **Get-AzureRmResource -ResourceGroupName "NameOfResourceGroup" -ResourceName "WebAppName" -ResourceType "Microsoft.Web/sites"**
4) Assign value 3 to a variable of your name choice. I Chose $a, so **$a = Get-AzureRmResource -ResourceGroupName "NameOfResourceGroup" -ResourceName "WebAppName" -ResourceType "Microsoft.Web/sites"**
5) **Move-AzureRmResource -DestinationResourceGroup "DestinationResourceGroup" -ResourceId $a.ResourceId**
6) It will ask you if you are sure type "Y" and hit enter.

How to get some file from smb share in DSC script?

I am trying to copy one file from share in my custom dsc script. This code below works great in powershell, but not working in dsc resource.
PS C:\Users\user> $wc = New-Object System.Net.WebClient
PS C:\Users\user> $wc.DownloadFile("\\DC1\Downloads\en_sql_server_2012_enterprise_edition_with_service_pack_2_x64_dvd_
4685849.iso", "C:\SQL2012SP2.iso")
Powershell 4/5 has native commandlets for get files from smb share? Or any variants?
As #arco444 alluded to, the way you're doing this is bananas. Why not use Copy-Item?
That aside, I think you would have the problem with Copy-Item as well.
DSC runs under the context of SYSTEM, so you should make sure that your share allows access from the machine account of the machine on which the DSC is to be executed.
Alternatively, you can grant read access to Authenticated Users (which includes all other users as well), or Domain Computers if you're in a domain and want all of the computers to be able to read the contents.
The Credential parameter in file resource is used to connect to the source - so you can specify credentials for the share.
However make sure that credentials are secured as described in this article - [link] http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx

Get Azure VM Detail by PowerShell

I am trying to run Get-AzureVM PowerShell command, it is running fine but not return any output.
Also tried in following flavor but still blank result any idea?
Get-AzureVM -Name "vmname" |Select-Object name,instancesize,location
You should call Select-AzureSubscription "subscription name" first.
It likely is defaulting to a subscription that doesn't have any virtual machines in it.
To view your current subscription names call:
Get-AzureSubscription | select SubscriptionName
Actually the answer above is only semi-correct.
This had me pulling my virutal hair out trying to do automation (which took 7 hours of manual fudging to get working!).
Simply, you have two types of virtual machine in Azure; Classic, and Resource Manager.
If you Switch-AzureMode -name AzureServiceManagement then use Get-AzureVM you will list all of the classic VM's you have created.
If you Switch-AzureMode -name AzureResourceManager then use Get-AzureVM you will list all of the Resource Manager (or new) VM's you have created.
And remember, if you are trying to do automation, then you need the VM's in the new mode available through the portal, your old VM's (classic) that you created through management are not visable in this mode and you will have to recreate them.
Azure has two types of Management System: AzureServiceManagement (ASM) and AzureResourceManager (ARM)
In order to control these two different type of management systems you should switch between them as described in the main page of the Azure Powershell Github project page, but this is true for the azure powershell versions lower than 1.0.0, you can find more explanation in here
For those who are interested to control ARM (AzureResourceManager) with the powershell version greter than 1.0.0, they should use all Cmdlets with the following format : [Verb]-AzureRm[Noun], for example New-AzureVm becomes New-AzureRmVm, in our case Get-AzureVM became Get-AzureRmVm
In summary:
Powershell versions lower than 1.0.0 you should switch between modes and use Get-AzureVM, which is very confusing in my and lots of others opinion
Powershell versions equal or greater than 1.0.0 you should use Get-AzureVM for ASM and Get-AzureRmVm for ARM.
I know this question has been answered but I tried the answer given and it did not work for me. I found, I needed to switch my AzureMode.
To resolve, I ran the following powershell script.
Switch-AzureMode -Name AzureResourceManager
Switching Azure Powershell mode between AzureServiceManagement and AzureResourceManger is a possible solution if your script is using older features as well as new Azure Resource Manager cmdlets. The switch is needed only for Microsoft Azure Powershell version 0.9.8 or older.

Categories