How to manage multiple AzureRM accounts with Powershell - powershell

I tried to use Login-AzureRmAccount and Add-AzureRmAccount to log in to my Azure accounts. I have two of them; it was easy to add both via Add-AzureAccount and to manage the active and default one with Select-AzureSubscription.
With the RM cmdlets, every time I do Add-AzureRmAccount it overrides the previously authenticated one. This makes it hard for me to switch between a private and a company Azure account.
Are there any solutions for that?
I am using the PowerShell Gallery to update the Azure and AzureRM Modules and using the latest ones.

The official way is to do something like this:
$profile1 = Login-AzureRmAccount
$profile2 = Login-AzureRmAccount
Select-AzureRmProfile -Profile $profile2
You can then save the profiles to disk using:
Save-AzureRmProfile -Profile $profile1 -Path e:\ps\profile1.json
You can then load one with:
Select-AzureRmProfile -Path e:\ps\profile1.json
My personal approach, though, was to create a module that exposed a cmdlet taking profile1, profile2, etc. as parameters. It would then download and decrypt credentials and feed them into Add-AzureRmAccount (this way I can use the same credential file from assorted locations).
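The save/load pattern from the answer above, wrapped so that each account is kept as a named profile and switched by name; this is an added example, not the answerer's module. It uses the AzureRM 1.x/2.x cmdlets shown in the answer (Login-AzureRmAccount, Save-AzureRmProfile, Select-AzureRmProfile; in AzureRM 4.4 and later these were renamed Save-AzureRmContext and Import-AzureRmContext). The store location under the user profile and the function names are assumptions. The saved JSON holds the account's access and refresh tokens, so the example locks the file down to the current user with icacls before leaving it on disk.

```powershell
# Added example: one saved AzureRM profile per account, switched by name.
# Assumed store location; any directory only the current user can read will do.
$ProfileStore = Join-Path $env:USERPROFILE '.azurerm-profiles'

function Save-NamedAzureRmProfile {
    param(
        [Parameter(Mandatory)][string]$Name   # e.g. 'private' or 'company'
    )
    if (-not (Test-Path $ProfileStore)) {
        New-Item -ItemType Directory -Path $ProfileStore | Out-Null
    }
    $path = Join-Path $ProfileStore "$Name.json"

    # Interactive login; the returned object is the profile for that account.
    $rmProfile = Login-AzureRmAccount
    if (Test-Path $path) { Remove-Item $path }
    Save-AzureRmProfile -Profile $rmProfile -Path $path

    # The file now contains bearer/refresh tokens: drop inherited ACEs and grant
    # full control to the current user only.
    icacls $path /inheritance:r /grant:r "$($env:USERNAME):(F)" | Out-Null

    return $path
}

function Use-NamedAzureRmProfile {
    param(
        [Parameter(Mandatory)][string]$Name
    )
    $path = Join-Path $ProfileStore "$Name.json"
    if (-not (Test-Path $path)) {
        throw "No saved profile '$Name'. Run Save-NamedAzureRmProfile -Name $Name first."
    }
    Select-AzureRmProfile -Path $path | Out-Null

    # Echo the active account, tenant and subscription so a mix-up between the
    # private and the company account is visible before anything is deployed.
    $ctx = Get-AzureRmContext
    '{0} | tenant {1} | subscription {2}' -f `
        $ctx.Account.Id, $ctx.Tenant.TenantId, $ctx.Subscription.SubscriptionName
}

# Usage:
#   Save-NamedAzureRmProfile -Name private
#   Save-NamedAzureRmProfile -Name company
#   Use-NamedAzureRmProfile  -Name company
#   New-AzureRmResourceGroup -Name rg-demo -Location westeurope
#   Use-NamedAzureRmProfile  -Name private
```

The saved tokens expire and are refreshed on use, so a profile that has sat unused for a long time will prompt again; re-run Save-NamedAzureRmProfile for that name when that happens.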

Use Login-AzureRmAccount to log in to the two accounts respectively. Then use Get-AzureRmSubscription to check the subscription info and note down the two TenantIds.
To switch between a private and a company Azure account, you can specify the TenantId parameter using:
$loadersubscription = Get-AzureRmSubscription -SubscriptionName $YourSubscriptionName -TenantId $YourAssociatedSubscriptionTenantId

Related

Best way to authenticate an Azure Automation Powershell script

I'm trying to implement a fairly simple PowerShell query, hosted in Azure Automation, to manage External Identities.
I've set up a system-assigned managed identity and have successfully connected using Connect-AzAccount -Identity.
But when I run it, it says "You must call the Connect-AzureAD cmdlet before calling any other cmdlets".
The next cmdlet is Get-AzureADPolicy, which I think triggered the above message.
Following this blog, I tried this:
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext -ErrorAction Stop
Connect-AzureAD -TenantId $AzureContext.Tenant.TenantId -AccountId $AzureContext.Account.Id
and I get this: "Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'".
I am not at all sure now what to do; any help appreciated.
PS: I'm aware there are quite a few related questions, but I have not been able to find an answer to this particular query...
I was having the same issue and I resolved it by using the commands below. I have added comments to underline what each statement is meant for.
# Ensures you do not inherit an AzContext in your runbook. Out-Null is used to disable any output from this Cmdlet.
Disable-AzContextAutosave -Scope Process | Out-Null
# Connect to Azure with system-assigned managed identity.
$AzureContext = (Connect-AzAccount -Identity).context
# set and store context. Out-Null is used to disable any output from this Cmdlet.
Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext | Out-Null
With help from Microsoft support, I can now clarify the issue. The core point is that it is not possible to authenticate for AzureAD (with Connect-AzureAD) using Managed Identity; a Run As account must be used, at least currently.
Further, for our use case, the Run As account had to have "Global Admin" role; "Owner" was not sufficient
It is of course possible to use Managed Identity for managing other Azure Resources (using Connect-AzAccount)
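The runbook prologue from the accepted answer, extended with the check a practitioner wants before doing anything with the identity: that the active context really is the managed identity and not a context inherited from the sandbox, and that the subscription is pinned by ID rather than by display name. This is an added example, not code from either answer; it uses the Az cmdlets shown above (Disable-AzContextAutosave, Connect-AzAccount, Set-AzContext, Get-AzResourceGroup). $TargetSubscriptionId is an assumed runbook parameter, and 'ManagedService' is the account type Az reports for a managed identity.

```powershell
# Added example: fail-closed managed-identity prologue for an Azure Automation runbook.
param(
    [Parameter(Mandatory)][string]$TargetSubscriptionId   # assumed runbook parameter
)

# Never inherit a context another identity may have saved in the sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Connect with the system-assigned managed identity and keep the returned context.
$ctx = (Connect-AzAccount -Identity -ErrorAction Stop).Context

# Refuse to continue if we are not running as the managed identity.
if ($ctx.Account.Type -ne 'ManagedService') {
    throw ("Expected a managed identity context, got account type '{0}' ({1})." -f `
        $ctx.Account.Type, $ctx.Account.Id)
}

# Pin the subscription by ID; display names are not unique across tenants.
$ctx = Set-AzContext -SubscriptionId $TargetSubscriptionId -DefaultProfile $ctx -ErrorAction Stop

Write-Output ("Running as {0} in tenant {1}, subscription {2}" -f `
    $ctx.Account.Id, $ctx.Tenant.Id, $ctx.Subscription.Id)

# From here on, only what the identity's RBAC assignment permits; e.g. a read:
Get-AzResourceGroup -DefaultProfile $ctx | Select-Object ResourceGroupName, Location
```

Passing -DefaultProfile $ctx to every Az cmdlet, as the answer does for Set-AzContext, keeps the runbook bound to the identity it verified even if something else changes the process-wide default context later.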

Azure - How to deploy to guest directory via Powershell

I have created an ARM template that I would like to deploy via PowerShell to an Azure directory where I am a guest, meaning I have Contributor access to one particular resource group. How do I do that?
Normally, when using my own subscription, I just run Login-AzureRMSubscription and Select-AzureRMSubscription -SubscriptionId myidblabla and then New-AzureRMResourceGroupDeployment -Name blabla -TemplateFile mypath -ResourceGroupName somename.
But how do I target the directories where I am invited? Using Get-AzureRMSubscriptions, I can also see the ones where I am a guest, but I cannot switch to them.
Any help with this would be greatly appreciated!
Thanks!
Edit: I have tried Select-AzureRmSubscription -TenantId, but the reply I get is details about my own subscription, including my tenant ID, and I still cannot see the resource group that I have access to. Note: if I log in to the portal, I can easily switch to the directory, see my resource group in the resource groups section and deploy resources to it.
According to your description, we can use this command to log in to Azure and change directory:
Select-AzureRmSubscription -SubscriptionId <ID of sub> -TenantId <ID of Azure Tenant>
We can actually just specify the tenant ID to select the directory, without a subscription ID:
Select-AzureRmSubscription -TenantId <ID of Azure Tenant>

Still requiring Login-AzureRmAccount even after importing PublishSettings in Azure

I am attempting to log in to an Azure account through a PowerShell script by means of a publishsettings file; however, I am still finding that it requires me to log in to my account using Login-AzureRmAccount, regardless of having those credentials.
My step-by-step looks something like this:
Clear out all accounts that may be available:
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.Id -Force }
Download the PublishSettings file: Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettingsFileNameWithPath
Select the Azure subscription using the subscription ID:
Select-AzureRmSubscription -SubscriptionId $SubscriptionId
And finally, create a new resource group in the subscription before deploying to it: New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation -Verbose -Force 2>> .\errorCIMS_RG.txt | Out-File .\rgDetailsCIMS_RG.txt
However, this is when an error is thrown: "Run Login-AzureRmAccount to login."
Assuming I have the PublishSettings file and it hasn't expired, why would this be giving back an error?
As Mihail said, we should check the Azure PowerShell version first, and install the latest version.
We can run this command to list the Azure PowerShell version:
Get-Module -ListAvailable -Name Azure -Refresh
By the way, Import-AzurePublishSettingsFile works with ASM, while New-AzureRmResourceGroup is an ARM command, so if you want to create a resource group you should run Login-AzureRmAccount first.
Note: The AzureResourceManager module does not support publish settings files.
For more information about Import-AzurePublishSettingsFile, please refer to this link.
I solved this problem by updating to the latest version of the Azure PowerShell cmdlets.
You can find the latest one here:
https://github.com/Azure/azure-powershell/releases

Executing Select-AzureRmSubscription works from one of my (client) machines but not in another

Context
I have a Microsoft account, and I have an Azure subscription for it. I've got access rights (added as user: Owner) to other Microsoft accounts' subscriptions.
All works OK: when I log in to the Azure portal with my one and only credential, I can see the directories (tenants?) listed in the top-right menu, so I can switch. After switching to a directory I can see the subscription(s) for that directory.
I would like to use this credential similarly in PowerShell. So far I have used Select-AzureRmSubscription with success, and interestingly I found that I can omit the -TenantId parameter even when the subscription is under a different tenant than my default directory. (I suppose Select-AzureRmSubscription iterates through all subscriptions of all tenants to find the GUID I provide in the -SubscriptionId parameter. Or was this only a "bug"?) Anyway, now I've switched to another client computer with freshly installed AzureRM PowerShell modules, and the very same Select-AzureRmSubscription does not work there. So I thought this "bug" was "fixed" and that I now must use the -TenantId parameter too. However, I still get an error.
NOTE: All works from my older developer machine: I can switch between subscriptions of different tenants just by using Select-AzureRmSubscription (even not using -TenantId parameter)
What I've tried:
$subscriptionId = "42940206-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$tenantId = "ce8a477c-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId -TenantId $tenantId
I've got the following error message:
Set-AzureRmContext : Cannot validate argument on parameter 'SubscriptionId'. The argument "42940206-xxxx-xxxx-xxxx-xxxxxxxxxxxx" does not
belong to the set "0692a8b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
What is this "0692a8b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx" specified by the ValidateSet attribute? It is neither one of my subscription IDs nor one of my tenant IDs...
Differences between the two client machines
Working: PowerShell 5, approx. half-year-old AzureRM modules, installed by PowerShellGet's Install-Module
Not working: PowerShell 4, latest AzureRM modules, installed by PowerShellGet's Install-Module
The trivial next step would be to install PowerShell 5 on the new machine, but it is a production machine with many stabilized, daily-running PowerShell scripts, so I would not like to risk breaking the production processes...
I ran into a similar issue. I was only experiencing the issue if the subscriptions were in different tenants.
The cure, for me, was to get the subscription object, then select it. So, using your example above, where you have $subscriptionId setup with your subscription ID value you want, you'd do:
Get-AzureRmSubscription -SubscriptionId $subscriptionId | Select-AzureRmSubscription
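The guest-directory question above and this one share the same root cause: a subscription in another tenant is only visible when that tenant is named explicitly, so a bare -SubscriptionId resolves against the home tenant's set and fails. The function below, an added example rather than code from either thread, enumerates the tenants the signed-in account can see with Get-AzureRmTenant, looks the subscription up in each, and then pins both tenant and subscription when setting the context. The function name is an assumption; the cmdlets are the AzureRM ones discussed on this page.

```powershell
# Added example: locate a subscription across all visible tenants (home and guest)
# and select it with its tenant pinned, so the context cannot silently resolve into
# the home tenant.
function Select-AzureRmSubscriptionAcrossTenants {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId
    )

    # Requires a prior Login-AzureRmAccount; Get-AzureRmTenant lists every tenant
    # the signed-in account is a member or guest of.
    $found = @(foreach ($tenant in Get-AzureRmTenant) {
        Get-AzureRmSubscription -TenantId $tenant.TenantId -ErrorAction SilentlyContinue |
            Where-Object { $_.SubscriptionId -eq $SubscriptionId }
    })

    if ($found.Count -eq 0) {
        $who = (Get-AzureRmContext).Account.Id
        throw "Subscription $SubscriptionId is not visible in any tenant for $who."
    }
    if ($found.Count -gt 1) {
        # A real subscription ID belongs to exactly one tenant; refuse rather than guess.
        throw ("Subscription {0} appears in {1} tenants: {2}" -f `
            $SubscriptionId, $found.Count, ($found.TenantId -join ', '))
    }

    Set-AzureRmContext -SubscriptionId $found[0].SubscriptionId -TenantId $found[0].TenantId | Out-Null

    # Confirm the switch actually landed in the expected tenant before returning.
    $ctx = Get-AzureRmContext
    if ($ctx.Tenant.TenantId -ne $found[0].TenantId) {
        throw "Context is in tenant $($ctx.Tenant.TenantId), expected $($found[0].TenantId)."
    }
    $ctx
}

# Usage (IDs are placeholders):
#   Login-AzureRmAccount
#   Select-AzureRmSubscriptionAcrossTenants -SubscriptionId '42940206-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
#   New-AzureRmResourceGroupDeployment -Name demo -ResourceGroupName somename -TemplateFile .\template.json
```

The -ErrorAction SilentlyContinue on Get-AzureRmSubscription matters: a tenant that grants directory access but no subscription access returns an error, and that should not abort the search through the remaining tenants.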

What should I use in place of Select-AzureSubscription?

I am trying to remove deprecated cmdlets from a PowerShell script, and one of the cmdlets is Select-AzureSubscription. I tried replacing it with Select-AzureRmSubscription, but that requires user interaction to authenticate. Does anyone know which AzureRm cmdlet I should be using instead?
Select-AzureRmSubscription does change the approach that Azure uses for authentication. I had the same pain points when I converted my scripts.
The official way of approaching this via scripting is as follows:
$profile = Login-AzureRmAccount
Save-AzureRmProfile -Profile $profile -Path $path
You can then use Select-AzureRmSubscription to non-interactively load those saved profiles.
Ultimately, though, I didn't go this route; I decided to add another layer of security and use a machine-based certificate to encrypt / decrypt credentials to pass to Login-AzureRmAccount. This way I could manage multiple sets of accounts and never have to be concerned about those tokens being exposed on vulnerable machines.
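Two threads on this page end in the same place: publish-settings files only work for the classic (ASM) cmdlets, and Select-AzureSubscription has no drop-in ARM equivalent that avoids an interactive prompt. The unattended ARM login a practitioner would reach for instead is a service principal authenticated with a certificate held in the machine certificate store, which is a different use of a certificate from the answer above (there the certificate encrypts stored credentials; here it is the service principal's own credential). This is an added example, not the answerer's code; the parameters are placeholders, and it assumes a service principal has been registered in the tenant with this certificate's public key.

```powershell
# Added example: non-interactive ARM login with a certificate-backed service principal.
# Only the thumbprint appears in the script; the private key stays in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory)][string]$ApplicationId,   # application (client) ID of the service principal
    [Parameter(Mandatory)][string]$TenantId,        # directory the service principal lives in
    [Parameter(Mandatory)][string]$SubscriptionId,  # subscription to work in
    [Parameter(Mandatory)][string]$Thumbprint       # certificate registered on the service principal
)

# Check the certificate before attempting the login so failures are explicit.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key accessible to this account."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
}

# Certificate-based service principal login: no password or publish-settings file on disk.
Login-AzureRmAccount -ServicePrincipal `
    -TenantId $TenantId `
    -ApplicationId $ApplicationId `
    -CertificateThumbprint $Thumbprint `
    -ErrorAction Stop | Out-Null

# This replaces Select-AzureSubscription: pin tenant and subscription explicitly.
Set-AzureRmContext -SubscriptionId $SubscriptionId -TenantId $TenantId -ErrorAction Stop | Out-Null

$ctx = Get-AzureRmContext
Write-Output ("Authenticated as {0} ({1}) in subscription {2}" -f `
    $ctx.Account.Id, $ctx.Account.Type, $ctx.Subscription.SubscriptionName)

# ARM work proceeds under the service principal's RBAC assignment, e.g.:
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
```

Grant the service principal only the role it needs on the target scope (Contributor on one resource group rather than Owner on the subscription), and rotate the certificate before NotAfter; the expiry check above turns a silent mid-pipeline failure into a clear error at login time.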