I am using Version 1.0.1 Azure PowerShell module and it seems there is some breaking changes I cannot figure out.
I have logged into Azure and the Get-AzureSubscription cmdlet returns my two accounts. However, executing Get-AzureVM's returns nothing even though the Azure Portal is properly reporting about a dozen.
What am I doing wrong?
Thanks
Run Add-AzureAccount; this will load the Azure login dialogue, allowing you to sign in.
Once done, running Get-AzureSubscription should work as you'd expect.
Sadly no helpful error's displayed to say "you're not logged in; run Add-AzureAccount to login" if the command's run without you being logged in.
If you are attempting to fetch ARM resources, please use “Get-AzureRmVM” cmdlet.
Get-AzureVM - To fetch classic instances
Get-AzureRmVM - To fetch ARM instances.
Related
All the docs and help threads I can find reference connection strings with Authentication=ActiveDirectoryIntegrated to hit SQL with AAD integration. If I'm using SSMS I can also choose "Active Directory Universal" which gives a prompt if MultiFactorAuth (MFA) is required.
I want to use powershell to invoke-sqlcmd, or even sqlcmd.exe directly -- do either support an MFA flow? How else can I get commandline queries against an AAD-enabled MFA-enabled SQLAzure instance?
invoke-sqlcmd : Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory
(Authentication=ActiveDirectoryIntegrated).
Error code 0xCAA2000C; state 10
AADSTS50079: The user is required to use multi-factor authentication.
Trace ID: 54f0cb31-2f0f-4137-b142-b312a6cd441b
Correlation ID: 70204904-576c-4db5-9c3b-6ccd7fe6b409
Timestamp: 2017-02-09 22:56:39Z
I've seen https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication, and everything was working fine right up until MFA either was applied, or when it realized it was time to re-auth and prompt.
If there is a way for me to cache creds so ActiveDirectoryIntegrated generally works, and I just need to re-auth and re-cache when it decides it is time to force an MFA prompt I'm also open to that.
I want to use powershell to invoke-sqlcmd, or even sqlcmd.exe directly -- do either support an MFA flow?
No. As far as I know, the SSMS is the only tool currently enabled for MFA through Active Directory Universal Authentication.( refer here)
If you have any idea or suggestion about Azure SQL database, you can submit them from here.
Beginning with version 15.0.1, sqlcmd utility and bcp utility support Active Directory Interactive authentication with MFA.
Greeting Everyone,
Hoping someone has a quick insight but I am getting access denied on a service account using the PowerShell command Remove-CMDevice.
This process is as per outlined here, https://technet.microsoft.com/en-us/library/jj821759(v=sc.20).aspx
The account has permission to remove devices from SCCM and this works fine through the GUI but not the command line. I have been unable to find documentation on what permissions the account need to do this via command line, it works fine manually in the GUI.
If anyone can shed light on this it will be wonderful, I do want to keep this service account as having as minimal permissions as possible.
Many thanks,
Edit to Add Image as follows,
After a lot of testing, I'm here with an answer on the Permission part when using PowerShell console to remove CM system object. Of course the symptom is the same: The account can delete from Admin console, however, when using PowerShell, it failed with Permission error message.
The account to perform the Remove-CMDevice cmdlet must have proper RBA Permission on the object. Assume the security scope is default one, the account connected to Configuration Manager console must have below RBA permission which I tested is almost minimal permission:
In the screenshot the Collection part, the permission is easy to understand, Read, Delete Resource, etc.
For the Computer Association part, you may get confused, why?
Steps I did the troubleshooting:
I opened a PowerShell Console connecting to Configuration Manager using my test account and run below command to see what will happen:
Remove-CMDevice 'Rsuraceccc' -Verbose
I got below error:
Yes, it's trying to querying from the SMS_StateMigration. Then I try to run a simple command:
Get-WMIObject -NameSpace root\sms\site_clt -Query 'Select * from SMS_StateMigration'
Once again, I got error. So I get the conclusion that the account needs Permission on SMS_StateMigration. So I add 'Recover User State' permission of Computer Association on the role and tried again, cheers, this time all command runs successfully.
I don't know why it's using SMS_StateMigration, but this is the case here.
All,
I am trying to use a certificate to authenticate against azure instead of using the Azure-AddAccount. So I did the following in an administrator powershell console, i followed the instruction located at http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/ :
Get-AzurePublishSettingsFile
This prompted me to login and download the publishsettings file. I placed the file in the same folder as the powershell console is.
Import-AzurePublishSettingsFile "D:\Dev\Powershell\azure.publishsettings"
This command doesn't return anything. I am not sure if it worked, but if I put an invalid name it blows up so I assume it works.
Get-AzureStorageAccount
I get the error "Get-AzureStorageAccount : Your credentials have expired. Please use Add-AzureAccount to log in again." At this point I thought I imported my certificate and this should work, but it doesn't. Am I missing a step? I have multiple subscriptions, maybe thats the problem?
You still need to use Add-Account in addition to importing the publish settings file. Add-Account will prompt you for the user you wish to authenicate with when running certain commands.
Add-Account utilises a different authentication mechanism to the cert-based setup with the PublishSettings File and it necessary to use both in certain scenarios (such as yours).
How would I check if my credentials are already cached for a specific server using tf.exe? I am trying to do slight automation for tfs get and workspace/workfold configuration. The assumption is that most machines already have the credentials cached, but I want to be able to double check beforehand, and throw an error in powershell if they are not.
Thank you,
Derongan
Try using vaultcmd.exe e.g.:
vaultcmd /listcreds:"Windows Credentials" /all
You could run that through a Where-Object command looking for a string that matches the TFS server name.
I have an azure subscription and I'm trying to write a powershell script to automatically get a list of all the resources (VMs, Storage Accounts, Databases, etc) that I currently have in my subscription. Is there a way to do this using the azure management REST API or the Azure Cmdlets?
If you are using the new Resource Manager model (introduced in 2014) you can use the following PowerShell script.
Login-AzureRmAccount
Get-AzureRmResource | Export-Csv "c:\Azure Resources.csv"
To use the Resource Manager PowerShell commands you will need the AzureRM PowerShell module (https://learn.microsoft.com/en-us/powershell/azure/install-azurerm-ps).
Install-Module AzureRM
For more information on the difference between Resource Manager and Classic models see, https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-model.
For users with multiple subscriptions:
If you want to output the contents of multiple subscriptions then you will need to call Select-AzureRmSubscription to switch to another subscription before calling Get-AzureRmResource.
I don't think there's just one function (or PS Cmdlet) to fetch all this information. However each of these can be fetched through both Windows Azure Service Management REST API as well as Window Azure PowerShell Cmdlets.
Windows Azure Service Management REST API: http://msdn.microsoft.com/en-us/library/windowsazure/ee460799.aspx. For example, if you want to list storage accounts in your subscription, you would use this: http://msdn.microsoft.com/en-us/library/windowsazure/ee460787.aspx
Windows Azure PowerShell Cmdlets: http://msdn.microsoft.com/en-us/library/jj554330.aspx. Again, if you want to list storage accounts in your subscription, you would use this: http://msdn.microsoft.com/en-us/library/dn205168.aspx.
well,
You may update the version of your AzurePowershell and execute this command.
Get-AzureResource
In the output, You may check for "ResourceType".
It has the information about the type of resource creatd on azure.
Since you said PowerShell "preferably", I'm going to assume other options are still maybe useful? You can go to http://portal.azure.com, and click on the Menu icon (three horizontal lines), then All Resources. Then at the top of the page you can click Export to CSV and open that in Excel.
You have to take 30 seconds to do a little cleanup in Excel, but for what I'm trying to do right now, this was definitely the best & fastest solution. I hope it's useful to you (or someone else) too.
Adding to #Gaurav's answer (and related to your comment about SQL database enumeration): You can enumerate all of your databases, on a per-server basis, in a few easy steps.
First, enumerate all of the SQL Database servers in your subscription:
Then, for each server, create a connection context and enumerate the databases. Note that, with the Get-Credentials cmdlet, I was prompted to enter a username + password via a popup, which I don't show here. For demonstration purposes, I created a brand new server, with only a master database, to show what the output looks like:
This sample demonstrates how to automatically get a list of all the resources (VMs, Storage Accounts, Databases, App Services) and status via Powershell by certificate authentication.
https://gallery.technet.microsoft.com/Access-Azure-resource-data-ca9cc9f7
I know it's already been answered however, I have found the Get-AzResource command easy to use and fetches all the resources from a particular subscription. Try using it with "ft" for clean text
Get-AzResource | ft
Screenshot