What should I use in place of Select-AzureSubscription? - powershell

I am trying to remove deprecated cmdlets in a powershell script and one of the cmdlets is Select-AzureSubscription. I tried replacing it with Select-AzureRmSubscription but that requires user interaction to authenticate. Does anyone know what Azure-Rm cmdlet I should be using instead?

Select-AzureRmSubscription does change the approach that Azure uses for authentication. I had the same pain points when I converted my scripts.
The official way of approaching this via scripting is as follows -
$profile = Login-AzureRmAccount
Save-AzureRMProfile -Profile $profile -path $path
You can then use Select-AzureRmSubscription to none-interactively load those saved profiles.
Although ultimately I didn't go this route, I decided to add another layer of security and use a machine based certificate to encrypt / decrypt credentials to pass to Login-AzureRmAccount This way I could manage multiple sets of accounts and never have to be concerned about those tokens being exposed on vulnerable machines.

Related

Using Application ID to automate Seamless SSO kerberos decryption key rollover

I would like to automate the rollover of kerberos description keys used for seamless SSO. In doing this, I cannot use global administrator USER accounts, as they may receive spray attacks (I cannot use domain IDs as there are so many domains, and thus I will have to make so many Global Admins). I am thinking that by using application ID and certificates, I can securely automate this job.
The problem is, every sample code I could find has uses the "AuthenticationContext". Something like this:
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCredentials
Update-AzureADSSOForest -OnPremCredentials $OnpremCredentials
Is it possible to use application IDs to automate this process? And if it is, how do i code it?
Thank you for your kind help.
I'm afraid you could not use the service principal(i.e. the application ID) to do that.
Currently, we could just use domain admin and tenant global admin credentials in a scheduled task.
You could refer to this sample:
# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.
$CloudUser = 'service_account#domain.com'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
Besides, Azure Team is also working on getting this automated, see the feedback:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33773926-automate-seamless-sso-kerberos-decryption-key-roll

Is there a way to change the service account from "This account" to "Log in as" using Powershell?

New to powershell but bear with me. I am trying to automate an install of Prosystem Fx Engagement, but need to install a SQL instance. I have already done this part, but I will also need to automate the changing of a services account within services.msc. It will need to be changed from "This account" to "Log in as Local System Account"
https://imgur.com/en9COWl
The name of the service is MSSQL$PROFXENGAGEMENT, and the display name of the service is SQL Server (PROFXENGAGEMENT).
I don't really want to use the method below because the password is visible on the .ps file. I tried looking around but was not able to find anything. Is this even possible?
$LocalSrv = Get-WmiObject Win32_service -filter "name='MSSQL$PROFXENGAGEMENT'"
$LocalSrv.Change($null,$null,$null,$null,$null,$false,"DOMAIN\administrator","PASSWORD")
As for the method you are saying you don't want to use for the account change activity. You don't have to and should not put plain text password in scripts.
You can prompt for the password, store that in a variable and use it. Yet, that means a human has to be there to address that, so, not very automated.
So, this means you need to set the credentials in a file or other store and call that from your script.
Meaning like what is described below. This of course has to be done in advance of any other use case that will need it.
using secure password with multiple users without prompt
#saving credentials
Get-Credential | Export-CliXml -Path c:\credential.xml
#importing credentials to a variable
$Credential = Import-CliXml -Path c:\credential.xml
A YouTube Video on the topic:
Learn to securely use Passwords with PowerShell
You could also use the Windows Credential Store, and call it from there. Also shown in the above video.
Using Windows Credential Manager
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
https://www.powershellgallery.com/packages/CredentialManager/1.0
https://www.experts-exchange.com/questions/29061982/Powershell-Using-credentials-stored-in-Credential-Manager.html

How to manage multiple AzureRM accounts with Powershell

I tried to use Login-AzureRmAccount and Add-AzureRmAccount to login to my Azure Accounts. I have two of them, it was easy to add both of them via Add-AzureAccount and manage the active and default one using Select-Azuresubscription.
With the RM cmdlets every time I do Add-AzureRmAccount it overrides the previous authenticated one. This makes it hard for me to switch between a private and a company azure account.
Are there any solutions for that ?
I am using the PowerShell Gallery to update the Azure and AzureRM Modules and using the latest ones.
The official way is to do something like this
$profile1 = Login-AzureRmAccount
$profile2 = Login-AzureRmAccount
Select-AzureRmProfile -Profile $profile2
You can then save the profiles to disk using
Save-AzureRmProfile -Profile $profile1 -Path e:\ps\profile1.json
You can then load with
Select-AzureRmProfile -Path e:\ps\profile1.json
My personal approach though was to create a module that gave a cmdlet with profile1,profile2 etc as parameters. It would then download and decrypt credentials and feed them into Add-AzureRMAccount (this way I can use the same credential file from assorted locations)
Use Login-AzureRMAccout to login two accounts respectively. Then use Get-AzureRmSubscription to check the subscription info and note down the two TenantIds.
To switch between a private and a company azure account, you can specify the TenantId parameter using
$loadersubscription = Get-AzureRmSubscription -SubscriptionName $YourSubscriptionName -TenantId $YourAssociatedSubscriptionTenantId

How to get some file from smb share in DSC script?

I am trying to copy one file from share in my custom dsc script. This code below works great in powershell, but not working in dsc resource.
PS C:\Users\user> $wc = New-Object System.Net.WebClient
PS C:\Users\user> $wc.DownloadFile("\\DC1\Downloads\en_sql_server_2012_enterprise_edition_with_service_pack_2_x64_dvd_
4685849.iso", "C:\SQL2012SP2.iso")
Powershell 4/5 has native commandlets for get files from smb share? Or any variants?
As #arco444 alluded to, the way you're doing this is bananas. Why not use Copy-Item?
That aside, I think you would have the problem with Copy-Item as well.
DSC runs under the context of SYSTEM, so you should make sure that your share allows access from the machine account of the machine on which the DSC is to be executed.
Alternatively, you can grant read access to Authenticated Users (which includes all other users as well), or Domain Computers if you're in a domain and want all of the computers to be able to read the contents.
The Credential parameter in file resource is used to connect to the source - so you can specify credentials for the share.
However make sure that credentials are secured as described in this article - [link] http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx

Get-AzureStorageBlob throws Can not find your azure storage credential

I have just started using Azure and I am facing issues using the PowerShell cmdlets to work with my storage account.
I have created a Storage account and a container in that storage account. Next I installed the Azure Powershell SDK and command lets etc. and imported the publishsettings file. When I do the Get-AzureSubscription or Get-AzureStorageAccount command it correctly shows my subscription in the PowerShell console along with various storage end points.
However if I do a Get-AzureStorageBlob call or a Set-AzureStorageBlobContent I get the following error
Get-AzureStorageBlob : Can not find your azure storage credential. Please set current storage account using
"Set-AzureSubscription" or set the "AZURE_STORAGE_CONNECTION_STRING" environment variable.
I am literally at wits ends here. A Google search on this error string only brings up references to code on Github etc. Would really appreciate some help.
Right so I finally managed to do this! Here is the overall details on how to use PowerShell to create a blob in Azure and store a file there.
http://www.nikgupta.net/2013/09/azure-blob-storage-powershell/
$context = New-AzureStorageContext -StorageAccountName FunkyStorage -StorageAccountKey {Enter your storage account key here}
Set-AzureStorageBlobContent -Blob "MyFunkyBlob" -Container FunkyContainer-File "c:\temp\1.txt" -Context $context -Force
You may need to set the 'current' subscription to use. For that, you must run Select-AzureSubscription.
If you run Get-AzureSubscription, you'll see all subscriptions in your publish settings. One of those subscriptions should be set as the default. As you scroll through the result list, you'll see one property, IsDefault for each subscription, set to True or False. If the subscription you're using is set to False, run:
Select-AzureSubscription -SubscriptionName mysub
Hopefully that fixes the issue you're running into.
Just a quick FYI: you can do this another (and faster way). I build a web language atop Windows PowerShell that heavily integrates with Azure. It's called PowerShell Pipeworks.
You can use 4 cmdlets to interact with the blobs:
Get-Blob
Import-Blob
Export-Blob
Remove-Blob
All take a -StorageAccount and a -StorageKey, and also a -StorageAccountSetting and a -StorageKeySetting. You can save creds to disk (or for use in a web app by using Add-SecureSetting). Once any blob cmdlet has a storage account, it will continue to reuse it.
Export-Blob is also handy in that you can pipe in a directory to it, and it will create the right content types, and provide -Public, which will mark the container it's stored in as public.
These cmdlets are a notch older (~3 months) than the Azure ones, and still about 3/4ths the time to execute (I believe a major chunk of this is their slower lookup on credentials), and are worth a try.