I've been playing with RBAC in Azure AD, in particular custom application roles.
It all works well, but is a bit manual, i.e. downloading, editing and uploading the manifest and then assigning each user/group to one of these roles via the management portal.
Is there a way to do that via powershell or even code, say the Graph API?
If not, I presume it's a planned feature, so does anyone know a the likely ETA?
Right now this feature is not available via the AAD PowerShell Module, but it will find its way there eventually. We are working on releasing a new PowerShell module soon that sits atop ADAL which means we will soon be making cmdlets that directly target the Graph API.
For now, you can make direct queries using the Graph Client Library or pure REST calls. I believe an example of setting Application Roles should be available in this sample:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
I hope this helps!
Shawn Tabrizi
Before you can use Windows PowerShell to manage RBAC, you must have the following:
Windows PowerShell, Version 3.0 or 4.0. To find the version of Windows PowerShell, type:$PSVersionTable and verify that the value of PSVersion is 3.0 or 4.0.
Azure PowerShell version 0.8.8 or later.
To get detailed help for any cmdlet that you see in this tutorial, use the Get-Help cmdlet.
Get-Help <cmdlet-name> -Detailed
For example, to get help for the Add-AzureAccount cmdlet, type:
Get-Help Add-AzureAccount -Detailed
Since RBAC only works with Azure Resource Manager, the first thing to do is to switch to Azure Resource Manager mode, type:
PS C:\> Switch-AzureMode -Name AzureResourceManager
Here is the complete tutorial on
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-powershell/
Related
We are planning connect Microsoft Identity manager with Ceridian Dayforce HRIS tool. We want to use MIM then to sync with our Active Directory to get a list of all the users, roles and other details regularly.
I found Dayforce API documentation online here https://usconfigr58.dayforcehcm.com/api/ddn/swagger/
Can I use PowerShell to query and parse rest API so that I can get the information from Dayforce to our Active Directory?
Absolutely you could, you would write Powershell scripts to query the APIs using the the endpoints stated in Swagger to query the information you want, then use the resulting objects to update whatever you wanted to in AD. In Powershell the easiest way to do it would be using invoke-restmethod then use the appropriate Powershell AD commands to update the adusers mainly set-aduser
However, if you are using MIM, then you wouldn't be using Powershell to do it, you would use mim's workflow and rest connector functionality. Otherwise what's the point of using MiM if you are going to basically write your own sync?
Recently switched to a new machine, and installing all Azure powershell modules etc. I can no longer find the cmdlet New-AzureDnsRecordSet. The DNS Zone I currently have is based on service management not ARM, so I can't use the new ARM cmdlets. I can see majority of the other Azure service management commands, but not these ones.
I've tried:
Install-Module Azure
Import-Module Azure
nothing is adding those cmdlets in. The new Rm cmdlets are there, and you can see some Azure modules are there. Do I need to recreate the DNSzone with the new Rm cmdlet?
Yes, the New-AzureDnsRecordSet cmdlet has been deprecated in the latest version of Azure module as you have shown, which implies you can no longer create new Azure DNS record set in Classic (Service Management) mode.
You will need to create new Azure DNS Record Set with the new RM cmdlet (New-AzureRmDnsRecordSet) if you are using the latest Azure PowerShell version.
Hope that answers your question.
I have been trying to install the Azure Active Directory Module for Windows for Powershell. So far I have not been able to find a combination of the Sign-In Assistant and Powershell module versions that allows me to create a connection in a Powershell session. My measure for success has been to run the Connect-MsolService cmdlet to create such a connection. I have tried it both from the command line and in a script. The (few) forum and blogs posts that reference this functionality have been very contradictory.
I am using the same credentials that I use to log into manage.windowsazure.com.
As to the specifics I have the following configuration:
Windows Server 2012R2
Powershell version 4.0 ($PSVersionTable.PSVersion)
Microsoft Online Services Sign-In Assistant version 7.250.4556.0
Windows Azure Active Directory Module for Windows Azure version
1.0.8362. The version number is based on the command (get-item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion
My questions are as follows:
What versions work on Windows Server 2012R2?
Is there a specific .Net version that I might be missing?
Am I looking at it wrong? For example is the cmdlet
Connect-MsolService not the metric to be using? Is there another way
that I might verify that I have a connection?
My understanding is that the Powershell cmdlets, as well as all the other methods for managing Azure, are based on the REST API's. Would that be a better way to go? Of course I would not be able to dynamically enter commands, but I would be able to validate credentials etc.
Are you trying to authenicate with an MSA account? Try connecting with a Global Admin AAD account (eg. globaladminuser#tenant.onmicrosoft.com).
I am working on automatic deployment + azure. I'm at the point where i'm adding an ssl cert to the website. Does anyone know how to use PowerShell to upload an SSL certificate to a website using the PowerShell command (Add - Get - Set based commands)? I'm able to add a certificate to a cloud service using ...
New-AzureService $Program -Location 'East US'
Add-AzureCertificate -Password Cert123! -ServiceName $Program -CertToDeploy $CertLocation
but I have no idea how to add it to an azure website.
Thanks
edit: I've found a way using the following command, but i'm not wanting to install additional libraries on my production deployment machine.
azure site cert add -k Cert123! $CertLocation $Program
Using the newly released Azure PowerShell v. 1.1.0, you can use the following command to upload a certificate to your website
New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com
More information is in the following article
https://azure.microsoft.com/en-us/documentation/articles/app-service-web-app-powerhell-ssl-binding/
As far as I know the Azure PowerShell cmdlets do not offer this capability at the moment that I could find. As you point out the Cross Platform Command Line tool does. Since you don't want to add the XPlat-CLI tool to your deployment machines you can use what the XPlat-CLI tool does under the hood: a direct call against the REST api for web site management.
Note you'll need to figure out what webspace the site resides in, etc. You can use the Invoke-WebRequest to make this call so that you can verify you get that 200 response back. Or you could use the Invoke-RESTMethod as well, but that would only return an XML document (the contents of the response). The Invoke-WebRequest provides you a little more control and access to the full response object.
The Microsoft Azure Management Libraries (which the PowerShell cmdlets sit on top of) has a Web Site Management piece to it. One of the operations is an update to a site and that includes a WebSiteUpdateParameters object with a SSLCertificates property. You may check into that as well, though I've not done this myself.
I'm using the PowerShell CmdLets to automate most tasks against Windows Azure Cloud Services and Windows Azure Web Sites.
For Cloud Services, I can use the Get-AzureDeployment CmdLet. However, the similar Get-AzureWebSiteDeployment CmdLet requires Git to be installed before it can run and does not seem to be designed for the same task.
As far as I can see, the Get-AzureWebSite CmdLet only ever retrieves the "Production" slot of a Windows Azure Web Site.
How is it possible to get programmatic access to the corresponding "Staging" slot ?
We are working on some PowerShell cmdlets to support website slots. We are very close to releasing it. Keep an eye on this repo on github. https://github.com/WindowsAzure/azure-sdk-tools
Current date update (Jul 19 2015):
According to Azure Docs Web Sites Staging Slots there are new CMDLets that support querying Slots:
Show-AzureWebsite -Name webappslotstest -Slot staging
And some others cmdlets extended with -Slot attribute (Create New Website, Remove, Switch Slots).