Prevent Azure PowerShell Credentials from expiring? - powershell

I need to take regular backups of a suite of VM’s in an Azure environment. I thought the obvious solution to this would be to use PowerShell to automate the process so have written a script to do just that. I want this to run on a schedule, unattended with no manual intervention. However, the problem I have is that every few days I get the error:
Your Windows Azure credential in the Windows PowerShell session has expired. Please use Add-AzureAccount to login again.
Which means I have to re-run Add-AzureAccount and sign back in through the associated popup and everything works again. Obviously this is no good and negates the benefit of doing this automation.
Is there any way I can prevent these credentials from expiring?
Thanks

Yes, by using certificate authentication instead. One of the drawbacks of using Add-AzureAccount is that the credentials expire from time to time. You could just run Add-AzureAccount again but certificate authentication would be best for you in this scenario.
Firstly, remove the current accounts you have registered in PowerShell using the Remove-AzureAccount cmdlet. Something like:
Remove-AzureAccount -Name name#account.onmicrosoft.com
This doesn't remove your account from Azure, just the reference you hold to it in your PowerShell console (from when you used Add-AzureAccount). Then you run
Get-AzurePublishSettingsFile
this will open a browser window, ask you to authenticate to your account and you'll download a file ending in .publishsettings
Then, in Azure PowerShell you run
Import-AzurePublishSettingsFile -PublishSettingsFile <path_to_file>
which will import the certificates from the publishsettings file, allowing you to execute your scripts without using Add-AzureAccount.
You may also need to use Set-AzureSubscription -SubscriptionName <name_of_subscription> if you happen to have more than one subscription.
Additionally, the following MSDN blog describes the process just as I have above. http://blogs.technet.com/b/ricardma/archive/2014/07/04/managing-azure-subscriptions-in-powershell.aspx

Related

WARNING: Unable to acquire token for tenant 'organizations' with error authentication failed: Retry failed after 4 tries.'

I am using powershell to connect to azure interactively, where i will give my username and password and script will fetch the secrets from the key vault . I am not suppose to use the app id here . I was using azure module and powershell 5.1 where the Connect-AzAccount command used to work , open a browser and let me feed my details .
From last 3 days , i am seeing the below error . It is not showing up any browser window
WARNING: Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication
failed: Retry failed after 4 tries.'
I have tried to delete the azure context files and try again but facing the same issue
You may try the suggestion in comment.
If not,it may occur due to different reasons,some times it may also be due to network issue and delay.
Some work arounds that you may try.
Please clear the cache and try running the following command in order :
Install-Module Az Import-Module Az Connect-AzAccount with” Windows PowerShell ISE".
As you were saying it worked previously, It may have had upgraded to newer version say 2.2.8.Try down grading the Az.Accounts package to version example:1.6.Or you may try the other way around by upgrading.
PowerShell developer reference for Azure Functions | Microsoft Docs
Try to install AZ module on your PowerShell and set your execution policy to remote signed.
Give your tenant ad directly Connect-AzAccount -TenantId cf2a0-*******
Try "Connect-AzAccount -UseDeviceCode" or "Connect-AzureAd"
Check if Grant API permissions to read or read/write on Azure Active Directory to the application.ex:Directory.ReadWriteAll is done. Make sure Managed Service Identity (MSI) has been turned on, and in Keyvault is granted the MSI access policies.And check if user is assigned role .
Try to run your powershell as admin, update the module with Update-Module -Name Az, then login again.
You may use "Connect-AzAccount -Identity -ErrorAction Stop" To catch the error
If issue is not resolved you may raise a support request.
References:
Troubleshoot Azure Automation runbook issues| Microsoft Docs
Using Azure Key Vault with PowerShell
Other SO reference

Get-AzureSubscription -ExtendedDetails in PowerShell doesn't include certificate

I'm trying to revoke a VPN certificate using Microsoft's byzantine Azure Powershell commands, as described here: https://blogs.technet.microsoft.com/keithmayer/2014/12/09/step-by-step-revoking-and-reinstating-client-vpn-certificates-for-azure-point-to-site-vpns/. (Don't get me started on why you should need to write a 20-line script that makes a manually-constructed REST API call to do basic user management - that's a separate issue for now.)
One of the key bits is getting the appropriate management certificate. You're supposed to use this command:
$cert = (Get-AzureSubscription -SubscriptionName BizSpark -ExtendedDetails).Certificate
One some machines this works. But on my main client machine, the one that I need to run it on, the Certificate property is always blank. I've tried re-importing my .publishsettings file, upgrading the Azure Powershell commandlets, deleting the C:\Users\user\AppData\Roaming\Windows Azure Powershell directory, and so forth, to no avail.
Any suggestions?

Run Powershell remotely as Admin

IT admin here, First Question on this site. Online I found a simple Powershell script that manually creates a System Restore Point on a user's PC. I want to deploy this to all company computers via a GPO scheduled task. Script as follows:
Checkpoint-Computer -Description 'System Restore Point' -RestorePointType modify_settings
Script work perfectly fine. Issue is that powershell needs to run as an admin. In scheduled task menu, the option to run with highest privileges only works if the user is a local admin. For security reasons at our company, it will not be possible to grant user's local admin access.
My question, is there some simple commands I can add that will elevate powershell to have admin privileges? Also, have to make sure that the user will not be prompted, and that the rest of the command will still execute. I do not mind having to store username or admin passwords in the script itself as the users will not see the script. I appreciate any suggestions, but only if it is fairly simply to execute. Keep in mind, I am not a programmer, I am a Cisco network engineer as well as a Windows Server admin. My boss just wants me to create manual restore points on a set schedule and I think powershell might be the best. Open to other script types though.
There are 2 parts to your question. The first part is about how to run a scheduled task as a specific user with elevated rights. I don't think it's correct that it's only possible to do so with a local admin account, but that's off-topic for this site. Consider posting that separately on ServerFault (if you do and link it, I will take a look).
The second part concerns embedding credentials into the script.
This is typically a bad idea. Saying that the user "won't" see it is not the same as saying they can't see it. If they can see it, the credential is compromised and essentially that user now can trivially have elevated rights.
So you would need to secure the script file well enough so that the unprivileged user cannot read the file.
Encrypted Credentials
PowerShell also has a [PSCredential] object which stores the password as a secure string. It is possible to store and retrieve an encrypted version of this object.
For example:
$cred = Get-Credential
$cred | Export-CliXml -Path C:\my\cred.xml
The XML file will contain the credential but it will be encrypted. It can only be decrypted by the same user on the same machine that encrypted it to begin with.
This could be a way for you to use a credential if needed. But to be honest it probably isn't.
How I would do this
Run your scheduled task as SYSTEM.
It should be privileged enough to take a restore point
It's local
It's easy to set a scheduled task to run as SYSTEM even through GPO
It requires no password handling

Azure Powershell website cmdlet's not working correctly on server

I am setting up deployment of an azure website on a build server running Server 2012.
I first tried to deploy from my local machine using the following steps (and it worked):
Install Azure Powershell using WPI
Use Get-AzurePublishSettingsFile command and Import-AzurePublishSettingsFile to get access to my Azure websites etc from powershell
Run command Get-AzureWebsites and I see a list of my websites
Run Publish-AzureWebsiteProject to publish my package to the website
All the above works. However, when I follow exactly the same steps on my server, when I get to the Get-AzureWebsites step, I get nothing back. As a follow on from this, when I try and run the publish command, I get a "website does not exist" error.
If I run the Get-AzureAccount and Get-AzureSubscription commands, I get back the correct account / subscriptions.
I have no idea what is going on?!
Check if there are more than one azure subscriptions on that server. If there are more, make sure that the subscription that you need is set as default.
Use the command:
Select-AzureSubscription -Default 'subscription name'
... to set the default subscription.
Azure command is Get-AzureWebsite not Get-AzureWebsites.

Import-AzurePublishSettingsFile vs Add-AzureAccount

Introduce the Problem
I like to manage Windows Azure Websites through PowerShell. For instance, I like to run Get-Website to view a list of all my websites. Before I do that, I need to authenticate with Windows Azure.
Research
One way to do this is via Add-AzureAccount, which prompts me to sign in with my Azure username and password, afterwhich I can run Get-AzureWebsite to view the list. At this point, I have no Management Certificates, and it doesn't seem to matter. I can run Remove-AzureAccount some#account.com to sign out.
Another way to do this is via a Management Certificate. I run Get-AzurePublishSettingsFile followed by Import-AzurePublishSettingsFile. Then I can run Get-AzureWebsite to view my list.
This seems like two ways to do the same thing.
Question
Other than allowing me to save a Management Certificate for convenience, what is the difference, if any, between the two methods?
Import-AzurePublishSettingsFile is not interactive, so I can use a batch process.
Add-AzureAccount is interactive. Since I do not require the certificate, I use Add-AzureAccount because it is easier.