Azure powershell cmdlets with certificate authentication not working - powershell

All,
I am trying to use a certificate to authenticate against Azure instead of using Add-AzureAccount. So I did the following in an administrator PowerShell console, following the instructions located at http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/ :
Get-AzurePublishSettingsFile
This prompted me to log in and download the publishsettings file. I placed the file in the same folder the PowerShell console is running from.
Import-AzurePublishSettingsFile "D:\Dev\Powershell\azure.publishsettings"
This command doesn't return anything. I am not sure if it worked, but if I put an invalid name it blows up, so I assume it works.
Get-AzureStorageAccount
I get the error "Get-AzureStorageAccount : Your credentials have expired. Please use Add-AzureAccount to log in again." At this point I thought I had imported my certificate and this should work, but it doesn't. Am I missing a step? I have multiple subscriptions, maybe that's the problem?

You still need to use Add-Account in addition to importing the publish settings file. Add-Account will prompt you for the user you wish to authenticate with when running certain commands.
Add-Account utilises a different authentication mechanism from the cert-based setup with the PublishSettings file, and it is necessary to use both in certain scenarios (such as yours).

Related

How to invoke-sqlcmd (or sqlcmd.exe) with AAD+MultiFactorAuth

All the docs and help threads I can find reference connection strings with Authentication=ActiveDirectoryIntegrated to hit SQL with AAD integration. If I'm using SSMS I can also choose "Active Directory Universal" which gives a prompt if MultiFactorAuth (MFA) is required.
I want to use powershell to invoke-sqlcmd, or even sqlcmd.exe directly -- do either support an MFA flow? How else can I get commandline queries against an AAD-enabled MFA-enabled SQLAzure instance?
invoke-sqlcmd : Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory
(Authentication=ActiveDirectoryIntegrated).
Error code 0xCAA2000C; state 10
AADSTS50079: The user is required to use multi-factor authentication.
Trace ID: 54f0cb31-2f0f-4137-b142-b312a6cd441b
Correlation ID: 70204904-576c-4db5-9c3b-6ccd7fe6b409
Timestamp: 2017-02-09 22:56:39Z
I've seen https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication, and everything was working fine right up until MFA either was applied, or when it realized it was time to re-auth and prompt.
If there is a way for me to cache creds so ActiveDirectoryIntegrated generally works, and I just need to re-auth and re-cache when it decides it is time to force an MFA prompt I'm also open to that.
I want to use powershell to invoke-sqlcmd, or even sqlcmd.exe directly -- do either support an MFA flow?
No. As far as I know, SSMS is the only tool currently enabled for MFA through Active Directory Universal Authentication (refer here).
If you have any idea or suggestion about Azure SQL database, you can submit them from here.
Beginning with version 15.0.1, the sqlcmd utility and the bcp utility support Active Directory Interactive authentication with MFA.
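An added example (not part of this thread) showing the two ways a practitioner can get a command-line query through an MFA-enforced Azure AD login: the interactive flow that sqlcmd 15.0.1+ exposes with -G and a -U without -P, and, for scripts that already have an MFA-completed Az session, an access token handed to SqlClient so no password is ever stored. Server, database, user and query are placeholders; the sqlcmd flags are from the sqlcmd documentation, while the Get-AzAccessToken and SqlConnection.AccessToken usage is my assumption about those APIs.

```powershell
# Added example, not from the original thread. Server, database, user and query
# are placeholders; sqlcmd flags (-G, -U, -l, -b, -Q) are documented sqlcmd
# switches, the Az / SqlClient calls are assumptions about those libraries.
param(
    [string]$Server   = 'myserver.database.windows.net',   # placeholder
    [string]$Database = 'mydb',                             # placeholder
    [string]$User     = 'alice@contoso.com',                # placeholder AAD UPN
    [string]$Query    = 'SELECT SUSER_SNAME() AS LoginName, DB_NAME() AS Db;'
)

function Invoke-SqlInteractiveMfa {
    # -G selects Azure AD authentication. Supplying -U with no -P makes sqlcmd
    # (>= 15.0.1) use Active Directory Interactive, which raises the MFA prompt.
    # -b turns SQL errors into a non-zero exit code; -l caps the login wait.
    $sqlcmd = Get-Command sqlcmd.exe -ErrorAction Stop
    & $sqlcmd.Source -S $Server -d $Database -G -U $User -l 30 -b -Q $Query
    if ($LASTEXITCODE -ne 0) {
        throw "sqlcmd failed with exit code $LASTEXITCODE"
    }
}

function Invoke-SqlWithAzToken {
    # Reuse the session created by Connect-AzAccount (where MFA already happened)
    # and pass its token to SqlClient; no credential is stored in the script.
    $token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
    if ($token -is [securestring]) {
        # Newer Az.Accounts versions return the token as a SecureString.
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=tcp:$Server,1433;Database=$Database;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
    $conn.AccessToken = $token
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) {
                $row[$reader.GetName($i)] = $reader.GetValue($i)
            }
            $rows += [pscustomobject]$row
        }
        return $rows
    } finally {
        $conn.Dispose()
    }
}

# Token path when an Az session exists (unattended scripts), interactive prompt otherwise.
if (Get-AzContext -ErrorAction SilentlyContinue) {
    Invoke-SqlWithAzToken | Format-Table -AutoSize
} else {
    Invoke-SqlInteractiveMfa
}
```

The token route is the one to prefer for automation: the MFA challenge is satisfied once at Connect-AzAccount time and the script only ever holds a short-lived bearer token, whereas ActiveDirectoryPassword-style connection strings would put a reusable password on disk.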

SCCM 2012 R2 Remove-CMDevice

Greeting Everyone,
Hoping someone has a quick insight, but I am getting access denied on a service account using the PowerShell command Remove-CMDevice.
This process is as outlined here, https://technet.microsoft.com/en-us/library/jj821759(v=sc.20).aspx
The account has permission to remove devices from SCCM and this works fine through the GUI but not the command line. I have been unable to find documentation on what permissions the account needs to do this via the command line; it works fine manually in the GUI.
If anyone can shed light on this it would be wonderful; I want to keep this service account with as few permissions as possible.
Many thanks,
Edit to add image as follows:
After a lot of testing, I'm here with an answer on the permission part when using the PowerShell console to remove a CM system object. Of course the symptom is the same: the account can delete from the admin console, however, when using PowerShell, it fails with a permission error message.
The account performing the Remove-CMDevice cmdlet must have the proper RBA permissions on the object. Assuming the security scope is the default one, the account connected to the Configuration Manager console must have the RBA permissions below, which I tested to be close to the minimum:
In the screenshot, the Collection part is easy to understand: Read, Delete Resource, etc.
For the Computer Association part you may be confused: why?
Troubleshooting steps I took:
I opened a PowerShell console connected to Configuration Manager using my test account and ran the command below to see what would happen:
Remove-CMDevice 'Rsuraceccc' -Verbose
I got the error below:
Yes, it's trying to query SMS_StateMigration. Then I tried to run a simple command:
Get-WMIObject -NameSpace root\sms\site_clt -Query 'Select * from SMS_StateMigration'
Once again, I got an error. So I concluded that the account needs permission on SMS_StateMigration. I added the 'Recover User State' permission of Computer Association to the role and tried again; cheers, this time all commands ran successfully.
I don't know why it's using SMS_StateMigration, but this is the case here.
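An added example, not from this thread, that turns the troubleshooting above into a pre-flight check for a least-privilege service account: it runs the SMS Provider queries Remove-CMDevice was seen to need (the device lookup and SMS_StateMigration) under the current account, reports which are denied, and only then runs the removal with -WhatIf. Site code, provider host name and device name are placeholders (the site code mirrors root\sms\site_clt above); the cmdlet parameters are from the Get-CimInstance and Remove-CMDevice documentation.

```powershell
# Added example, not from the original thread. Run it as the service account, with the
# ConfigurationManager module imported and the location set to the site drive
# (e.g. Set-Location CLT:) so that Remove-CMDevice is available.
param(
    [string]$SiteCode   = 'CLT',            # placeholder, matches root\sms\site_clt above
    [string]$Provider   = 'cm-provider01',  # placeholder SMS Provider host
    [string]$DeviceName = 'Rsuraceccc'      # device name used in the thread
)

$ns = "root\sms\site_$SiteCode"
# Escape single quotes so a device name cannot alter the WQL (WQL has no parameters).
$safeName = $DeviceName -replace "'", "''"

# Queries the troubleshooting above showed Remove-CMDevice needs. The second one is
# where the missing 'Recover User State' (Computer Association) permission surfaced.
$probes = [ordered]@{
    'SMS_R_System (device lookup)' = "SELECT ResourceId, Name FROM SMS_R_System WHERE Name = '$safeName'"
    'SMS_StateMigration'           = 'SELECT * FROM SMS_StateMigration'
}

function Test-CMProviderAccess {
    param([string]$Label, [string]$Wql)
    try {
        $null = Get-CimInstance -ComputerName $Provider -Namespace $ns -Query $Wql -ErrorAction Stop
        [pscustomobject]@{ Probe = $Label; Result = 'Allowed'; Detail = '' }
    } catch {
        # The SMS Provider reports RBA denials as CIM errors; keep the message so the
        # administrator can map it to the role permission that is missing.
        [pscustomobject]@{ Probe = $Label; Result = 'Denied'; Detail = $_.Exception.Message }
    }
}

$results = foreach ($p in $probes.GetEnumerator()) {
    Test-CMProviderAccess -Label $p.Key -Wql $p.Value
}
$results | Format-Table -AutoSize

if ($results.Result -contains 'Denied') {
    Write-Warning 'Account lacks SMS Provider access; fix the RBA role before running Remove-CMDevice.'
    return
}

# All probes passed: dry-run the removal so the target can be reviewed first.
Remove-CMDevice -DeviceName $DeviceName -Force -WhatIf
```

Adding further WQL probes to the table is the cheap way to discover the next class a cmdlet touches, which is exactly what the -Verbose output above revealed for SMS_StateMigration.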

Running PowerShell as different user and credentials

I am working on a project using PowerShell, and the challenge that I have now is how to run PowerShell itself.
I have access to a domain credential that has login capability on the server I am running it from, and I am planning on using WQL queries as triggers to run the script at different times.
Is there a way to do this without leaving the credential information as plaintext? I have and use stored domain credentials within the script, but I cannot find a way to use those credentials to run the script itself.
Any idea how to do this, or creative ways to get around the issue? I cannot use Task Scheduler for this project.
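An added example (not part of this question) of the usual answer to "no plaintext credential on disk" on Windows: capture the domain credential once with Export-Clixml, which encrypts the password with DPAPI bound to the saving user and machine, lock the file's ACL, and later launch a second PowerShell under that credential with Start-Process -Credential. Paths are placeholders.

```powershell
# Added example, not from the original question. Paths are placeholders.
$CredPath   = 'C:\ProgramData\MyProject\runas.cred.xml'   # placeholder
$ScriptPath = 'C:\ProgramData\MyProject\job.ps1'          # placeholder

function Save-RunAsCredential {
    param([string]$Path)
    # Prompt interactively once; nothing is typed into a script file.
    $cred = Get-Credential -Message 'Domain account that will run the job'
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    # Export-Clixml stores the password as a DPAPI-protected SecureString that only
    # this Windows account on this machine can decrypt.
    $cred | Export-Clixml -Path $Path

    # DPAPI protects the secret; the ACL keeps the blob from being copied around.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Start-ScriptAsStoredUser {
    param([string]$Path, [string]$Script)
    # Import-Clixml succeeds only for the same user and machine that exported the file;
    # a copy taken elsewhere, or read by another account, cannot be decrypted.
    $cred = Import-Clixml -Path $Path
    $argList = @('-NoProfile', '-File', $Script)
    $p = Start-Process -FilePath 'powershell.exe' -Credential $cred -ArgumentList $argList `
                       -WorkingDirectory (Split-Path $Script) -PassThru -Wait
    return $p.ExitCode
}

if (-not (Test-Path $CredPath)) { Save-RunAsCredential -Path $CredPath }
$exit = Start-ScriptAsStoredUser -Path $CredPath -Script $ScriptPath
Write-Host "Job exited with code $exit"
```

The DPAPI binding is the important caveat for a WQL-triggered launcher: whatever account the trigger runs under must be the account that ran Save-RunAsCredential, otherwise Import-Clixml fails. That same binding is what stops an attacker who copies the XML from reusing it.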

Check if credentials are cached for tf.exe

How would I check if my credentials are already cached for a specific server using tf.exe? I am trying to do slight automation for tfs get and workspace/workfold configuration. The assumption is that most machines already have the credentials cached, but I want to be able to double check beforehand, and throw an error in powershell if they are not.
Thank you,
Derongan
Try using vaultcmd.exe, e.g.:
vaultcmd /listcreds:"Windows Credentials" /all
You could run that through a Where-Object command looking for a string that matches the TFS server name.
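An added example, not part of this answer, wrapping the vaultcmd check into a function a TFS setup script can call: it returns $true when a Windows Credentials entry names the TFS server and lets the caller throw otherwise. That vaultcmd prints a "Resource:" line per credential is my assumption about its text output; the server name is a placeholder.

```powershell
# Added example, not from the original answer. The 'Resource:' line format is an
# assumption about vaultcmd's output; the TFS host name is a placeholder.
function Test-CachedTfsCredential {
    param(
        [Parameter(Mandatory)][string]$ServerHost   # e.g. 'tfs.contoso.com'
    )
    $vaultcmd = Join-Path $env:SystemRoot 'System32\vaultcmd.exe'
    if (-not (Test-Path $vaultcmd)) { throw "vaultcmd.exe not found at $vaultcmd" }

    # One text block per stored credential; /all includes the resource and identity.
    $lines = & $vaultcmd /listcreds:"Windows Credentials" /all 2>&1
    if ($LASTEXITCODE -ne 0) { throw "vaultcmd failed: $($lines -join ' ')" }

    # Only match inside 'Resource:' lines so a user name that happens to contain the
    # host string on an 'Identity:' line is not counted as a hit. -match is already
    # case-insensitive; Escape() keeps dots in the host name literal.
    $pattern = [regex]::Escape($ServerHost)
    $hit = $lines | Where-Object { "$_" -match '^\s*Resource:' -and "$_" -match $pattern }
    return [bool]$hit
}

$tfsHost = 'tfs.contoso.com'   # placeholder
if (-not (Test-CachedTfsCredential -ServerHost $tfsHost)) {
    throw "No cached Windows Credential for $tfsHost; store one (for example with cmdkey) before running tf.exe unattended."
}
```

A miss here is conclusive only for credentials that live in Credential Manager (Windows authentication or entries added with cmdkey); tf.exe builds that sign in with a Microsoft or Azure AD account keep their tokens in a separate cache.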

new to windows azure powershell and can not connect to my azure app

I am getting the error below when I use PowerShell cmdlets to connect to my Azure app:
Get-HostedService : Could not establish secure channel for SSL/TLS with authority 'management.core.windows.net'.
Here are the links I followed:
http://msdn.microsoft.com/en-us/gg271300
http://wappowershell.codeplex.com/documentation
Based on my experience there could be two problems:
1) The certificate you are using is not able to create a secure SSL tunnel between your computer and the Windows Azure Management Portal, and you get this error.
2) I have seen OS-specific problems related to SSPI and SCHANNEL in which the SSL tunnel could not be created.
I also think the first link you have has old info and does not help in most cases. Let's try to solve the first problem, which is very easy. I am writing the steps below assuming you have the PowerShell cmdlets installed on your machine:
First download the publishsettings file from your Windows Azure portal as described here.
Now open your Windows Powershell for Windows Azure CmdLets (In Admin Mode)
After that enter these Powershell Commands directly:
PS > Import-Subscription <include your _filename_.publishsettings here>
PS > Select-Subscription <Enter the _name_ of your subscription, which will be listed after you run the above command (Note - **SubscriptionName** is needed here)>
PS > Get-HostedService <This should list all of services in your subscription>
Now you can manage the subscription from Powershell Cmdlets.
If you still have problems please let me know and I will provide info on 2).
Can you please file a bug for this here: http://github.com/WindowsAzure/azure-sdk-tools
The error message back from PowerShell should be friendlier in this case.
Also, you can now use Add-AzureAccount to obtain credentials rather than having to download and import a publishsettings file
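An added example, not from either thread, that serves both the first question (certificate authentication with several subscriptions via Import-AzurePublishSettingsFile) and the steps just above: it imports the file with the newer Azure (ASM) module cmdlet names, makes the wanted subscription current and default, verifies a management call, and then deletes the .publishsettings file, because that XML embeds the management certificate's private key as a base64 PFX. The subscription name is a placeholder, the path is the one from the first question, and the Select-AzureSubscription -Current/-Default switches are used as documented for the Azure module.

```powershell
# Added example, not from the original threads. Subscription name is a placeholder.
param(
    [string]$PublishSettings  = 'D:\Dev\Powershell\azure.publishsettings',  # path from the question
    [string]$SubscriptionName = 'Pay-As-You-Go'                              # placeholder
)

function Import-ManagementCertificateSubscription {
    param([string]$File, [string]$Name)
    if (-not (Test-Path $File)) { throw "Publish settings file not found: $File" }

    # Installs the embedded management certificate into Cert:\CurrentUser\My and
    # registers every subscription listed in the file with the local Azure profile.
    Import-AzurePublishSettingsFile -PublishSettingsFile $File

    $subs = @(Get-AzureSubscription)
    if (-not ($subs | Where-Object { $_.SubscriptionName -eq $Name })) {
        throw ("Subscription '$Name' not in file. Available: " + ($subs.SubscriptionName -join ', '))
    }

    # With several subscriptions the cmdlets act on the *current* one; make sure that
    # is the subscription whose certificate was just imported, not some other one
    # whose Add-AzureAccount token has expired.
    Select-AzureSubscription -SubscriptionName $Name -Current
    Select-AzureSubscription -SubscriptionName $Name -Default

    # Prove the certificate path works before the rest of the script relies on it.
    try {
        $storage = @(Get-AzureStorageAccount -ErrorAction Stop)
        Write-Host ("Certificate auth OK for '{0}': {1} storage account(s)" -f $Name, $storage.Count)
    } catch {
        # Matches the first answer above: some operations still want an AD login.
        throw "Management call failed ($($_.Exception.Message)); run Add-AzureAccount as well and retry."
    }
}

function Remove-PublishSettingsFile {
    param([string]$File)
    # The file holds the private key in plaintext XML. Overwriting before delete is not
    # a guarantee on SSDs, but the real control is simply not leaving the file around.
    $len = (Get-Item $File).Length
    [IO.File]::WriteAllBytes($File, (New-Object byte[] $len))
    Remove-Item -Path $File -Force
}

Import-ManagementCertificateSubscription -File $PublishSettings -Name $SubscriptionName
Remove-PublishSettingsFile -File $PublishSettings
```

After the import the certificate lives in the user's personal store, so anyone who can run code as that Windows user can manage the subscription; treat the account running this script with the same care as the file it just deleted.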