Introduce the Problem
I like to manage Windows Azure Websites through PowerShell. For instance, I like to run Get-Website to view a list of all my websites. Before I do that, I need to authenticate with Windows Azure.
Research
One way to do this is via Add-AzureAccount, which prompts me to sign in with my Azure username and password, afterwhich I can run Get-AzureWebsite to view the list. At this point, I have no Management Certificates, and it doesn't seem to matter. I can run Remove-AzureAccount some#account.com to sign out.
Another way to do this is via a Management Certificate. I run Get-AzurePublishSettingsFile followed by Import-AzurePublishSettingsFile. Then I can run Get-AzureWebsite to view my list.
This seems like two ways to do the same thing.
Question
Other than allowing me to save a Management Certificate for convenience, what is the difference, if any, between the two methods?
Import-AzurePublishSettingsFile is not interactive, so I can use a batch process.
Add-AzureAccount is interactive. Since I do not require the certificate, I use Add-AzureAccount because it is easier.
Related
I am trying to add a channel to a team via a non-interactive PowerShell script. I have Connect-MgGraph working and I'm able to query our AD (application registered, cert working, permissions set, etc.). I think I need to use Connect-MicrosoftTeams possibly passing my application credential, but I can't find a way to get the applications access token to pass. I followed the directions for the -AccessTokens parameter in the documentation to configure the "AAD application". (https://learn.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps)
Am I going about this the wrong way? Any help would be appreciated.
Thanks- Paul.
We have a PowerShell script to pull Power BI activity data (using Get-PowerBIActivityEvent), and I have been trying to automate it so that it can pull this data daily using an unattended account. The problem is the script must necessarily use the Connect-PowerBIServiceAccount cmdlet, which requires a credential. I don't want to have the passwords hard-coded anywhere (obviously) and ideally don't want to be passing it into the script as a plaintext parameter in case of memory leaks.
I've tried using SSIS as a scheduling mechanism since it allows for encrypted parameters in script tasks, but can't call the PS script with a SecureString parameter since the System.Management.Automation namespace isn't in the GAC (a commandline call wouldn't be possible).
I don't believe task scheduler would offer the functionality needed.
Does anyone know of any elegant ways to connect to the power BI service using encrypted credentials?
In the docs of Connect-PowerBIServiceAccount there are 2 options for unattended sign-in:
Using -Credential, where you pass AAD client ID as username and application secret key as password
Using -CertificateThumbprint and -ApplicationId
For both options you need to configure service pricipal and add proper permissions. I'm not going into details how to configure that, but most probably you'd need (at least) the following application permissions:
I'm not really sure what functionalities you need in the script, but in my experience, majority of the cases can be covered by scheduled task, so the explanation below will apply to that solution.
How you can secure the credentials?
There are variuos possible solutions, depending on your preferences. I'd consider certificate-based authentication as more secure (certificate is available only to current user/all users of the machine).
What's important in certificate-based authentication - make sure that the certificate is available for the account running the script (in many cases it's service account, not your user account).
How can I secure more?
If you want, you can store application ID as secure string (I don't have SSIS to test, so I'm not sure if there's any workaround to make it working in there) or use Export-CliXml. They use Windows Data Protection API (DPAPI), so the file can be decrypted only by the account which was used to encrypt.
To add one more level of security (I'm not even mentioning setting correct access rights to the files as it's obvious) you might put the file in the folder encrypted (you might already have a solution for disk encryption, so use it if you wish).
There are probably some solutions to secure the keys even better, but these ones should do the job. I'm using other Microsoft 365 modules with similar approach (Outlook, SharePoint PnP) and it works quite well.
NOTE: If you need to use user account, instead of service principal, make sure that you have MultiFactor Authentication disabled on that account for that specific application.
The relevant documentation to this (https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal) states that admin APIs (i.e. those served via Get-PowerBiActivityEvent) do not currently support service principals. This means it's not currently possible to use a registered app to run these cmdlets unattended.
There is a feature request open to provide this at the moment: https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/39641572-need-service-principle-support-for-admin-api
I'm trying to revoke a VPN certificate using Microsoft's byzantine Azure Powershell commands, as described here: https://blogs.technet.microsoft.com/keithmayer/2014/12/09/step-by-step-revoking-and-reinstating-client-vpn-certificates-for-azure-point-to-site-vpns/. (Don't get me started on why you should need to write a 20-line script that makes a manually-constructed REST API call to do basic user management - that's a separate issue for now.)
One of the key bits is getting the appropriate management certificate. You're supposed to use this command:
$cert = (Get-AzureSubscription -SubscriptionName BizSpark -ExtendedDetails).Certificate
One some machines this works. But on my main client machine, the one that I need to run it on, the Certificate property is always blank. I've tried re-importing my .publishsettings file, upgrading the Azure Powershell commandlets, deleting the C:\Users\user\AppData\Roaming\Windows Azure Powershell directory, and so forth, to no avail.
Any suggestions?
To authenticate to Azure and use the Azure Resource Manager cmdlets, I currently use the methods outlined here, namely using an Azure Active Directory account, encrypting the password, storing the encrypted string in a text file, and reading that into a credential object when using it in the script.
But I get the sense that maybe I should be using management certificates instead.
There is a documented method to use a publish settings file, but apparently that doesn't work for AzureRm cmdlets, only older cmdlets.
I have seen examples for using Powershell to create an application_id and service principal, and for authenticating a C# app, for instance, but I can't seem to find anything showing how to use management certificates for authentication in a powershell script, to use AzureRm cmdlets.
Maybe the secure string password storage method is the right one. But I don't have a good sense for that.
What do you use?
The best way to do it? It depends what is important to you. Ease of use, security, scripting?
Microsoft Azure Tooling (Visual Studio, Azure Powershell and CLI) lately moved to a more fine-granular, role-based access control approach based on Azure AD. This is currently a pretty good way to do it, since Management certificates allow owners to manage at subscription level and have proven to be rather difficult in environments like Azure Automation.
Refs
https://azure.microsoft.com/de-de/blog/azure-automation-authenticating-to-azure-using-azure-active-directory/
https://azure.microsoft.com/en-us/documentation/articles/cloud-services-certs-create/#what-are-management-certificates
http://blogs.msdn.com/b/cloud_solution_architect/archive/2015/03/17/rbac-and-the-azure-resource-manager.aspx
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
https://azure.microsoft.com/en-us/documentation/articles/resource-group-rbac/#concepts
You should have a look to Service Principal
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
I need to take regular backups of a suite of VM’s in an Azure environment. I thought the obvious solution to this would be to use PowerShell to automate the process so have written a script to do just that. I want this to run on a schedule, unattended with no manual intervention. However, the problem I have is that every few days I get the error:
Your Windows Azure credential in the Windows PowerShell session has expired. Please use Add-AzureAccount to login again.
Which means I have to re-run Add-AzureAccount and sign back in through the associated popup and everything works again. Obviously this is no good and negates the benefit of doing this automation.
Is there any way I can prevent these credentials from expiring?
Thanks
Yes, by using certificate authentication instead. One of the drawbacks of using Add-AzureAccount is that the credentials expire from time to time. You could just run Add-AzureAccount again but certificate authentication would be best for you in this scenario.
Firstly, remove the current accounts you have registered in PowerShell using the Remove-AzureAccount cmdlet. Something like:
Remove-AzureAccount -Name name#account.onmicrosoft.com
This doesn't remove your account from Azure, just the reference you hold to it in your PowerShell console (from when you used Add-AzureAccount). Then you run
Get-AzurePublishSettingsFile
this will open a browser window, ask you to authenticate to your account and you'll download a file ending in .publishsettings
Then, in Azure PowerShell you run
Import-AzurePublishSettingsFile -PublishSettingsFile <path_to_file>
which will import the certificates from the publishsettings file, allowing you to execute your scripts without using Add-AzureAccount.
You may also need to use Set-AzureSubscription -SubscriptionName <name_of_subscription> if you happen to have more than one subscription.
Additionally, the following MSDN blog describes the process just as I have above. http://blogs.technet.com/b/ricardma/archive/2014/07/04/managing-azure-subscriptions-in-powershell.aspx