How to add an SSL certificate to an azure website using powershell? - powershell

I am working on automatic deployment + azure. I'm at the point where i'm adding an ssl cert to the website. Does anyone know how to use PowerShell to upload an SSL certificate to a website using the PowerShell command (Add - Get - Set based commands)? I'm able to add a certificate to a cloud service using ...
New-AzureService $Program -Location 'East US'
Add-AzureCertificate -Password Cert123! -ServiceName $Program -CertToDeploy $CertLocation
but I have no idea how to add it to an azure website.
Thanks
edit: I've found a way using the following command, but i'm not wanting to install additional libraries on my production deployment machine.
azure site cert add -k Cert123! $CertLocation $Program

Using the newly released Azure PowerShell v. 1.1.0, you can use the following command to upload a certificate to your website
New-AzureRmWebAppSSLBinding -ResourceGroupName myresourcegroup -WebAppName mytestapp -CertificateFilePath PathToPfxFile -CertificatePassword PlainTextPwd -Name www.contoso.com
More information is in the following article
https://azure.microsoft.com/en-us/documentation/articles/app-service-web-app-powerhell-ssl-binding/

As far as I know the Azure PowerShell cmdlets do not offer this capability at the moment that I could find. As you point out the Cross Platform Command Line tool does. Since you don't want to add the XPlat-CLI tool to your deployment machines you can use what the XPlat-CLI tool does under the hood: a direct call against the REST api for web site management.
Note you'll need to figure out what webspace the site resides in, etc. You can use the Invoke-WebRequest to make this call so that you can verify you get that 200 response back. Or you could use the Invoke-RESTMethod as well, but that would only return an XML document (the contents of the response). The Invoke-WebRequest provides you a little more control and access to the full response object.
The Microsoft Azure Management Libraries (which the PowerShell cmdlets sit on top of) has a Web Site Management piece to it. One of the operations is an update to a site and that includes a WebSiteUpdateParameters object with a SSLCertificates property. You may check into that as well, though I've not done this myself.

Related

How to log into AWS CLI with a federated SAML (AzureAD) login

I'm connecting to AWS using a SAML login with AzureAD as my IdP. This is all working great and I can use SAML response in the browser to generate a temporary session token that gives me an hour to work in AWS CLI. However, according to this blog, I should be able to use AWS Tools for Windows PowerShell to capture the SAML Response but all I ever get is an error Unable to set credentials: Root element is missing. All my googling is leading to possible transient issues with certificates being near expiration or using older versions of the Powershell Module (I'm using the latest as of this writing: v4.1.13.0) or Powershell itself (I'm using 7.1.3).
Anybody successfully got the AWS Tools for Windows PowerShell to work with AzureAD as an IdP?
I found this somewhat more recent post, which has a ton more information about this kind of setup, some detail about how to configure it, and a note about why it may not be working (as of Jan2020)
Try using the AWSPowerShell command Use-STSRoleWithSAML(AWS docs) to generate some temporary credentials. The doc page goes into a lot of detail on what is required too for your Idp and in IAM, including links to relevant IAM guides. For example:
# Returns a set of temporary security credentials
Use-STSRoleWithSAML `
-RoleArn 'arn:aws:iam::ACCOUNTNUMBER:role/IAMROLE' `
-PrincipalArn 'arn:aws:iam::ACCOUNTNUMBER:saml-provider/SAMLPROVIDER' `
-SAMLAssertion 'BASE64ENCODEDRESPONSE' `
-DurationInSeconds 3600

Connecting to Exchange Online with PowerShell and Modern Authentication (without any dependencies)

I want to connect to Exchange Online using PowerShell and modern authentication without depending on any modules or dll's.
There's a module available for modern authentication to Exchange Online that depends on the CreateEXOPSSession.ps1 and Microsoft.Exchange.Management.ExoPowerShellModule.dll, I have decompiled the latter and found that it generates an access token as such:
TokenInformation accessToken = TokenProviderFactory.Instance.CreateTokenProvider(new TokenProviderContext(authType, "a0c73c16-a7e3-4564-9a95-2bdf47383716", this.AzureADAuthorizationEndpointUri, acquireTokenEndpoint, this.UserPrincipalName, this.Credential, clientAppRedirectUri, (Action<string>) (s => this.WriteWarning(s)))).GetAccessToken();
I want to request the access token is the same way in PowerShell but I can't seem to get the right authentication context and method of retrieving the access token.
Any ideas?
You have to have an MSOL connection and create a remote session to EXO to use EXO cmdlets. There is no workaround for this.
The dependencies are there for a reason. The backend plumbing of MSOL / Azure / O365 expects what it expects, and skirting it will just lead you down a very frustrating/hair-pulling activity.
That token is an Azure AD as MA/ADAL requires that you have an Azure AD Premium license.
MA requires use of the ADAL API/DLL. This is like asking to programmatically connect to and use Exchange on-prem EAS/EWS services without using the API/DLL, that's not a thing either.
So, no matter how you look at this, there will be dependencies, as noted below. So, if you are serious about this effort, you need to really dig into what MA really is and how it's plumbing really works. Also, MFA must be already enabled for you and users, either in O365 and or the ADAL MFA settings in Azure.
Modern Authentication – What is it?
Modern Authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms.
Microsoft identity platform authentication libraries
There is also an ADAL module on the MS PowerShellGallery.com.
Microsoft.ADAL.PowerShell 1.12
ADAL module for PowerShell
https://www.powershellgallery.com/packages/Microsoft.ADAL.PowerShell/1.12
Functions
Get-ADALAccessToken Clear-ADALAccessTokenCache
Examples are here:
Microsoft.ADAL.Powershell ```
####Example 1 This example acquire accesstoken by using RedirectUri from contoso.onmicrosoft.com Azure Active Directory for PowerBI
service. It will only prompt you to sign in for the first time, or
when cache is expired.
Get-ADALAccessToken -AuthorityName contoso.onmicrosoft.com `
-ClientId 8f710b23-d3ea-4dd3-8a0e-c5958a6bc16d `
-ResourceId https://analysis.windows.net/powerbi/api `
-RedirectUri "http://yourredirecturi.local"
See also:
Azure-AD-Authentication-with-PowerShell-and-ADAL
This is a set of really simple PowerShell scripts which allow you to get access tokens with Azure Active Directory using ADAL.
and this...
ADAL and PowerShell

Get-AzureSubscription -ExtendedDetails in PowerShell doesn't include certificate

I'm trying to revoke a VPN certificate using Microsoft's byzantine Azure Powershell commands, as described here: https://blogs.technet.microsoft.com/keithmayer/2014/12/09/step-by-step-revoking-and-reinstating-client-vpn-certificates-for-azure-point-to-site-vpns/. (Don't get me started on why you should need to write a 20-line script that makes a manually-constructed REST API call to do basic user management - that's a separate issue for now.)
One of the key bits is getting the appropriate management certificate. You're supposed to use this command:
$cert = (Get-AzureSubscription -SubscriptionName BizSpark -ExtendedDetails).Certificate
One some machines this works. But on my main client machine, the one that I need to run it on, the Certificate property is always blank. I've tried re-importing my .publishsettings file, upgrading the Azure Powershell commandlets, deleting the C:\Users\user\AppData\Roaming\Windows Azure Powershell directory, and so forth, to no avail.
Any suggestions?

Import-AzurePublishSettingsFile vs Add-AzureAccount

Introduce the Problem
I like to manage Windows Azure Websites through PowerShell. For instance, I like to run Get-Website to view a list of all my websites. Before I do that, I need to authenticate with Windows Azure.
Research
One way to do this is via Add-AzureAccount, which prompts me to sign in with my Azure username and password, afterwhich I can run Get-AzureWebsite to view the list. At this point, I have no Management Certificates, and it doesn't seem to matter. I can run Remove-AzureAccount some#account.com to sign out.
Another way to do this is via a Management Certificate. I run Get-AzurePublishSettingsFile followed by Import-AzurePublishSettingsFile. Then I can run Get-AzureWebsite to view my list.
This seems like two ways to do the same thing.
Question
Other than allowing me to save a Management Certificate for convenience, what is the difference, if any, between the two methods?
Import-AzurePublishSettingsFile is not interactive, so I can use a batch process.
Add-AzureAccount is interactive. Since I do not require the certificate, I use Add-AzureAccount because it is easier.

How to use PowerShell to get information about a Staging Windows Azure WebSite slot?

I'm using the PowerShell CmdLets to automate most tasks against Windows Azure Cloud Services and Windows Azure Web Sites.
For Cloud Services, I can use the Get-AzureDeployment CmdLet. However, the similar Get-AzureWebSiteDeployment CmdLet requires Git to be installed before it can run and does not seem to be designed for the same task.
As far as I can see, the Get-AzureWebSite CmdLet only ever retrieves the "Production" slot of a Windows Azure Web Site.
How is it possible to get programmatic access to the corresponding "Staging" slot ?
We are working on some PowerShell cmdlets to support website slots. We are very close to releasing it. Keep an eye on this repo on github. https://github.com/WindowsAzure/azure-sdk-tools
Current date update (Jul 19 2015):
According to Azure Docs Web Sites Staging Slots there are new CMDLets that support querying Slots:
Show-AzureWebsite -Name webappslotstest -Slot staging
And some others cmdlets extended with -Slot attribute (Create New Website, Remove, Switch Slots).