In the last post, we took a look at the Connect-AzAccount command, saved its output in a variable using the OutVariable parameter, and explored it. I think we should go through a few of the other commands in the Az.Accounts module and see why we didn't need to dig in the way we did. As I said previously, it was a good exercise, but it's almost like the cmdlet developers wanted to provide us with an easier way to gather Azure account-related information. We'll know more soon enough. First things first, let's pull back only the Get commands from the Az.Accounts PowerShell module. Again, we're going to use some formatting commands, but only because we want to view our results on the screen.
Get-Command -Module Az.Accounts -Verb Get | Format-Table -AutoSize

CommandType Name                         Version Source
----------- ----                         ------- ------
Alias       Get-AzDomain                 2.8.0   Az.Accounts
Cmdlet      Get-AzAccessToken            2.8.0   Az.Accounts
Cmdlet      Get-AzConfig                 2.8.0   Az.Accounts
Cmdlet      Get-AzContext                2.8.0   Az.Accounts
Cmdlet      Get-AzContextAutosaveSetting 2.8.0   Az.Accounts
Cmdlet      Get-AzDefault                2.8.0   Az.Accounts
Cmdlet      Get-AzEnvironment            2.8.0   Az.Accounts
Cmdlet      Get-AzSubscription           2.8.0   Az.Accounts
Cmdlet      Get-AzTenant                 2.8.0   Az.Accounts
If you read the last post, then commands such as Get-AzEnvironment and Get-AzContext might seem to make sense here. The nouns in these commands were the two base properties in our $AzOutput variable. Let's see what they return and compare it to what we saw in the output variable in the Accounts – Azure with PowerShell II post.
Get-AzEnvironment

Name              Resource Manager Url                  ActiveDirectory Authority          Type
----              --------------------                  -------------------------          ----
AzureGermanCloud  https://management.microsoftazure.de/ https://login.microsoftonline.de/  Built-in
AzureCloud        https://management.azure.com/         https://login.microsoftonline.com/ Built-in
AzureUSGovernment https://management.usgovcloudapi.net/ https://login.microsoftonline.us/  Built-in
AzureChinaCloud   https://management.chinacloudapi.cn/  https://login.chinacloudapi.cn/    Built-in
versus
$AzOutput.Environments
Key               Value
---               -----
AzureGermanCloud  AzureGermanCloud
AzureCloud        AzureCloud
AzureUSGovernment AzureUSGovernment
AzureChinaCloud   AzureChinaCloud
It's clear that by default the Get-AzEnvironment cmdlet returns the information we saw previously. However, by default, it includes some additional information. While I didn't show the output in the previous post, I did include $AzOutput.Environments.Values. This would give the same results as above, but let's use what they've provided us. The same goes for using Get-AzContext even though it produces the same exact information as $AzOutput.Context. Whoa, whoa. It doesn't; we lost the Name property using our output variable. The cmdlets that we should use create full objects; again, let's stick with those.
Get-AzContext | Format-List

Name               : Free Trial (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - tommymaynard@xxxxxx
Account            : tommymaynard@xx.xxx
Environment        : AzureCloud
Subscription       : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tenant             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TokenCache         :
VersionProfile     :
ExtendedProperties : {}
$AzOutput.Context | Format-List

Name               :
Account            : tommymaynardxxxxxx
Environment        : AzureCloud
Subscription       : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tenant             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TokenCache         :
VersionProfile     :
ExtendedProperties : {}
There was more to the Get started with Azure PowerShell document that I overlooked. Let's head back there. If you're new to PowerShell, then it's a must that you learn how to find commands using Get-Command and even Get-Module. Also, use Get-Help to find information about a specific command. These are some of the early-on basics to learn when you're new to PowerShell. No one knows what every command does; they just know how to find out. A portion of this page covered this topic, too.
One final thing I found in the Sign in to Azure section of the page was the UseDeviceAuthentication parameter. Using this, we don't have to supply a username and corresponding password; instead, the parameter generates a device code in PowerShell to use at a specific URL, which is all included in the image below.
Reading that led me to the Sign in with Azure PowerShell page. I should've known there are plenty of other ways to authenticate to Azure, besides the two interactive methods we've discussed so far. One is signing in with a service principal using password-based authentication and the other is certificate-based authentication. There's also signing in using a managed identity. The rest you can explore at your leisure, but we should work through signing in with a service principal using password-based authentication. Why not!?
In the password-based authentication link above, the first thing to notice is the need to invoke the New-AzADServicePrincipal command. Before we invoke a command that can potentially make changes, as a New- command likely would, we want, no we need, to learn more. First, in what module is the command included?
Get-Command -Name New-AzADServicePrincipal | Format-Table -AutoSize

CommandType Name                     Version Source
----------- ----                     ------- ------
Function    New-AzADServicePrincipal 6.0.0   Az.Resources
What's the purpose of the Azure PowerShell Az.Resources module?
Get-Module -Name Az.Resources | Select-Object -Property Name,Description | Format-List

Name        : Az.Resources
Description : Microsoft Azure PowerShell - Azure Resource Manager and Active Directory cmdlets in Windows PowerShell and PowerShell Core. Manages subscriptions, tenants, resource groups, deployment templates, providers, and resource permissions in Azure Resource Manager. Provides cmdlets for managing resources generically across resource providers.
              For more information on Resource Manager, please visit the following: https://docs.microsoft.com/azure/azure-resource-manager/
              For more information on Active Directory, please visit the following: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis
What does the New-AzADServicePrincipal command do?
Get-Help -Name New-AzADServicePrincipal | Select-Object -Property Name,Synopsis

Name                     Synopsis
----                     --------
New-AzADServicePrincipal Adds new entity to servicePrincipals
Is there a Get- version of the command (Get-AzADServicePrincipal)?
Get-Command -Name Get-AzADServicePrincipal | Format-Table -AutoSize

CommandType Name                     Version Source
----------- ----                     ------- ------
Function    Get-AzADServicePrincipal 6.0.0   Az.Resources
And if so, what output does it produce?
Get-AzADServicePrincipal | Select-Object -Property AppDisplayName

AppDisplayName
--------------
Office 365 Configure
Azure SQL Managed Instance to Microsoft.Network
Microsoft Graph
Microsoft Modern Contact Master
Azure Resource Graph
Billing RP
Jarvis Transaction Service
AIGraphClient
Microsoft_Azure_Support
Windows Azure Security Resource Provider
Azure SQL Database Backup To Azure Backup Vault
Azure Data Warehouse Polybase
Microsoft.Azure.ActiveDirectoryIUX
Microsoft Azure App Service
Policy Administration Service
Azure Portal
Azure SQL Virtual Network to Network Resource Provider
Azure Classic Portal
Azure Monitor System
Microsoft.SupportTicketSubmission
Azure ESTS Service
Windows Azure Active Directory
Azure Traffic Manager and DNS
Microsoft.Azure.GraphExplorer
Microsoft App Access Panel
Microsoft Azure Signup Portal
Signup
Microsoft.SMIT
Windows Azure Service Management API
Okay, we should feel as if we know a little bit more about our next move. First, however, take a look at the Azure Portal view of this output. The instructions can be found in the View the service principal subtopic. Sure enough, it looks almost exactly like the above output when we don't use | Select-Object -Property AppDisplayName, and display the GUIDs.
First, we need to obtain and store our Tenant ID.
$TenantId = (Get-AzContext).Tenant.Id
$TenantId
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Then we'll use the New-AzADServicePrincipal command, among a few other commands, to create a new service principal and get connected to Azure using it.
$ServicePrincipal = New-AzADServicePrincipal -DisplayName SPName
$ServicePrincipal

DisplayName Id                                   AppId
----------- --                                   -----
SPName      xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
After this step, we can go back into the Azure Portal and find a new entry. The command worked!
The $ServicePrincipal variable includes more information than its output displays by default. We should be getting used to that by now. It includes a PasswordCredentials property that includes several other nested properties.
$ServicePrincipal.PasswordCredentials
CustomKeyIdentifier DisplayName EndDateTime          Hint KeyId                                SecretText        StartDateTime
------------------- ----------- -----------          ---- -----                                ----------        -------------
                                5/30/2023 1:08:45 AM Qcw  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Qcw8Q......oRLla5 5/30/2022 1:08:45 AM
One of those nested properties is SecretText. That's our password, and we're going to use it to create a credential object: the combination of a user and its password.
$ServicePrincipal.PasswordCredentials.SecretText
Qcw8Q......oRLla5
As we'll see, the username is the AppId's GUID. When we supply both it and the password, as is done in the PowerShell below, we'll have our complete PSCredential object.
$PSCredential = Get-Credential -UserName $ServicePrincipal.AppId
PowerShell credential request
Enter your credentials.
Password for user xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: ****************************************
Using the PSCredential object, we can 100% authenticate to Azure using PowerShell in another way. We haven't researched it or discussed it yet, although we should have, but the purpose for why we'd use a service principal should be included. The first paragraph on the Create an Azure service principal with Azure PowerShell page explains it well. Read that. Back with more Azure PowerShell in time!
Connect-AzAccount -ServicePrincipal -Credential $PSCredential -Tenant $TenantId

WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( C:\Users\tommymaynard\.Azure ). Please ensure that this directory has appropriate protections.

Account                              SubscriptionName TenantId                             Environment
-------                              ---------------- --------                             -----------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx AzureCloud
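
The same password-based service principal sign-in without the Get-Credential prompt, as an added example that is not from the original post: it builds the PSCredential straight from SecretText and turns off context autosave for the current process, which is the setting behind the AzureRmContext.json warning above. The variable names $SecureSecret, $Expiry and $ContextFile are assumptions, and the final ACL check assumes Windows.

```powershell
# Added example, not the original author's code.
# Assumes an existing interactive sign-in (Connect-AzAccount) with rights
# to create service principals, as in the steps above.

# Keep contexts (and the service principal secret they carry) in memory for
# this PowerShell process only, rather than autosaving them to the profile.
Disable-AzContextAutosave -Scope Process | Out-Null

$TenantId = (Get-AzContext).Tenant.Id
$ServicePrincipal = New-AzADServicePrincipal -DisplayName SPName

# Build the PSCredential directly from the generated secret: no prompt,
# no copy and paste, and the plain text is never written to the console.
$SecureSecret = ConvertTo-SecureString -String $ServicePrincipal.PasswordCredentials.SecretText -AsPlainText -Force
$PSCredential = [pscredential]::new($ServicePrincipal.AppId, $SecureSecret)

# Note when the secret expires so rotation can be planned.
$Expiry = $ServicePrincipal.PasswordCredentials.EndDateTime
Write-Host "Secret for $($ServicePrincipal.AppId) expires $Expiry"

Connect-AzAccount -ServicePrincipal -Credential $PSCredential -Tenant $TenantId | Out-Null

# Drop the variables that still hold the secret; $PSCredential keeps it
# only as a SecureString.
Remove-Variable -Name ServicePrincipal, SecureSecret

# A context file may already exist from earlier sessions. Review who can
# read it (Get-Acl is Windows-only).
$ContextFile = Join-Path -Path $HOME -ChildPath '.Azure\AzureRmContext.json'
if (Test-Path -Path $ContextFile) {
    (Get-Acl -Path $ContextFile).Access |
        Select-Object -Property IdentityReference, FileSystemRights, AccessControlType
}
```

SecretText is only returned when the service principal is created, so store it in a secrets vault at that point if it will be needed again.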