Thursday, April 25, 2024

Accounts Continued – Azure with PowerShell III



In the last post, we took a look at the Connect-AzAccount command, saved its output in a variable using the OutVariable parameter and explored it. I think we should go through a few of the other commands in the Az.Accounts module and see why we didn’t need to dig in the way we did. As I said previously, it was a good exercise, but it’s almost like the cmdlet developers wanted to provide us with an easier way to gather Azure account-related information. We’ll know more soon enough. First things first, let’s pull back only the Get commands from the Az.Accounts PowerShell module. Again, we’re going to use some formatting commands, but only because we want to view our results on the screen.


Get-Command -Module Az.Accounts -Verb Get | Format-Table -AutoSize

CommandType Name                         Version Source
----------- ----                         ------- ------
Alias       Get-AzDomain                 2.8.0   Az.Accounts
Cmdlet      Get-AzAccessToken            2.8.0   Az.Accounts
Cmdlet      Get-AzConfig                 2.8.0   Az.Accounts
Cmdlet      Get-AzContext                2.8.0   Az.Accounts
Cmdlet      Get-AzContextAutosaveSetting 2.8.0   Az.Accounts
Cmdlet      Get-AzDefault                2.8.0   Az.Accounts
Cmdlet      Get-AzEnvironment            2.8.0   Az.Accounts
Cmdlet      Get-AzSubscription           2.8.0   Az.Accounts
Cmdlet      Get-AzTenant                 2.8.0   Az.Accounts

If you read the last post, then commands such as Get-AzEnvironment and Get-AzContext might seem to make sense here. The nouns in those commands were the two base properties in our $AzOutput variable. Let’s see what they return and compare it to what we saw in the output variable in the Accounts – Azure with PowerShell II post.


Get-AzEnvironment

Name              Resource Manager Url                  ActiveDirectory Authority          Type
----              --------------------                  -------------------------          ----
AzureGermanCloud  https://management.microsoftazure.de/ https://login.microsoftonline.de/  Built-in
AzureCloud        https://management.azure.com/         https://login.microsoftonline.com/ Built-in
AzureUSGovernment https://management.usgovcloudapi.net/ https://login.microsoftonline.us/  Built-in
AzureChinaCloud   https://management.chinacloudapi.cn/  https://login.chinacloudapi.cn/    Built-in

versus


$AzOutput.Environments

Key               Value
---               -----
AzureGermanCloud  AzureGermanCloud
AzureCloud        AzureCloud
AzureUSGovernment AzureUSGovernment
AzureChinaCloud   AzureChinaCloud

It’s clear that by default the Get-AzEnvironment cmdlet returns the information we saw previously. However, by default, it includes some additional information. While I didn’t show the output in the previous post, I did include $AzOutput.Environments.Values. This will give the same results as above, but let’s use what they’ve provided us. The same goes for using Get-AzContext even though it produces the same exact information as $AzOutput.Context. Whoa, whoa. It doesn’t; we lost the Name property using our output variable. The cmdlets that we should use create complete objects; again, let’s stick with those.


Get-AzContext | Format-List

Name               : Free Trial (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) - xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - tommymaynard@xxxxxx
Account            : tommymaynard@xx.xxx
Environment        : AzureCloud
Subscription       : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tenant             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TokenCache         :
VersionProfile     :
ExtendedProperties : {}

$AzOutput.Context | Format-List

Name               :
Account            : tommymaynardxxxxxx
Environment        : AzureCloud
Subscription       : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tenant             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TokenCache         :
VersionProfile     :
ExtendedProperties : {}

There was more to the Get started with Azure PowerShell document that I overlooked. Let’s head back there. If you’re new to PowerShell then it’s a must that you learn to find commands using Get-Command and even Get-Module. Also, use Get-Help to find information about a specific command. These are some of the early-on basics to learn when you’re new to PowerShell. No one knows what every command does; they just know how to find out. A portion of this page covered this topic, too.

One final thing I found in the sign into Azure section of the page was the UseDeviceAuthentication parameter. Using this, we don’t have to supply a username and corresponding password; instead, using this parameter generated a device code in PowerShell to use at a specific URL, which is all included in the image below.

Reading that led me to the Sign in with Azure PowerShell page. I should’ve known, there are plenty of other ways to authenticate to Azure, besides using the two interactive methods we’ve discussed so far. One is signing in with a service principal using password-based authentication and the other is certificate-based authentication. There’s also signing in using a managed identity. The rest you can explore at your leisure, but we should work through using a service principal using password-based authentication—why not!?

In the password-based authentication link above, the first thing to notice is the need to invoke the New-AzADServicePrincipal command. Before we invoke a command that will potentially make changes, such as a New- command likely would, we want, no we need, to learn more. First, in what module is the command included?


Get-Command -Name New-AzADServicePrincipal | Format-Table -AutoSize

CommandType Name                     Version Source
----------- ----                     ------- ------
Function    New-AzADServicePrincipal 6.0.0   Az.Resources

What’s the purpose of the Azure PowerShell Az.Resources module?


Get-Module -Name Az.Resources | Select-Object -Property Name,Description | Format-List

Name        : Az.Resources
Description : Microsoft Azure PowerShell - Azure Resource Manager and Active Directory cmdlets in Windows PowerShell and PowerShell Core.  Manages subscriptions, tenants, resource groups, deployment templates, providers, and resource permissions in Azure Resource
              Manager.  Provides cmdlets for managing resources generically across resource providers.
              For more information on Resource Manager, please visit the following: https://docs.microsoft.com/azure/azure-resource-manager/
              For more information on Active Directory, please visit the following: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis

What does the New-AzADServicePrincipal command do?


Get-Help -Name New-AzADServicePrincipal | Select-Object -Property Name,Synopsis

Name                     Synopsis
----                     --------
New-AzADServicePrincipal Adds new entity to servicePrincipals

Is there a Get- version of the command (Get-AzADServicePrincipal)?


Get-Command -Name Get-AzADServicePrincipal | Format-Table -AutoSize

CommandType Name                     Version Source
----------- ----                     ------- ------
Function    Get-AzADServicePrincipal 6.0.0   Az.Resources

And if so, what output does it produce?


Get-AzADServicePrincipal | Select-Object -Property AppDisplayName

AppDisplayName
--------------
Office 365 Configure
Azure SQL Managed Instance to Microsoft.Network
Microsoft Graph
Microsoft Modern Contact Master
Azure Resource Graph
Billing RP
Jarvis Transaction Service
AIGraphClient
Microsoft_Azure_Support
Windows Azure Security Resource Provider
Azure SQL Database Backup To Azure Backup Vault
Azure Data Warehouse Polybase
Microsoft.Azure.ActiveDirectoryIUX
Microsoft Azure App Service
Policy Administration Service
Azure Portal
Azure SQL Virtual Network to Network Resource Provider
Azure Classic Portal
Azure Monitor System
Microsoft.SupportTicketSubmission
Azure ESTS Service
Windows Azure Active Directory
Azure Traffic Manager and DNS
Microsoft.Azure.GraphExplorer
Microsoft App Access Panel
Microsoft Azure Signup Portal
Signup
Microsoft.SMIT
Windows Azure Service Management API

Okay, we should feel as if we know a little bit more about our next move. First, however, take a look at the Azure Portal view of this output. The instructions can be found in the View the service principal subtopic. Sure enough, it looks almost exactly like the above output when we don’t use | Select-Object -Property AppDisplayName, and display the GUIDs.

First, we need to obtain and store our Tenant ID.


$TenantId = (Get-AzContext).Tenant.Id
$TenantId

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Then we’ll use the New-AzADServicePrincipal command, among a few other commands, to create a new Service Principal and get connected to Azure using it.


$ServicePrincipal = New-AzADServicePrincipal -DisplayName SPName
$ServicePrincipal

DisplayName Id                                   AppId
----------- --                                   -----
SPName      xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

After this step, we can return to the Azure Portal and find a new entry. The command worked!

The $ServicePrincipal variable includes more information than its output displays by default. We should be getting used to that by now. It includes a PasswordCredentials property that includes several other nested properties.


$ServicePrincipal.PasswordCredentials

CustomKeyIdentifier DisplayName EndDateTime          Hint KeyId                                SecretText                               StartDateTime
------------------- ----------- -----------          ---- -----                                ----------                               -------------
                                5/30/2023 1:08:45 AM Qcw  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Qcw8Q......oRLla5 5/30/2022 1:08:45 AM

One of those nested properties is SecretText. That’s our password and we’re going to use it to create a credential object—the combination of a user and its password.


$ServicePrincipal.PasswordCredentials.SecretText

Qcw8Q......oRLla5

As we’ll see, the username is the AppId’s GUID. When we supply both it and the password, as is done in the below PowerShell, we’ll have our complete PSCredential object.


$PSCredential = Get-Credential -UserName $ServicePrincipal.AppId

PowerShell credential request
Enter your credentials.
Password for user xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: ****************************************

Using the PSCredential object, we can 100% authenticate to Azure using PowerShell in another way. We haven’t researched it or discussed it yet—although we should have—but the purpose for why we’d use a service principal should be included. The first paragraph on the Create an Azure service principal with Azure PowerShell page explains it well. Read that. Back with more Azure PowerShell in time!


Connect-AzAccount -ServicePrincipal -Credential $PSCredential -Tenant $TenantId

WARNING: The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( C:\Users\tommymaynard\.Azure ). Please ensure that this directory has appropriate protections.

Account                              SubscriptionName TenantId                             Environment
-------                              ---------------- --------                             -----------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx                  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx AzureCloud
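
The sign-in above prints a warning that the service principal secret is saved to AzureRmContext.json in the user profile. The following is an added example, not code from the original post: it builds the same PSCredential without the interactive prompt and keeps the sign-in in memory for the current PowerShell process only. It assumes $ServicePrincipal and $TenantId are still set from the earlier steps and that the Az modules are installed.

```powershell
# Added example. Assumes $ServicePrincipal and $TenantId were set as shown
# earlier in this post, in the same PowerShell session.

# SecretText is only returned when the secret is created, so stop early if
# this session no longer holds it.
$Password = $ServicePrincipal.PasswordCredentials | Select-Object -First 1
if (-not $Password.SecretText) {
    throw 'No SecretText found; the secret is only returned when it is created.'
}

# Keep Azure contexts in memory for this process only, so the service
# principal sign-in below is not saved to the context file in the profile.
Disable-AzContextAutosave -Scope Process | Out-Null

# Build the PSCredential directly: user name = AppId, password = SecretText.
$SecureSecret = ConvertTo-SecureString -String $Password.SecretText -AsPlainText -Force
$PSCredential = [System.Management.Automation.PSCredential]::new(
    $ServicePrincipal.AppId, $SecureSecret)

# Report roughly how long the secret stays valid (EndDateTime in the
# PasswordCredentials output above), so rotation can be planned.
$DaysLeft = [int]($Password.EndDateTime - (Get-Date)).TotalDays
Write-Host "Secret with hint '$($Password.Hint)' expires in about $DaysLeft days."

# Same sign-in as in the post, using the credential built above.
Connect-AzAccount -ServicePrincipal -Credential $PSCredential -Tenant $TenantId

# Show the autosave mode and context file location now in effect.
Get-AzContextAutosaveSetting | Format-List
```

Sessions opened later go back to the user-level autosave setting, so the process-scope change has to be repeated in each script or session that signs in with a secret.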
