Azure Active Directory PowerShell v2

Maybe you’ve already heard about Microsoft Graph and the Graph API. Microsoft Graph is the way resources in the Microsoft cloud are connected to each other. The Graph API is an API you can use to access Microsoft Graph, and browse (or traverse) through all the resources.


You can use the Graph API when building your own applications, but Microsoft is moving all their apps, tools etc. to the Graph API as well.

Azure Active Directory PowerShell v2 is moving from the Azure AD APIs to the Graph API as well. This automatically implies that Azure AD PowerShell v2 comes with new cmdlets and new options. The result of these cmdlets should of course be similar (creating a new domain, group or user in Azure Active Directory), but the cmdlets themselves are in no way compatible with the old Azure AD PowerShell.

Unfortunately, you have no choice but to move to Azure AD PowerShell v2. The existing PowerShell v1 will of course be supported for quite some time, as it is impossible for everyone to convert their processes, cmdlets, scripts etc. from one version to another at once.

Note. We’ve seen something similar when Microsoft moved from Azure ASM to Azure ARM. It has taken Microsoft years to move everything to ARM, so there is no need to worry about end-of-support scenarios anytime soon.

Installing Azure AD PowerShell v2 is easy: just install the module using the Install-Module command. This will download the module from the PowerShell Gallery repository.

Install-Module AzureAD

When executed you will receive a notification about an untrusted repository. Press [Y] or [A] to continue; the module will then be downloaded and installed.




You can use the following commands to store the credentials of your Office 365 and/or Azure tenant administrator account and use them to log in to Azure Active Directory:

$AzureADCred = Get-Credential <your tenant admin>
Connect-AzureAD -Credential $AzureADCred


You’ve now installed the Azure Active Directory PowerShell v2 module and are logged on to your tenant. If you want to retrieve a list of all new v2 PowerShell commands you can use the Get-Command command:

Get-Command *AzureAD*


In a future blog post I will continue with the Azure AD PowerShell v2 module.

More information

Azure SQL Virtual Networks Endpoint

When creating an Azure SQL environment you get a public IP address to which you have to connect. You can secure this using a Network Security Group (NSG), but a lot of customers are not too happy with this and want to access Azure SQL via the Virtual Network. When you have a Site-to-Site VPN connection between your on-premises environment and Microsoft Azure, you should then be able to connect to Azure SQL this way.

Microsoft is aware of this and has now started offering Azure SQL VNET Endpoints (in Public Preview as of October 2017), which make it possible to connect to Azure SQL via your Virtual Network infrastructure.


Note. This feature can only be used in Azure Resource Manager (ARM) Virtual Networks. ‘Classic’ Virtual Networks cannot be used.

More information regarding this feature can be found in the “Use Virtual Network service endpoints and rules for Azure SQL Database” article on

Manage Azure Active Directory using PowerShell

For managing Azure Active Directory you have two portals available:

You can also manage Azure Active Directory using PowerShell, which is very useful if you want to script your environment, use automation or do bulk management.

To manage Windows Azure Active Directory with PowerShell you have to install the Azure Active Directory Module for Windows PowerShell (64-bit version), but before you can use it you also have to install the Microsoft Online Services Sign-In Assistant (if not already installed).

Note. This is the Azure Active Directory PowerShell V1.

When you have these installed you’ll find an additional PowerShell module on your server or desktop. You can open this module on your machine and connect to Azure Active Directory using the following commands:

$Cred = Get-Credential <your tenant administrator account>
Connect-MsolService -Credential $Cred

This will log you on to Azure Active Directory.

To get an overview of all available Azure Active Directory commands you can use the following command:

Get-Command *MSOL*


Be aware that this is the same Azure Active Directory that’s used in your Office 365 environment, so when executing Get-MsolUser you’ll see an overview of all users that use Office 365:


And when looking at the Office 365 Portal you’ll see the same user accounts:


In my next blog I will discuss Azure Active Directory PowerShell v2, with its new features and advantages.

More information

Managing Azure using PowerShell

As already (briefly) mentioned in my previous blog post, you’d better use PowerShell for more complex management tasks, when creating multiple similar resources, and when you want to perform repetitive tasks that are prone to error in the GUI.

PowerShell was developed in the early 2000s as a common management interface for all Microsoft operating systems and applications. By default, each Windows machine comes with PowerShell, which can be used to manage that particular machine (or similar machines in the same network). For applications it’s different: each application (Microsoft and 3rd party alike) comes with its own PowerShell module. There are PowerShell modules for Active Directory, for Exchange Server, for SharePoint Server etc. Sometimes it’s an addition to the installed PowerShell module (like Azure), sometimes it’s installed as a separate PowerShell module, like the Exchange Management Shell (Exchange PowerShell) or Azure Active Directory PowerShell.

Installing Azure PowerShell is relatively easy. You can use the Web Platform Installer (found on or you can use the following PowerShell commands in a PowerShell window with elevated privileges:

Install-Module AzureRM
Install-Module Azure

The latter is used to import the classic PowerShell module, similar to the classic portal as discussed in my previous blog post.

To import the Azure Resource Manager module into the existing PowerShell session, execute the following commands:

Set-ExecutionPolicy Unrestricted
Import-Module AzureRm

That’s enough to install the Azure PowerShell modules on your machine. You can login to Azure using the following command:


A pop-up will appear asking for your credentials, and once authenticated you have a connection with Microsoft Azure. Enter Get-AzureRMResourceGroup to see the Resource Groups in use in your environment:


The cool thing about PowerShell is that you can work with variables. For example, you can store the credentials in a variable called $Cred. Execute the following commands in PowerShell:

$Cred = Get-Credential <your tenant admin account>
Login-AzureRMAccount -Credential $Cred

For retrieving the credentials a small pop-up box is presented where you have to enter the administrator password.

Note. This works with a regular school or work account, but not with a Microsoft account (i.e. a Hotmail, Outlook or Live account).

Certificate based authentication

Using a username and password is not convenient when working with scripts, since scripts should be able to run completely unattended. To overcome this you can use certificate based authentication: you install an Azure certificate on your workstation or server, and this certificate is used to authenticate the session.

When working with certificate based authentication there’s a difference between Azure Service Manager (the classic way) and Azure Resource Manager mode. In ASM you generate and import the certificate using Get-AzurePublishSettingsFile and Import-AzurePublishSettingsFile, while in ARM you have to request the certificate and create an application and a service principal that use the certificate.

I’ll get back to certificate based authentication in a future blog post.
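The following script is an added example (not from the original post) of the ARM variant described above: an unattended login as a service principal that authenticates with a certificate, so no password is stored in the script. The tenant id, application id and certificate thumbprint are placeholders, and the script assumes the app registration, service principal and certificate already exist.

```powershell
# Added example: unattended Azure Resource Manager login with a service principal
# and a certificate (no username/password in the script).
# Placeholders below must be replaced with your own values.
$TenantId      = '00000000-0000-0000-0000-000000000000'        # placeholder tenant id
$ApplicationId = '11111111-1111-1111-1111-111111111111'        # placeholder app (client) id
$Thumbprint    = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'    # placeholder certificate thumbprint

# Check the certificate before logging in: it must exist in the user's store,
# carry a private key, and not be expired. Failing early gives a clear error
# instead of an opaque authentication failure in an unattended job.
$Cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $Cert)               { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if (-not $Cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key and cannot authenticate" }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($Cert.NotAfter)" }

# Log in as the service principal. Login-AzureRmAccount is an alias of Add-AzureRmAccount;
# the -ServicePrincipal/-CertificateThumbprint parameter set performs certificate auth.
# The service principal should only hold the RBAC role its script needs (least privilege).
Login-AzureRmAccount -ServicePrincipal `
                     -TenantId $TenantId `
                     -ApplicationId $ApplicationId `
                     -CertificateThumbprint $Thumbprint | Out-Null

# Confirm which identity and subscription the session is running under.
$Context = Get-AzureRmContext
"Logged in as {0} on subscription '{1}'" -f $Context.Account.Id, $Context.Subscription.Name

# Same read-only check the post used interactively, now without any prompt.
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
```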

Managing Azure using the Azure Portal

One of the ways to manage your Azure environment is using the Azure Portal. Most services and configuration options are available in the Azure Portal, which is accessible through When logging on to the portal you’ll see the dashboard, which should look something like this:


On the left you’ll see the hub menu, this is the main navigation to all services available in Azure. The dashboard contains several shortcuts, and when creating new resources, you can pin these to the dashboard for easy navigation. In the screenshot above you see a Virtual Machine pinned to the dashboard.

When you click on a menu item, for example Virtual Machines, the VM resources are shown in a so-called blade. A blade contains the information of a resource, and when you click on a resource its details are shown in an additional blade on the right.


When you click on a VM in this example another pane is opened with information and configuration options for this Virtual Machine:


This way you can easily browse through all the resources.

Resource Groups

Resources are grouped together in Resource Groups. Resource Groups are a logical grouping of resources for management purposes. Resource Groups are defined in a region, for example West Europe or East US. Resources are located in only one Resource Group and cannot be a member of multiple Resource Groups. However, a resource can access resources in another Resource Group, or can be accessed by resources located in another Resource Group.

If you click on Resource Groups in the Hub Menu and then on a Resource Group (RG_Holland in this example), a new blade is opened with options for this Resource Group and the various resources in it. In the following screenshot you’ll see all resources (only one Virtual Machine in this case) in the RG_Holland Resource Group.


Service limits

One question that often arises, especially when designing a new Azure environment, is “are there certain limits in Azure?” Yes, there are service limits, and these are described in the Microsoft document “Azure subscription and service limits, quotas, and constraints” which can be found at

For example, the default limit for ‘Virtual Machines per availability set’ is 200. When looking at networking, the default limit for Virtual Networks is 50 and the maximum limit is 1000. If you hit the limit of 50 Virtual Networks you can log a call with Microsoft and request that the limit be raised to a higher value.
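As an added example (not part of the original post), the compute quotas for a region can be compared against their current consumption from PowerShell, so a limit is noticed before a deployment fails rather than after. It assumes an existing Azure Resource Manager login; the region and the 80% threshold are assumptions.

```powershell
# Added example: report how close each compute quota in a region is to its limit.
# Assumes Login-AzureRmAccount has already been run.
function Get-QuotaPressure {
    param(
        [Parameter(Mandatory)][string]$Location,   # e.g. 'westeurope' (assumed value)
        [int]$WarnPercent = 80                     # assumed threshold for the warning flag
    )
    # Get-AzureRmVMUsage returns one object per quota with Name (LocalizedValue),
    # CurrentValue and Limit, e.g. cores, availability sets, virtual machines.
    Get-AzureRmVMUsage -Location $Location | ForEach-Object {
        $Percent = if ($_.Limit -gt 0) {
            [math]::Round(100 * $_.CurrentValue / $_.Limit, 1)
        } else { 0 }   # a limit of 0 or less means the quota is not enforced here
        [pscustomobject]@{
            Quota   = $_.Name.LocalizedValue
            Used    = $_.CurrentValue
            Limit   = $_.Limit
            Percent = $Percent
            Warning = ($Percent -ge $WarnPercent)
        }
    }
}

$Usage = Get-QuotaPressure -Location 'westeurope' -WarnPercent 80
$Usage | Sort-Object Percent -Descending | Format-Table -AutoSize

# Quotas at or above the threshold are the ones to raise with Microsoft support
# before they block a deployment.
$Usage | Where-Object Warning | ForEach-Object {
    "Near limit: $($_.Quota) ($($_.Used)/$($_.Limit), $($_.Percent)%)"
}
```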

Classic Portal

You’ll see the terms ‘classic model’ and ‘classic portal’ in various places. This is the original model that Microsoft used when they started with Azure. In 2014 Microsoft introduced the Resource Model for Azure, and almost all services have now been decommissioned from the classic model or migrated to the Resource Model.

There’s also a classic portal, which can be found at


Microsoft is still working on decommissioning services from the classic model, and where needed a warning message is shown when a certain service is being decommissioned.

Azure Active Directory Portal

Another Portal I’d like to point out is the recently introduced Azure Active Directory Portal, which can be found at

The Azure Active Directory admin center, as it’s called, looks very much like the regular Azure Portal, except that it’s focused on Azure Active Directory and related services.



In this blog post I’ve shown you the three portals that are available in Microsoft Azure. The classic portal is being decommissioned, and use of the classic model is not recommended. Instead, the resource model that was introduced in 2014 should be used.

With this resource model come Resource Groups, and resources are logically grouped into Resource Groups, just for management purposes (and nothing else).

Recovery Vault cannot be deleted

During a demo I created a Recovery Vault in Azure, and in Azure SQL I created a long-term retention policy. After the demo I deleted the Azure SQL instance and tried to remove the Recovery Vault. No luck, and I got the following error message:

Vault ‘databasebackupvault’ cannot be deleted as there are existing resources within the vault. Please delete any replicated items, registered servers, Hyper-V sites (Used for Site Recovery), policy associations for System Center VMM clouds (Used for Site Recovery) and then delete the vault.


After removing the backup items from the Recovery Vault I tried to remove the Recovery Vault again (the Vault was really empty), but still no luck. Waiting over the weekend didn’t solve it either: there was nothing in the Recovery Vault, but still no deletion.


Azure PowerShell was not willing to remove the Recovery Vault either:


It turns out that the long-term retention data from Azure SQL was still in the Recovery Vault, and you cannot see this anywhere in the portal. The only way to check this, and to remove it, is with Azure PowerShell using the following script:

# Select the vault and make it the context for the backup cmdlets
$RecoveryVault = Get-AzureRmRecoveryServicesVault
Set-AzureRmRecoveryServicesVaultContext -Vault $RecoveryVault

# The Azure SQL long-term retention data lives in an AzureSQL container named after the vault
$Containers = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureSQL -FriendlyName $RecoveryVault.Name
ForEach ($Container in $Containers) {
  $Items = Get-AzureRmRecoveryServicesBackupItem -Container $Container -WorkloadType AzureSQLDatabase
  ForEach ($Item in $Items) {
    # Stop protection and delete the retained recovery points for each hidden item
    Disable-AzureRmRecoveryServicesBackupProtection -Item $Item -RemoveRecoveryPoints -ErrorAction SilentlyContinue
  }
  # Once the container is empty it can be unregistered from the vault
  Unregister-AzureRmRecoveryServicesBackupContainer -Container $Container
}
# With no registered containers left the vault itself can be deleted
Remove-AzureRmRecoveryServicesVault -Vault $RecoveryVault

When running this script you get a warning message asking if you really want to remove it, and if you confirm, the Recovery Vault is finally removed.
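Before running a script that deletes recovery points, it helps to see what the vault still holds. The function below is an added example (not the post’s own script) that lists the registered Azure SQL backup items in a vault read-only, so you can confirm what will be removed or confirm the vault is really empty. It assumes an existing Azure Resource Manager login; the vault name reuses the one from the error message above.

```powershell
# Added example: read-only inventory of the backup items still registered in a
# Recovery Services vault (the items the portal does not show).
# Assumes Login-AzureRmAccount has already been run.
function Get-VaultBackupInventory {
    param([Parameter(Mandatory)][string]$VaultName)

    $Vault = Get-AzureRmRecoveryServicesVault -Name $VaultName
    if (-not $Vault) { throw "Vault '$VaultName' not found in this subscription" }
    Set-AzureRmRecoveryServicesVaultContext -Vault $Vault

    # Same container/workload pair the post's script removes; add other pairs
    # here if the vault is also used for other workloads.
    $Pairs = @(
        @{ ContainerType = 'AzureSQL'; WorkloadType = 'AzureSQLDatabase' }
    )

    foreach ($Pair in $Pairs) {
        $Containers = Get-AzureRmRecoveryServicesBackupContainer `
                          -ContainerType $Pair.ContainerType -ErrorAction SilentlyContinue
        foreach ($Container in $Containers) {
            $Items = Get-AzureRmRecoveryServicesBackupItem -Container $Container `
                         -WorkloadType $Pair.WorkloadType -ErrorAction SilentlyContinue
            foreach ($Item in $Items) {
                # Emit one record per item; nothing is modified.
                [pscustomobject]@{
                    Container       = $Container.FriendlyName
                    ContainerType   = $Pair.ContainerType
                    Item            = $Item.Name
                    ProtectionState = $Item.ProtectionState
                }
            }
        }
    }
}

# Vault name taken from the error message in the post.
$Found = @(Get-VaultBackupInventory -VaultName 'databasebackupvault')
if ($Found.Count -gt 0) {
    "Vault still holds $($Found.Count) backup item(s); deletion will fail until they are removed:"
    $Found | Format-Table -AutoSize
} else {
    "No registered backup items found; Remove-AzureRmRecoveryServicesVault should now succeed."
}
```

Run it once before the removal script to see what is about to be deleted, and once afterwards to confirm the vault is empty.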


Introduction to Azure – Microsoft Public Cloud

Azure is Microsoft’s public cloud platform for IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) Solutions. Microsoft also has a SaaS (Software as a Service) public cloud platform, this is known as Office 365.

What makes a platform a cloud platform? The “National Institute of Standards and Technology” (NIST) has defined the characteristics of a cloud platform. These characteristics are:

  • On-demand self-service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured service.

There are also multiple cloud platforms:

  • Public cloud platform – This is a cloud platform where all resources are shared between multiple customers. The platform is separated into different so-called ‘tenants’. Customers in one tenant are totally unaware of customers in other tenants on the same platform. A public cloud platform is typically found on the Internet.
  • Private cloud platform – This is a dedicated cloud platform, built for a specific customer. It has the same characteristics as a public cloud platform. It can be found on the Internet, on-premises or in a datacenter, but connected using VPN networks.
  • Hybrid cloud platform – This is a combination of a public and a private cloud platform.


I’ve written an article about private clouds for Red Gate, which contains some more information regarding clouds and cloud characteristics. You can find this article on the Red Gate site at

Also interesting to note are the XaaS solutions:

  • SaaS – Software as a Service. Office 365 is the Microsoft SaaS solution. You have a subscription to a complete solution, for example an email service (Exchange Online), a document management solution (SharePoint Online, OneDrive for Business) or a collaboration solution (Skype for Business). You only have to take care of the user accounts; all infrastructure and platform components are managed by Microsoft. A SaaS solution is easy to manage, but doesn’t offer too much flexibility.
  • IaaS – Infrastructure as a Service. In an IaaS solution Microsoft offers for example Virtual Machines (VMs), and these VMs can have different operating systems, for example Windows Server 2012 R2, Windows Server 2016 or a Linux OS. You are responsible for configuring and managing the servers, including the applications installed on them. IaaS offers a lot of flexibility, but automatically brings complexity and responsibility.
  • PaaS – Platform as a Service. In a PaaS solution Microsoft offers solutions like Azure SQL, Web Apps or Cloud Services. For example, when you have an Azure SQL solution, you can define your own SQL Server and Database, but Microsoft is responsible for the SQL Server application, provisioning, management etc. You only have a SQL Database according to predefined requirements. In Azure Cloud Services you have a front-end/back-end infrastructure where you can create your own application, including business logic (in the back-end) or connections to (Azure) databases. Depending on the solution you’ve configured it can come with more (or less) complexity and flexibility.


There are more ‘as a Service’ solutions. I’ve seen hosting customers offering their own backup solutions as ‘Backup as a Service’, or ‘Database as a Service’. It’s up to your own offering when you are a (Microsoft) hosting partner.

Azure Services

Microsoft Azure consists of several ‘containers’, each containing its own services, as can be seen in the following picture:


There can be dependencies between various services. For example, when creating an Azure Virtual Machine, you also need a Virtual Network and Storage. Maybe you want to back up your VMs, and then you need Azure Backup, or integrate your environment with Azure Active Directory.

A quick note on Azure Active Directory. This is the underlying directory for all Office 365 services. If you have an Office 365 tenant, all users and groups are automatically created in Azure Active Directory. This is the same directory that is used in your Azure tenant, so if you log on to your Azure environment using your Office 365 admin credentials you’ll see all Office 365 users when selecting Azure AD in the Azure Portal.

Azure Datacenters

Azure is hosted in multiple datacenters across the world. At the time of writing there are 42 datacenters worldwide. You can see these datacenters on the following website:

Using ‘Explore products per region’ you can do a deep dive per region and check which services are available in that region.


Datacenters are tied together in ‘datacenter pairs’. For example, datacenter pairing occurs between West Europe (in the Netherlands) and North Europe (Ireland). If data is stored in one location (West Europe) and needs to be stored in another location for resiliency, it is automatically stored in North Europe. This way data is never automatically replicated outside the political region (i.e. Europe). If you want, or if there’s a need, you can still configure geo-replication to another datacenter in the world, for example from West Europe to East US, but that’s a manual configuration and never occurs automatically.

Managing Azure

Azure can be managed using different solutions, but the two most often used are the Azure Portal and Azure PowerShell.

The Azure Portal is easy: just navigate to and log in using your tenant administrator credentials. You’ll see something like this:


In the Azure Portal you can configure most solutions and options, and I’ll discuss various of these in upcoming blog posts.

The second option is to use Azure PowerShell. This can be installed using the Web Platform Installer ( or by executing the following commands in a PowerShell window (with elevated privileges):

Install-Module AzureRM
Install-Module Azure
Set-ExecutionPolicy Unrestricted
Import-Module AzureRm

Once imported you can log in using the following command:


and start managing your Azure environment using PowerShell. Again, this will also be covered in an upcoming blog post.


Azure is Microsoft’s public cloud solution for IaaS and PaaS solutions. Azure is hosted in datacenters worldwide, and by nature offers high availability, resiliency etc. to create scalable and available solutions.

Azure can be managed with the Azure Portal and with Azure PowerShell. The first one is easy to use; the second one offers a lot more flexibility, scripting options and automation. This is extremely important when creating larger environments that need to be consistent.

In my upcoming blogs I’ll show you more about the Azure Portal, Azure PowerShell, Virtual Machines, Storage and Virtual Networking.

by Jaap Wesselius