Tag Archives: powershell

Azure Active Directory PowerShell v2

Maybe you’ve already heard about Microsoft Graph and the Graph API. Microsoft Graph is the way resources in the Microsoft cloud are connected to each other. The Graph API is an API you can use to access Microsoft Graph, and browse (or traverse) through all the resources.

You can use the Graph API when building your own applications, but Microsoft is moving all their apps, tools etc. to the Graph API as well.

Azure Active Directory PowerShell v2 is moving from the Azure AD APIs to the Graph API as well. This automatically implies that Azure AD PowerShell v2 comes with new cmdlets and new options. The output of these cmdlets should of course be similar (creating a new domain, group or user in Azure Active Directory), but the cmdlets themselves are in no way compatible with the old Azure AD PowerShell.

Unfortunately, you have no choice other than moving to Azure AD PowerShell v2. The existing PowerShell v1 will of course be supported for quite some time, as it is impossible for everyone to convert their processes, cmdlets, scripts etc. from one version to another overnight.

Note. We’ve seen something similar when Microsoft moved from Azure ASM to Azure ARM. It has taken years for Microsoft to move everything to ARM, so no worries about end-of-support scenarios anytime soon.

Installing Azure AD PowerShell v2 is easy, just install the module using the Install-Module command. This will download the module from the PowerShell repository.

Install-Module AzureAD

When executed you will receive a notification about an untrusted repository. Press [Y] or [A] to continue. The module will be downloaded and installed.

You can use the following commands to store the credentials of your Office 365 and/or Azure tenant administrator account and use it to login to Azure Active Directory:

$AzureADCred = Get-Credential <your tenant admin>
Connect-AzureAD -Credential $AzureADCred

You’ve now installed the Azure Active Directory PowerShell v2 module and are logged on to your tenant. If you want to retrieve a list of all new v2 PowerShell commands you can use the Get-Command command:

Get-Command *AzureAD*

In a future blog post I will continue with the Azure AD PowerShell v2 module.

Manage Azure Active Directory using PowerShell

For managing Azure Active Directory you have two portals available:

You can also manage Azure Active Directory using PowerShell, very useful if you want to script your environment, use automation or do bulk management.

To manage Windows Azure Active Directory with PowerShell you have to install the Azure Active Directory Module for Windows PowerShell (64-bit version) but before you can use this you also have to install the Microsoft Online Services Sign-In Assistant (if not already installed).

Note. This is the Azure Active Directory PowerShell V1.

When you have these installed you’ll find an additional PowerShell module on your server or desktop. You can open this PowerShell module on your machine and connect to the Azure Active Directory using the following commands:

$Cred = Get-Credential <your tenant administrator account>
Connect-MsolService -Credential $Cred

This will log you on to the Azure Active Directory.

To get an overview of all available Azure Active Directory commands you can use the following command:

Get-Command *MSOL*

Be aware that this is the same Azure Active Directory that’s used in your Office 365 environment, so when executing Get-MsolUser you’ll see an overview of all users that will be using Office 365:

And when looking at the Office 365 Portal you’ll see the same user accounts:

In my next blog I will discuss Azure Active Directory PowerShell v2, with its new features and advantages.

Managing Azure using PowerShell

As already (briefly) mentioned in my previous blog post, you are better off using PowerShell for more complex management tasks, when creating multiple similar resources, and when you want to perform repetitive tasks that are prone to error in the GUI.

PowerShell was developed in the early 2000s and created as a common management interface for all Microsoft operating systems and applications. By default, each Windows machine is configured with PowerShell, which can be used for managing that particular machine (or similar machines in the same network). For applications it’s different: each application (both Microsoft and third-party) comes with its own PowerShell module. There are PowerShell modules for Active Directory, for Exchange Server, for SharePoint Server etc. Sometimes it’s an addition to the installed PowerShell module (like Azure), sometimes it’s installed as a separate PowerShell module like the Exchange Management Shell (Exchange PowerShell) or Azure Active Directory PowerShell.

Installing Azure PowerShell is relatively easy. You can use the Web Platform Installer (found on https://www.microsoft.com/web/downloads/platform.aspx) or you can use the following PowerShell commands in a PowerShell window with elevated privileges:

Install-Module AzureRM
Install-Module Azure

The latter installs the classic PowerShell module, which corresponds to the classic portal discussed in my previous blog post.

To import the Azure Resource Management module into the existing PowerShell execute the following commands:

# Unrestricted lets any script run; RemoteSigned is usually sufficient for importing the module
Set-ExecutionPolicy Unrestricted
Import-Module AzureRm

That’s enough to install the Azure PowerShell modules on your machine. You can login to Azure using the following command:

Login-AzureRmAccount

A pop-up will appear to enter your credentials, and when authenticated you have a connection with Microsoft Azure. Enter Get-AzureRmResourceGroup to see the Resource Groups in use in your environment:

The cool thing about PowerShell is that you can work with variables. For example, you can store the credentials in a variable called $Cred. Execute the following command in PowerShell:

$Cred = Get-Credential <your tenant admin account>
Login-AzureRmAccount -Credential $Cred

For retrieving the credentials a small pop-up box is presented where you have to enter the administrator password.

Note. This works with a regular work or school account, but it does not work with a Microsoft account (i.e. a Hotmail, Outlook or Live account).
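As an added example (not from the original post), one way to reuse the $Cred approach from an unattended script without putting the password in the script file is to save the credential once with Export-Clixml; on Windows PowerShell the SecureString inside is protected with DPAPI, so the file only decrypts for the same user on the same machine. The file path is an assumption.

```powershell
# Added example, not from the original post. The first run prompts for the tenant
# admin credential and stores it; later runs reuse the stored file without a prompt.
# The file location is an assumption; use a path only the service account can read.
$CredPath = Join-Path $env:LOCALAPPDATA 'AzureAdmin.cred.xml'

if (-not (Test-Path -Path $CredPath)) {
    # Export-Clixml serialises the SecureString with DPAPI, bound to this user and
    # this machine, so a copy of the file is useless anywhere else.
    Get-Credential -Message 'Azure tenant admin (work or school account)' |
        Export-Clixml -Path $CredPath
}

# Import-Clixml rebuilds the PSCredential; it throws for any other user or machine,
# which is exactly the behaviour you want from a stored secret.
$Cred = Import-Clixml -Path $CredPath

# Same login as above, now usable from a scheduled task running as this user
Login-AzureRmAccount -Credential $Cred | Out-Null
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
```

The same file can be used with Connect-MsolService or Connect-AzureAD, since all three take a PSCredential.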

Certificate based authentication

Using a username and password is not convenient when working with scripts, since scripts should have the possibility to run completely unattended. To overcome this you can use certificate based authentication. You install an Azure certificate on your workstation or server, and this certificate is used to authenticate the session.

When working with certificate based authentication there’s a difference between Azure Service Manager (the classic way) and the Azure Resource Manager mode. In ASM you have to generate and import the certificate using the Get-PublishSettingsFile and the Import-PublishSettingsFile, while in ARM you have to request the certificate and create an application and service principal to use the certificate.

I’ll get back on certificate based authentication in a future blogpost.
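An added example of the ARM flow described above (not the author's; the post defers it): create a certificate, register an application with that certificate as its credential, create the service principal, give it a narrowly scoped role, and log in with the certificate instead of a password. The display name, the home page URIs, the Reader role and the tenant id placeholder are assumptions.

```powershell
# Added example, not from the original post. Steps 1-3 run once, interactively, as a
# subscription admin; step 4 is what the unattended script runs afterwards.
$AppName  = 'UnattendedAzureScript'      # assumed display name
$TenantId = '<your tenant id>'           # placeholder; visible in the portal or Get-AzureRmContext

# 1. Certificate with a private key in the current user's store; only the public
#    part is uploaded to Azure AD, the private key stays on this machine.
$Cert = New-SelfSignedCertificate -Subject "CN=$AppName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeySpec KeyExchange
$CertValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())

# 2. Azure AD application that accepts this certificate as its credential
$App = New-AzureRmADApplication -DisplayName $AppName `
    -HomePage "https://$AppName.example" -IdentifierUris "https://$AppName.example" `
    -CertValue $CertValue -StartDate $Cert.NotBefore -EndDate $Cert.NotAfter

# 3. Service principal plus a role limited to what the script needs. Reader is the
#    assumption here; widen it only when the script actually has to change resources.
New-AzureRmADServicePrincipal -ApplicationId $App.ApplicationId | Out-Null
Start-Sleep -Seconds 15   # directory propagation before the principal can be assigned a role
New-AzureRmRoleAssignment -RoleDefinitionName 'Reader' `
    -ServicePrincipalName $App.ApplicationId | Out-Null

# 4. Unattended login: tenant id, application id and thumbprint, no password anywhere
Login-AzureRmAccount -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $App.ApplicationId -CertificateThumbprint $Cert.Thumbprint
Get-AzureRmResourceGroup | Select-Object ResourceGroupName, Location
```

Rotating the credential later means issuing a new certificate and adding it to the application before the old one expires; the script itself only ever holds a thumbprint.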

Recovery Vault cannot be deleted

During a demo I created a Recovery Vault in Azure, and in Azure SQL I created a long-term retention policy. After the demo I deleted the Azure SQL instance and tried to remove the Recovery Vault. No luck, and I got the following error message:

Vault ‘databasebackupvault’ cannot be deleted as there are existing resources within the vault. Please delete any replicated items, registered servers, Hyper-V sites (Used for Site Recovery), policy associations for System Center VMM clouds (Used for Site Recovery) and then delete the vault.

After removing the backup items from the Recovery Vault I tried to remove the Recovery Vault again (the Vault was really empty), but still no luck. Waiting over the weekend didn’t solve it either, there was nothing in the Recovery Vault, but still no deletion.

Also Azure PowerShell was not willing to remove the Recovery Vault:

It turns out that the long-term retention data from Azure SQL was still in the Recovery Vault, and you cannot see this anywhere in the portal. The only way to check for it, and to remove it, is with Azure PowerShell, using the following script:

# Select the vault by name (the one from the error message above) and make it the current context
$RecoveryVault = Get-AzureRmRecoveryServicesVault -Name 'databasebackupvault'
Set-AzureRmRecoveryServicesVaultContext -Vault $RecoveryVault

# The Azure SQL long-term retention data lives in a backup container the portal does not show
$Containers = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureSQL -FriendlyName $RecoveryVault.Name
ForEach ($Container in $Containers) {
  $Items = Get-AzureRmRecoveryServicesBackupItem -Container $Container -WorkloadType AzureSQLDatabase
  ForEach ($Item in $Items) {
    # Stop protection and delete the retained recovery points; errors are suppressed for items that are already unprotected
    Disable-AzureRmRecoveryServicesBackupProtection -Item $Item -RemoveRecoveryPoints -ErrorAction SilentlyContinue
  }
  # With the items gone, the container can be unregistered from the vault
  Unregister-AzureRmRecoveryServicesBackupContainer -Container $Container
}
# Now the vault is really empty and can be removed
Remove-AzureRmRecoveryServicesVault -Vault $RecoveryVault

When running this script you get a warning asking whether you really want to remove this, and if you answer yes the Recovery Vault is finally removed.

Introduction to Azure – Microsoft Public Cloud

Azure is Microsoft’s public cloud platform for IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) Solutions. Microsoft also has a SaaS (Software as a Service) public cloud platform, this is known as Office 365.

What makes a platform a cloud platform? The “National Institute of Standards and Technology” or NIST has defined the characteristics of a cloud platform. The characteristics of a cloud platform are:

  • On-demand self-service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured service.

There are also multiple cloud platforms:

  • Public cloud platform – This is a cloud platform where all resources are shared between multiple customers. The platform is separated into different so called ‘tenants’. Customers in one tenant are totally unaware of customers in other tenants on the same platform. A cloud platform is typically found on the Internet.
  • Private cloud platform – This is a dedicated cloud platform, built for a specific customer. It has the same characteristics as a public cloud platform. It can be found on the Internet, on-premises or in a datacenter, but connected using VPN networks.
  • Hybrid cloud platform – This is a combination of a public and a private cloud platform.

I’ve written an article about private clouds for Red Gate which contains some more information regarding clouds and cloud characteristics. You can find this article on the Red Gate site at https://www.red-gate.com/simple-talk/cloud/cloud-development/private-cloud-what-is-it-and-why-do-you-need-it/

Also interesting to note are the XaaS solutions:

  • SaaS – Software as a Service. Office 365 is the Microsoft SaaS solution. You have a subscription to a complete solution, for example an email service (Exchange Online), a document management solution (SharePoint Online, OneDrive for Business) or a collaboration solution (Skype for Business). You only have to take care of the user accounts; all infrastructure and platform components are managed by Microsoft. A SaaS solution is easy to manage, but doesn’t offer too much flexibility.
  • IaaS – Infrastructure as a Service. In an IaaS solution Microsoft is offering for example Virtual Machines (VMs), and these VMs can have different operating systems, for example Windows Server 2012 R2, Windows Server 2016 or a Linux OS. You are responsible for configuring and managing the servers, including the applications installed on the servers. IaaS offers a lot of flexibility, but automatically includes complexity and responsibility.
  • PaaS – Platform as a Service. In a PaaS solution Microsoft is offering solutions like Azure SQL, Web Apps or Cloud Services. For example, when you have an Azure SQL solution, you can define your own SQL Server and Database, but Microsoft is responsible for the SQL Server application, provisioning, management etc. You only have a SQL Database according to predefined requirements. In Azure Cloud Services, you have a front-end/back-end infrastructure, where you can create your own application, including business logic (in the back-end) or connections to (Azure) databases. Depending on the solution you’ve configured it can come with more (or less) complexity and flexibility.

There are more ‘as a Service’ solutions. I’ve seen hosting customers offering their own backup solutions as ‘Backup as a Service’, or ‘Database as a Service’. It’s up to your own offering when you are a (Microsoft) hosting partner.

Azure Services

Microsoft Azure consists of several ‘containers’, each consisting of their own service, as can be seen in the following picture:

There can be dependencies between various services. For example, when creating an Azure Virtual Machine, you also need a Virtual Network and Storage. Maybe you want to backup your VMs and you need Azure Backup, or integrate your environment with Azure Active Directory.

A quick note on Azure Active Directory. This is the underlying directory for all Office 365 services. If you have an Office 365 tenant, all users and groups are automatically created in Azure Active Directory. This is the same directory as being used in your Azure tenant, so if you logon to your Azure environment using your Office 365 admin credentials you’ll see all Office 365 users when selecting Azure AD in the Azure Portal.

Azure Datacenters

Azure is hosted in multiple datacenters across the world. At the moment of writing there are 42 datacenters worldwide. You can see these datacenters on the following website: https://azure.microsoft.com/en-us/regions/

Using ‘Explore products per region’ you can do a deep dive per region, and check which services are available in that region.

Datacenters are tied together in a ‘datacenter pair’. For example, Datacenter pairing occurs between West Europe (in The Netherlands) and North Europe (Ireland). If data is stored in one location (West Europe) and you need to store it in another location for resiliency, it is automatically stored in North Europe. This way data is not automatically replicated outside the political region (i.e. Europe). If you want, or if there’s a need, you can still configure geo-replication to another datacenter in the world, for example from West Europe to East US, but that’s a manual configuration and never occurs automatically.

Managing Azure

Azure can be managed using different solutions, but the two most often used are the Azure Portal and Azure PowerShell.

The Azure Portal is easy, just navigate to https://portal.azure.com and login using your tenant administrator credentials. You’ll see something like this:

In the Azure Portal you can configure most solutions and options, and I’ll discuss various of these in upcoming blog posts.

The second option is to use Azure PowerShell. This can be installed using the Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx) or by executing the following commands in a PowerShell window (with elevated privileges):

Install-Module AzureRM
Install-Module Azure
Set-ExecutionPolicy Unrestricted
Import-Module AzureRm

Once imported you can login using the following command:

Login-AzureRmAccount

and start managing your Azure environment using PowerShell. Again, this will also be covered in upcoming blog posts.

Summary

Azure is Microsoft’s public cloud solution for IaaS and PaaS solutions. Azure is hosted in datacenters worldwide, and by nature offers high availability, resiliency etc. to create scalable and available solutions.

Azure can be managed with the Azure Portal and with Azure PowerShell. The first is easy to use; the second offers a lot more flexibility, scripting options and automation. This is extremely important when creating larger environments that need to be consistent.

In my upcoming blogs I’ll show you more about the Azure Portal, Azure PowerShell, Virtual Machines, Storage and Virtual Networking.