Creating An Azure Credential Manually Using Windows Powershell
1. Install Azure Cmdlets in Windows Powershell:
- Open a Powershell window as administrator
- Run the following commands:
Install-Module AzureRM
Install-Module Azure
- You can verify proper installation by typing the following command:
Get-ModuleOutput:PS C:\WINDOWS\system32> Get-ModuleModuleType Version Name ExportedCommands------- ------- ---- ----------------Script 3.3.0 AzureRM {Add-AzureKeyVaultCertificate, ...}Script 3.2.0 AzureRM.ApiManagement {Add-AzureRmApiManagementApiToProduct, ...Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}Binary 1.0.0.1 PackageManagement {Find-Package, Find-PackageProvider, Get-Package, Get-PackageProvider...}Script 1.0.0.1 PowerShellGet {Find-Command, Find-DscResource, Find-Module, Find-RoleCapability...}Script 1.2 PSReadline {Get-PSReadlineKeyHandler, Get-PSReadlineOption, ...}
2. Login into Azure:
- Execute the following command:
Login-AzureRmAccount - You will be walked through a series of 3 login screens:
3. Get the Subscription ID and Tenant ID:
- Once you have logged in information from the default subscription will be displayed:
Output
Environment : AzureCloud
Account : joe_user@someplace.com
TenantId : 0a31c9b8-1734-4141-95b4-efd9f4c247ca
SubscriptionId : 11aaa902-82ca-4b18-9641-0b7825f7eb42
SubscriptionName : PMC-1-As-U-GoCurrentStorageAccount :
- Here you have the first two pieces of information:
- Subscription ID (in this case, 11aaa902-82ca-4b18-9641-0b7825f7eb42)
- Tenant ID (in this case, 0a31c9b8-1734-4141-95b4-efd9f4c247ca)
- Note: If you wish to use a subscription other than the default then use the following command:
Get-AzureRmSubscription
OutputSubscriptionName : My-First-SubscriptionSubscriptionId : 0a31c9b8-1734-4141-95b4-efd9f4c247caTenantId : 11aaa902-82ca-4b18-9641-0b7825f7eb42State : Enabled
SubscriptionName : My-Second-SubscriptionTenantId : 3e20c9b8-2932-4334-95b4-efd9f4c2476aState : EnabledSubscriptionId : 6d6a385d-5921-4223-b6f8-88ca2498e0c9
- And use the ID and Tenant ID number from that output below. Use the SubscriptionName and rerun Get-AzureRmSubscription:
Get-AzureRmSubscription -SubscriptionName My-Second-Subscription
4. Get Client ID/Application ID and the Key:
- For this step you will need to create an application within your subscription. From the command line this can be done by typing:
New-AzureRmADApplication -DisplayName "Your App Name" -IdentifierUris "https:/id.uris" -HomePage "https://your.home.page" -EndDate "mm-dd-yyyy"
- In this example, I used the following values:
- DisplayName: "PMC Azure Dev"
- Password: "parkmycloud!"
- IdentifierUris: "https://PMC-Azure-Dev-not-used" (HEADS UP: This needs to be unique. Be creative. Use something different.)
- HomePage: "https://console.parkmycloud.com"
- EndDate: "01-02-2299" (a.k.a, permanent)
OutputDisplayName : PMC Azure Dev
ObjectId : d10e4fd3-1939-42e2-a8a9-91ff9952f84e
IdentifierUris : {https://PMC-Azure-Dev-not-used}
HomePage : https://console.parkmycloud.come
Type : Application
ApplicationId : 7d3157b9-f26d-4516-bf6e-4fc8de854688
AvailableToOtherTenants : False
AppPermissions :
ReplyUrls :
Here you will need to copy the AppId (in this case, 7d3157b9-f26d-4516-bf6e-4fc8de854688).Your App Access Key is simply the password you just entered (in this case, parkmycloud!).At this point you have everything you need for ParkMyCloud. However, there are a few more steps you need to complete the configuration on the Azure side.
5. Create a Service Principal for the Application:
- You will need to create a Service Principal for the application by passing the Application ID from above:
New-AzureRmADServicePrincipal -ApplicationID "Enter the App ID from above here"
OutputDisplayName Type ObjectID------------------ ------- -----------PMC Azure Dev ServicePrincipal 118e4955-a4ee-48fd-9acd-60181b09e796
- Copy the Service Principal Object ID from the response for the next step.
6. Create a Custom Role with Limited Permissions:
- Get the example role from the ParkMyCloud console Add Credential page, and paste it into a file (we called it ExampleAzureRolePerms.json). It may look a little different from what's below, but you get the idea. (The latest permissions example will always be found in the ParkMyCloud console).
- Suggest you give it the same name as the application
- Perhaps referencing the application name in the description would also be helpful
- Enter the subscription ID from step 3 as well:
{
"Name": "PMC Azure Dev",
"Description": "PMC Azure Dev Role",
"IsCustom": "true",
"Actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachineScaleSets/read"
"Microsoft.Compute/virtualMachineScaleSets/write"
"Microsoft.Compute/virtualMachineScaleSets/start/action",
"Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
"Microsoft.Compute/virtualMachineScaleSets/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<Your_subscription_ID_here>"
]
}
- Then execute the following command:
New-AzureRmRoleDefinition -InputFile ExampleAzureRolePerms.json
OutputName : PMC Azure DevId : 0295c03d-c93c-482a-ad07-885e3e842695IsCustom : TrueDescription : PMC Azure Dev RoleActions : {Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/*/read, Microsoft.Compute/virtualMachines/start/action, Microsoft.Compute/virtualMachines/deallocate/action...}NotActions : {}AssignableScopes : {/subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42}
7. Assign the Custom Role to Service Principal:
- The final step will be to map this custom role you have just created to the service principal:
New-AzureRmRoleAssignment -ObjectId <Service principal Object Id> -RoleDefinitionId "<RoleId >" -Scope "/subscriptions/<Subscription ID>"
Where:
- Service Principal Object Id is from Step 5
- Role Definition Id is from Step 6 and
- Scope is Subscription ID from Step 3
OutputRoleAssignmentId : /subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42/providers/Microsoft.Authorization/roleAssignments/7e76e563-ee34-4a06-a994-01855a301141Scope : /subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42DisplayName : PMC Azure DevSignInName :RoleDefinitionName : PMC Azure DevRoleDefinitionId : 0295c03d-c93c-482a-ad07-885e3e842695ObjectId : 118e4955-a4ee-48fd-9acd-60181b09e796ObjectType : ServicePrincipal
That completes the application configuration within Azure. Now, you merely need to fill in the blanks on the credential page, give it a name and select a team to complete the configuration within ParkMyCloud
Troubleshooting:
* List custom roles:
Get-AzureRmRoleDefinition -Custom
* Show the current custom role:
Get-AzureRmRoleDefinition -Name "PMC Azure Dev"
* Modify the current custom role:
Set-AzureRmRoleDefinition -InputFile
* Remove a role assignment from a Service Principal:
Remove-AzureRmRoleAssignment -ObjectId <Service Principal Object ID> -RoleDefinitionId <Role Definition Id>
Related Articles
Creating An Azure Credential For ParkMyCloud
Goal The goal of this process is to configure limited access for ParkMyCloud to an Azure subscription. To do this you will need to obtain the following pieces of information to create the ParkMyCloud Azure credential: Subscription ID Tenant ID App ID ...Creating An Azure Credential the Easy Way in Windows Using Powershell and get_azure_cred.ps1
We have created some helpful scripts in our public Github repository. One of those is a script called get_azure_cred.ps1, which runs in Windows and Powershell and will: Log you into your Azure account Create an application for you in your Active ...Creating an Azure Credential Manually Using Azure CLI
1. Install azure CLI (linux shown below) using NodeJS install: if nodejs, npm and/or azure-cli are not installed: curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash - sudo apt-get install -y nodejs sudo npm install -g azure-cli 2. Login ...Creating An Azure Cred the Easy Way In Linux Using azure-cli and get_azure_cred.sh Script
We have created some helpful scripts in our public Github repository. One of those is a script called get_azure_cred.sh, which runs in Ubuntu Linux and will: Install nodejs, npm and azure-cli (if they are not already installed) Log you into your ...Setting Up Azure Active Directory (Free Version) As A SAML IdP Server for ParkMyCloud
When you followed our article on creating an Azure credential, that process included creating an application in Azure. We are now going to revisit one of those applications and configure some of its settings to configure Azure Active Directory as an ...