Creating An Azure Credential Manually Using Windows Powershell

1. Install Azure Cmdlets in Windows Powershell:
  • Open a Powershell window as administrator
  • Run the following commands:
Install-Module AzureRM
Install-Module Azure
  • Note: Microsoft has since retired the AzureRM modules in favour of the Az module, whose cmdlets use an Az prefix in place of AzureRm (New-AzADApplication for New-AzureRmADApplication, and so on). The AzureRm commands in this guide still run wherever AzureRM is installed.
  • You can verify proper installation by typing the following command (a plain Get-Module lists only the modules already loaded into the session; add -ListAvailable to see everything that is installed):
Get-Module

Output:

PS C:\WINDOWS\system32> Get-Module

ModuleType Version Name                            ExportedCommands
---------- ------- ----                            ----------------
Script     3.3.0   AzureRM                         {Add-AzureKeyVaultCertificate, ...}
Script     3.2.0   AzureRM.ApiManagement           {Add-AzureRmApiManagementApiToProduct, ...}
Manifest   3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest   3.1.0.0 Microsoft.PowerShell.Utility    {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Binary     1.0.0.1 PackageManagement               {Find-Package, Find-PackageProvider, Get-Package, Get-PackageProvider...}
Script     1.0.0.1 PowerShellGet                   {Find-Command, Find-DscResource, Find-Module, Find-RoleCapability...}
Script     1.2     PSReadline                      {Get-PSReadlineKeyHandler, Get-PSReadlineOption, ...}

2. Log in to Azure:

  • Execute the following command:
Login-AzureRmAccount
  • You will be walked through a series of 3 login screens. Sign in with an account that is allowed to register applications in the directory and that holds Owner (or User Access Administrator) rights on the subscription, since steps 6 and 7 create a role definition and a role assignment.
3. Get the Subscription ID and Tenant ID:
  • Once you have logged in, information about the default subscription will be displayed:
Output
Environment            : AzureCloud
Account                : joe_user@someplace.com
TenantId               : 0a31c9b8-1734-4141-95b4-efd9f4c247ca
SubscriptionId         : 11aaa902-82ca-4b18-9641-0b7825f7eb42
SubscriptionName       : PMC-1-As-U-Go
CurrentStorageAccount  :
  • Here you have the first two pieces of information:
    • Subscription ID (in this case, 11aaa902-82ca-4b18-9641-0b7825f7eb42)
    • Tenant ID (in this case, 0a31c9b8-1734-4141-95b4-efd9f4c247ca)

  • Note: If you wish to use a subscription other than the default, list every subscription your account can see:
Get-AzureRmSubscription
Output

SubscriptionName : My-First-Subscription
SubscriptionId   : 0a31c9b8-1734-4141-95b4-efd9f4c247ca
TenantId         : 11aaa902-82ca-4b18-9641-0b7825f7eb42
State            : Enabled

SubscriptionName : My-Second-Subscription
SubscriptionId   : 6d6a385d-5921-4223-b6f8-88ca2498e0c9
TenantId         : 3e20c9b8-2932-4334-95b4-efd9f4c2476a
State            : Enabled
  • Use the SubscriptionId and TenantId of the subscription you want in the steps below. To display just that one subscription, pass its name:
Get-AzureRmSubscription -SubscriptionName My-Second-Subscription
  • Also switch the session to it (Select-AzureRmSubscription -SubscriptionName My-Second-Subscription), so that the role definition and role assignment in steps 6 and 7 are created in that subscription rather than in the default one.

4. Get Client ID/Application ID and the Key:
  • For this step you will need to create an application (an Azure AD app registration) in your tenant. From the command line this can be done by typing:
New-AzureRmADApplication -DisplayName "Your App Name" -Password "Your App Key" -IdentifierUris "https://id.uris" -HomePage "https://your.home.page" -EndDate "mm-dd-yyyy"
  • In this example, I used the following values:
    • DisplayName: "PMC Azure Dev"
    • Password: "parkmycloud!" (this becomes the App Access Key below; use a long random secret rather than a word like this one, and keep it out of scripts and shell history)
    • IdentifierUris: "https://PMC-Azure-Dev-not-used" (HEADS UP: This needs to be unique within your directory. Be creative. Use something different.)
    • HomePage: "https://console.parkmycloud.com"
    • EndDate: "01-02-2299" (a.k.a. permanent; a shorter lifetime that you rotate is the safer choice, since anyone who obtains the key holds the role's rights until the key expires)
  • Note: newer AzureRM releases take -Password as a SecureString rather than a plain string; if the cmdlet rejects the string, wrap it as -Password (ConvertTo-SecureString "Your App Key" -AsPlainText -Force).
Output

DisplayName             : PMC Azure Dev
ObjectId                : d10e4fd3-1939-42e2-a8a9-91ff9952f84e
IdentifierUris          : {https://PMC-Azure-Dev-not-used}
HomePage                : https://console.parkmycloud.com
Type                    : Application
ApplicationId           : 7d3157b9-f26d-4516-bf6e-4fc8de854688
AvailableToOtherTenants : False
AppPermissions          :
ReplyUrls               :

Here you will need to copy the ApplicationId (in this case, 7d3157b9-f26d-4516-bf6e-4fc8de854688). This is the Client ID/Application ID that ParkMyCloud asks for.

Your App Access Key is simply the password you just entered (in this case, parkmycloud!). It is a credential that carries the rights of the role you assign in step 7, so store it as you would any password.

At this point you have everything you need for ParkMyCloud. However, there are a few more steps you need to complete the configuration on the Azure side.
5. Create a Service Principal for the Application:
  • You will need to create a Service Principal for the application by passing the Application ID from above:
New-AzureRmADServicePrincipal -ApplicationId "Enter the ApplicationId from above here"
Output
DisplayName   Type             ObjectId
-----------   ----             --------
PMC Azure Dev ServicePrincipal 118e4955-a4ee-48fd-9acd-60181b09e796
  • Copy the Service Principal Object ID from the response for the next step.
6. Create a Custom Role with Limited Permissions:
  • Get the example role from the ParkMyCloud console Add Credential page, and paste it into a file (we called it ExampleAzureRolePerms.json). It may look a little different from what's below, but you get the idea. (The latest permissions example will always be found in the ParkMyCloud console).
  • Suggest you give it the same name as the application
  • Perhaps referencing the application name in the description would also be helpful
  • Enter the subscription ID from step 3 as well:

    {
      "Name": "PMC Azure Dev",
      "Description": "PMC Azure Dev Role",
      "IsCustom": "true",
      "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/start/action",
        "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
        "Microsoft.Compute/virtualMachineScaleSets/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/subscriptions/<Your_subscription_ID_here>"
      ]
    }

  • Then execute the following command:
New-AzureRmRoleDefinition -InputFile ExampleAzureRolePerms.json
Output
Name             : PMC Azure Dev
Id               : 0295c03d-c93c-482a-ad07-885e3e842695
IsCustom         : True
Description      : PMC Azure Dev Role
Actions          : {Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/*/read, Microsoft.Compute/virtualMachines/start/action,
                   Microsoft.Compute/virtualMachines/deallocate/action...}
NotActions       : {}
AssignableScopes : {/subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42}
7. Assign the Custom Role to Service Principal:
  • The final step will be to map this custom role you have just created to the service principal:
New-AzureRmRoleAssignment -ObjectId <Service Principal Object Id> -RoleDefinitionId <Role Definition Id> -Scope "/subscriptions/<Subscription ID>"
Where:

  • Service Principal Object Id is from Step 5
  • Role Definition Id is from Step 6 and
  • Scope is the Subscription ID from Step 3

  • Note: if this command fails immediately after step 5 with an error saying the principal does not exist, the new service principal has not yet replicated through Azure AD. Wait a minute and run it again.


Output

RoleAssignmentId   : /subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42/providers/Microsoft.Authorization/roleAssignments/7e76e563-ee34-4a06-a994-01855a301141
Scope              : /subscriptions/11aaa902-82ca-4b18-9641-0b7825f7eb42
DisplayName        : PMC Azure Dev
SignInName         :
RoleDefinitionName : PMC Azure Dev
RoleDefinitionId   : 0295c03d-c93c-482a-ad07-885e3e842695
ObjectId           : 118e4955-a4ee-48fd-9acd-60181b09e796
ObjectType         : ServicePrincipal
That completes the application configuration within Azure. Now you merely need to fill in the blanks on the credential page, give it a name and select a team to complete the configuration within ParkMyCloud.
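The whole procedure from steps 2 to 7 as a single script. This is an added example, not ParkMyCloud's code and not part of the original page; it uses the same AzureRM cmdlets as the steps above and assumes Login-AzureRmAccount has already succeeded and that you pass in the subscription and tenant IDs from step 3. The role body is the example role from step 6 (take the current one from the ParkMyCloud console instead). The random key generation, the lifetime default, the SecureString detection, the retry loop and the parameter names are my own choices, not part of the original procedure.

```powershell
# Added example: steps 2-7 of this page as one script, using the same AzureRM cmdlets.
# Not ParkMyCloud's code. Assumes Login-AzureRmAccount has already succeeded and that
# the role body below matches the current example on the ParkMyCloud Add Credential page.
param(
    [Parameter(Mandatory = $true)][string]$SubscriptionId,    # from step 3
    [Parameter(Mandatory = $true)][string]$TenantId,          # from step 3, echoed at the end
    [string]$DisplayName     = "PMC Azure Dev",
    [string]$HomePage        = "https://console.parkmycloud.com",
    [int]   $KeyLifetimeDays = 365                             # rotate the key, rather than "permanent"
)
$ErrorActionPreference = 'Stop'

# Run every ARM call against the chosen subscription, not whatever the login defaulted to.
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# Step 4: a 256-bit random key from the OS CSPRNG instead of a human-chosen password.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainKey = [Convert]::ToBase64String($bytes)

# Newer AzureRM releases take -Password as a SecureString, older ones as a plain string.
# Inspect the parameter type so the same script works with either.
$pwType = (Get-Command New-AzureRmADApplication).Parameters['Password'].ParameterType
$pwArg  = if ($pwType -eq [securestring]) { ConvertTo-SecureString $plainKey -AsPlainText -Force } else { $plainKey }

# IdentifierUris must be unique in the directory; a random suffix avoids a collision on re-runs.
$idUri = "https://$($DisplayName -replace '\s', '-')-$([guid]::NewGuid().ToString('N').Substring(0, 8))"
$app = New-AzureRmADApplication -DisplayName $DisplayName -HomePage $HomePage -IdentifierUris $idUri `
           -Password $pwArg -EndDate (Get-Date).AddDays($KeyLifetimeDays)

# Step 5: the service principal that the role is assigned to.
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Step 6: the custom role, assignable only in this subscription.
$roleJson = @"
{
  "Name": "$DisplayName",
  "Description": "$DisplayName Role",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/start/action",
    "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
    "Microsoft.Compute/virtualMachineScaleSets/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
"@
$roleFile = Join-Path $env:TEMP "$($DisplayName -replace '\s', '-')-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
$role = New-AzureRmRoleDefinition -InputFile $roleFile

# Step 7: assign the role. A freshly created principal can take a short while to replicate,
# so the first attempt may fail with a "principal not found" style error; retry briefly.
$assignment = $null
for ($attempt = 1; ($attempt -le 10) -and (-not $assignment); $attempt++) {
    try {
        $assignment = New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionId $role.Id -Scope $scope
    } catch {
        Write-Warning "Role assignment attempt $attempt failed: $($_.Exception.Message). Retrying in 15s."
        Start-Sleep -Seconds 15
    }
}
if (-not $assignment) { throw "Role assignment for $($sp.Id) at $scope did not succeed." }

# The four values the ParkMyCloud credential page asks for. Key is a secret: paste it in, then clear the console.
[pscustomobject]@{
    SubscriptionId = $SubscriptionId
    TenantId       = $TenantId
    ApplicationId  = $app.ApplicationId
    Key            = $plainKey
}
```

Run it as `.\New-PmcAzureCredential.ps1 -SubscriptionId <id> -TenantId <id>` (any file name will do). The key is printed once so you can paste it into the credential page; it is not stored anywhere else, so if you lose it, add a new one with New-AzureRmADAppCredential rather than lowering the expiry to 2299. The role file is left in %TEMP% for inspection and is safe to delete.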




Troubleshooting:

* List custom roles:
Get-AzureRmRoleDefinition -Custom

* Show the current custom role:
Get-AzureRmRoleDefinition -Name "PMC Azure Dev"

* Modify the current custom role (Set-AzureRmRoleDefinition identifies the role by Id, so the JSON you pass must include the "Id" value shown in the step 6 output, not just the Name):
Set-AzureRmRoleDefinition -InputFile ExampleAzureRolePerms.json

* Remove a role assignment from a Service Principal:
Remove-AzureRmRoleAssignment -ObjectId <Service Principal Object ID> -RoleDefinitionId <Role Definition Id> -Scope "/subscriptions/<Subscription ID>"
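Two checks that go with the troubleshooting commands above: confirm that the service principal holds only the custom role at the subscription scope (the least-privilege property the custom role was created for), and add actions to the role in place by editing the role object, which already carries the Id that Set-AzureRmRoleDefinition needs, instead of re-editing the JSON file. This is an added example, not ParkMyCloud's code or part of the original page; the parameter names and the action named in the comment are illustrative.

```powershell
# Added example: verification and in-place modification to go with the troubleshooting
# commands above. Not ParkMyCloud's code. Parameter names are my own.
param(
    [Parameter(Mandatory = $true)][string]$SubscriptionId,             # from step 3
    [Parameter(Mandatory = $true)][string]$ServicePrincipalObjectId,   # from step 5
    [string]  $RoleName   = "PMC Azure Dev",
    [string[]]$AddActions = @()   # e.g. "Microsoft.Compute/virtualMachines/restart/action" (illustrative)
)
$ErrorActionPreference = 'Stop'
$scope = "/subscriptions/$SubscriptionId"

# 1. Least-privilege check: the principal should hold the custom role at this scope and nothing else.
$assignments = @(Get-AzureRmRoleAssignment -ObjectId $ServicePrincipalObjectId -Scope $scope)
$assignments | Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table -AutoSize
if (-not ($assignments | Where-Object { $_.RoleDefinitionName -eq $RoleName })) {
    throw "No '$RoleName' assignment found for $ServicePrincipalObjectId at $scope (re-run step 7)."
}
$extra = $assignments | Where-Object { $_.RoleDefinitionName -ne $RoleName }
if ($extra) {
    Write-Warning "Principal also holds: $(($extra | ForEach-Object { "$($_.RoleDefinitionName) @ $($_.Scope)" }) -join '; ')"
}

# 2. Add actions to the role object and push it back. The object already carries the role Id
#    that Set-AzureRmRoleDefinition requires, so there is no JSON file to re-edit.
if ($AddActions.Count -gt 0) {
    $role = Get-AzureRmRoleDefinition -Name $RoleName
    foreach ($action in $AddActions) {
        if ($role.Actions -notcontains $action) { $role.Actions.Add($action) }
    }
    Set-AzureRmRoleDefinition -Role $role
}
```

Run it with only the two mandatory parameters to audit an existing credential; add -AddActions when the ParkMyCloud console publishes a newer permission list and you want to extend the role without recreating it. Assignments inherited from a management group would also show up in the first check, which is exactly when a warning is wanted.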