Tag: Azure AD

Azure Arc-enabled Server APP01

Use the Azure Arc Managed Identity with Azure PowerShell

In this blog post we are going to have a look at how you can use the Azure Arc provided Azure Active Directory (Azure AD) managed identity (MSI) to authenticate in Azure PowerShell on your on-premises Linux and Windows Server machines.

The moment you want to run some automation directly on your servers, you often end up in a scenario where your PowerShell script needs credentials. The issue with that is that you then have to store those credentials somewhere, or retrieve them from somewhere, and that can be a problem. Luckily, Azure Arc provides you with an Azure Active Directory managed identity which can be used for exactly that.

Azure PowerShell gives you an uncomplicated way to log in using that managed identity.

Prerequisites

Azure Arc-enabled Server APP01
  • You are a member of the Owner group in the subscription or resource group, in order to perform required resource creation and role management steps.
Add Role Assignment to resource or resource group for Azure Arc-enabled Server APP01

Get an access token using REST API

For an Azure Arc-enabled Windows server, you use PowerShell to invoke a web request against the identity endpoint on the local host, on its specific port, to get the token. Specify the request using the IP address or the environment variable IDENTITY_ENDPOINT.

# Build the token request against the local Azure Arc identity endpoint
$apiVersion = "2020-06-01"
$resource = "https://management.azure.com/"
$endpoint = "{0}?resource={1}&api-version={2}" -f $env:IDENTITY_ENDPOINT,$resource,$apiVersion
$secretFile = ""
try
{
    # The first, unauthenticated call is expected to fail with HTTP 401 ...
    Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
}
catch
{
    # ... and its WWW-Authenticate header carries the path of the challenge (secret) file
    $wwwAuthHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
    if ($wwwAuthHeader -match "Basic realm=.+")
    {
        $secretFile = ($wwwAuthHeader -split "Basic realm=")[1]
    }
}
Write-Host "Secret file path: " $secretFile`n
# Reading the challenge file requires local Administrator rights
$secret = cat -Raw $secretFile
# Second call: present the challenge as Basic auth to receive the access token
$response = Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'; Authorization="Basic $secret"} -UseBasicParsing
if ($response)
{
    $token = (ConvertFrom-Json -InputObject $response.Content).access_token
    Write-Host "Access token: " $token
}

For an Azure Arc-enabled Linux server, you use Bash to invoke the web request against the identity endpoint on the local host, on its specific port, to get the token. Specify the following request using the IP address or the environment variable IDENTITY_ENDPOINT. To complete this step, you need an SSH client.

# Unauthenticated request: the 401 response's Www-Authenticate header names the challenge file
ChallengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]")
# The challenge file is readable by root only
ChallengeToken=$(cat "$ChallengeTokenPath")
if [ $? -ne 0 ]; then
    echo "Could not retrieve challenge token, double check that this command is run with root privileges."
else
    # Authenticated request: present the challenge as Basic auth to receive the access token
    curl -s -H Metadata:true -H "Authorization: Basic $ChallengeToken" "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com"
fi
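The two snippets above share one flow: an unauthenticated call, a 401 whose realm names a challenge file that only root or Administrators can read, and a second call that presents that file's content. As an added example that is not part of the original post, the following POSIX shell script puts that flow into reusable functions and decodes the returned JWT so you can confirm the audience and expiry you actually got; the `get_arc_token`, `extract_challenge_path` and `jwt_claims` names, the api-version `2020-06-01` for the Linux endpoint, and the sed-based JSON extraction are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: the Arc identity endpoint's
# challenge/response flow split into small functions. Only get_arc_token talks
# to the network; extract_challenge_path and jwt_claims are pure helpers.
# IDENTITY_ENDPOINT is set by the Arc agent; 127.0.0.1:40342 is the fallback
# address the post's Linux snippet uses.

# Pull the challenge-file path out of the 401 response headers. Cutting at the
# "Basic realm=" marker rather than at the first "=" keeps paths intact.
extract_challenge_path() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *Basic realm=//p' | head -n 1
}

# Decode the payload (second segment) of a JWT so you can confirm which
# audience and expiry the token carries. No signature check: the token came
# straight from the local agent and is only being inspected, not verified.
jwt_claims() {
    seg=$(printf '%s' "$1" | cut -d . -f 2 | tr -- '-_' '+/')
    pad=$(( (4 - ${#seg} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
    printf '%s' "$seg" | base64 -d
}

# Full flow: unauthenticated request -> 401 with realm -> read the challenge
# file (readable by root / Administrators only) -> authenticated request.
get_arc_token() {
    resource=${1:-https://management.azure.com/}
    endpoint=${IDENTITY_ENDPOINT:-http://127.0.0.1:40342/metadata/identity/oauth2/token}
    headers=$(curl -s -G -D - -o /dev/null -H Metadata:true \
        --data-urlencode "api-version=2020-06-01" --data-urlencode "resource=$resource" "$endpoint")
    path=$(extract_challenge_path "$headers")
    if [ -z "$path" ]; then
        echo "no challenge returned; is the Arc agent (himds) running?" >&2; return 1
    fi
    if [ ! -r "$path" ]; then
        echo "cannot read $path; run as root to read the challenge file" >&2; return 1
    fi
    curl -s -G -H Metadata:true -H "Authorization: Basic $(cat "$path")" \
        --data-urlencode "api-version=2020-06-01" --data-urlencode "resource=$resource" "$endpoint" \
        | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Usage on an Arc-enabled machine, as root:
#   token=$(get_arc_token) && jwt_claims "$token"
```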

You can learn more about this on Microsoft Learn.

Log in with Azure PowerShell on an Azure Arc-enabled server using the Managed Identity

To log in with your managed identity using Azure PowerShell, run the following command:

Connect-AzAccount -Identity

Now you have access to the resources your Azure AD managed identity (MSI) on your Azure Arc-enabled server has permissions to.

Azure PowerShell on Azure Arc enabled server using Managed Identity

Conclusion

I hope this post is helpful to build some automation with Azure PowerShell on your on-premises or multi-cloud servers with Azure Arc. Let me know if you have any questions in the comments below.



Azure VPN Azure Active Directory authentication

Create Azure P2S VPN with Azure AD authentication

A couple of days ago, we announced that you can now use Azure Active Directory to authenticate Point-to-Site (P2S) VPN connections to your Azure virtual network. Before, you were able to connect to your Azure virtual network (VNet) only by using certificate-based or RADIUS authentication; if you are using the OpenVPN protocol, you can now also use Azure Active Directory authentication. In this blog post, I will walk you through how you can set up an Azure P2S VPN connection using Azure AD authentication.

Prerequisites

To set this up, you will need a couple of things in place before we get started. Here are the prerequisites:

If you already have this in place, you are good to go.



Windows Users with PowerShell

Manage Local Windows User with PowerShell

A while ago Microsoft added a new PowerShell module to manage local Windows user accounts. This post quickly shows you how easily you can, for example, use PowerShell to create a new Windows user account, remove a Windows user account, or modify Windows users and groups.

List Windows User accounts

The simplest task is obviously to list Windows users or groups, using the PowerShell Get- commands.

List all local Windows Users:

Get-LocalUser

List all local Windows Groups:

Get-LocalGroup

Create new Windows User account using PowerShell

There are three different account types you can add to Windows 10:

The following part describes how you can add them to your Windows system using PowerShell.

To create a new Windows User account you can simply use the following command:

$Password = Read-Host -AsSecureString
 
New-LocalUser "Tom" -Password $Password -FullName "Thomas Maurer" -Description "Description"

If you want to see the password, you can also use this method to create a new Windows user:

$Password= ConvertTo-SecureString "Password" -AsPlainText -Force
 
New-LocalUser "Tom" -Password $Password -FullName "Thomas Maurer" -Description "Description"

Create a new Windows User account connected to a Microsoft Account with PowerShell

With Windows 10 you have the opportunity to log in using Microsoft Accounts, for example with outlook.com or hotmail.com email aliases. For that you can use the following command to create a new Windows user connected to a Microsoft Account. In this case you do not need to configure a password for the account, since it is connected to the Microsoft Account.

New-LocalUser -Name "MicrosoftAccount\[email protected]" -Description "Description of this Microsoft account."

You can also add Azure Active Directory (Azure AD) accounts if your business is for example using Office 365. The following command adds an Azure AD account to the local Windows Users:

New-LocalUser -Name  "AzureAD\[email protected]" -Description "Description of this Azure AD account."

Remove Windows User account

You can also simply remove user accounts from Windows using PowerShell. The following command will delete the account:

Remove-LocalUser -Name "SomeUser"

Change password of a Windows User account

To change the password of a local Windows user account, you can use the Set-LocalUser cmdlet. This cmdlet has other options as well, but one of the most common uses is to reset the password.

$Password = Read-Host -AsSecureString
 
Get-LocalUser -Name "SomeUser" | Set-LocalUser -Password $Password

Rename a Windows User account

To rename a Windows User account with PowerShell, you can use the following command:

Rename-LocalUser -Name "Tom" -NewName "Tom2"

Add Windows User account to group

This command, for example, adds users to the local Administrators group:

Add-LocalGroupMember -Group "Administrators" -Member "Admin02", "MicrosoftAccount\[email protected]", "AzureAD\[email protected]", "CONTOSO\Domain Admins"

I hope this gives you a quick overview of how you can manage local Windows user accounts using PowerShell. If you have any questions, feel free to leave a comment.



Windows 10 Task View

The best Windows 10 Features – Why you will love Windows 10

Since the first release of the Windows 10 Preview in the Insider program, I have been using the Technical Previews on my Surface Pro 3, and it is excellent how Microsoft has improved Windows 10 over the last several months based on research and feedback from the Windows Insider program.

In a few days, on July 29, Microsoft will release Windows 10 to the public, and here are some reasons why you will love Windows 10:

Microsoft Edge

Microsoft Edge Browser

With Windows 10 Microsoft released a new browser called Microsoft Edge (previously Project Spartan) which is amazingly fast and brings a lot of new features to the table, such as Cortana integration and Web Notes, which basically allow you to draw your notes on websites and share them; Microsoft also promised to enable browser extensions. Secret: you can also switch from a Light Theme to a Dark Theme.

You can also check out the new edge insider preview here: Microsoft Edge Insider

Task View & Virtual Desktop

Windows 10 Task View

Most of the IT Pros reading this blog already knew about Task View in the previous version of Windows using WIN + TAB, but only a few other users knew about this feature. Microsoft not only improved Task View, but also promoted it much better with an icon in the Taskbar.

In Windows 10 WIN + TAB does not only offer you Task View it also allows you to create and switch between Virtual Desktops. With Virtual Desktops, you can now finally create multiple workspaces on your PC, which should bring you the productivity boost you need. Secret: You can switch between different Desktops using the Shortcut: CTRL + WIN + ARROW (LEFT and RIGHT).

Hyper-V

Hyper-V vNext Runtime Memory Resize

Microsoft has built Hyper-V directly into the Windows client since Windows 8. This is great if you want to run Virtual Machines on your Windows client. Windows 10 Client Hyper-V brings you the excellent performance and features Windows Server 2016 Hyper-V will bring you. Of course, some features are only available in the server build of Hyper-V, but you get some great features such as Enhanced Session mode to copy and paste between your PC and your Virtual Machine. Secret: Windows 10 will allow you to run Hyper-V and use Connected Standby at the same time.