AzureAD
After messing with Azure and four or five orchestration engines at the same time and not having a single good way to authenticate against AzureAD, I did some digging and have put together about 78 pieces of info into one handy blog + vlog. I hope you find it useful!
In this post, I will cover how to automate your Azure credentials (Service Principals / Service Accounts) and then capture the token so it can be reused in later operations. In the video, I will be using MicroFocus Operations Orchestration (previously HP/HPE), but the process is exactly the same for any other orchestration engine, since it mainly relies on PowerShell (and a PowerShell host).
Let’s get Started!
Make sure you have .NET 4.5 or later and have already installed the AzureRM module as shown below, both on your local PowerShell host and on the remote PowerShell host your orchestration engine will use.
0 – Install AzureRM Module
(Run as Administrator)
[ps]
Install-Module AzureRM
[/ps]
1 – Log in to Azure using PowerShell CLI
(I like to run the ISE as Admin and keep notes/scripts in the script window.)
[ps]
Login-AzureRmAccount
[/ps]
2 – List your Azure Subscriptions
[ps]
Get-AzureRmSubscription
[/ps]
3 – Select your subscription
[ps]
Select-AzureRmSubscription -SubscriptionId "Your SubscriptionId from last command"
[/ps]
4 – Create an Azure AD Application
You are not actually creating an application here – you are creating what Azure considers an application, which is our ticket to authenticate into Azure.
[ps]
$newAzureApp = New-AzureRmADApplication -DisplayName "myNewApp-01" -HomePage "https://www.contoso.org/" -IdentifierUris "https://www.contoso.org/sample" -Password "Secure password"
$newAzureApp
[/ps]
5 – Create the Service Principal
(Service Account)
[ps]
New-AzureRmADServicePrincipal -ApplicationId $newAzureApp.ApplicationId
[/ps]
6 – Assign Permissions
[ps]
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $newAzureApp.ApplicationId.Guid
[/ps]
Now that we have created our service account, let’s check out the video on how to integrate this into an orchestration engine such as ServiceNow, vRealize Orchestrator or as in this demo, MicroFocus Operations Orchestration so we can authenticate against Azure to do cool actions in future blogs. Below you’ll find some of the information and scripts I cover in the video.
PowerShell script #1 – Check / Get Existing Token
(Source can be found here.)
[ps]
function Get-AzureRmCachedAccessToken()
{
$ErrorActionPreference = "Stop"
if(-not (Get-Module AzureRm.Profile)) {
Import-Module AzureRm.Profile
}
$azureRmProfileModuleVersion = (Get-Module AzureRm.Profile).Version
# refactoring performed in AzureRm.Profile v3.0 or later
if($azureRmProfileModuleVersion.Major -ge 3) {
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
if(-not $azureRmProfile.Accounts.Count) {
Write-Error "Ensure you have logged in before calling this function."
}
} else {
# AzureRm.Profile < v3.0
$azureRmProfile = [Microsoft.WindowsAzure.Commands.Common.AzureRmProfileProvider]::Instance.Profile
if(-not $azureRmProfile.Context.Account.Count) {
Write-Error "Ensure you have logged in before calling this function."
}
}
$currentAzureContext = Get-AzureRmContext
$profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
#Write-Debug ("Getting access token for tenant " + $currentAzureContext.Subscription.TenantId)
$token = $profileClient.AcquireAccessToken($currentAzureContext.Subscription.TenantId)
$token.AccessToken
}
#Get-AzureRmCachedAccessToken
$myToken = Get-AzureRmCachedAccessToken
#Write-Host("Token " + $myToken)
return $myToken
[/ps]
PowerShell script #2 – Login to Azure
[ps]
$azureAccountName = "${azureUser}"
$azurePassword = ConvertTo-SecureString "${azurePW}" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAccountName, $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId [Your tenant ID] -ServicePrincipal
[/ps]
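As an added example (not from the original post or the AzureRM project), here are scripts #1 and #2 combined end to end: log in as the service principal created in steps 4 to 6, capture the cached token with Get-AzureRmCachedAccessToken from script #1, decode the token's claims to see which app and tenant it belongs to and when it expires, and then reuse it for a direct Azure Resource Manager REST call. The tenant ID, subscription ID, application ID and secret are placeholders you replace, and script #1 must already be loaded in the session.

```powershell
# Added example, not from the original post. Placeholders to replace:
$tenantId       = "<tenant id>"
$subscriptionId = "<subscription id>"
$appId          = "<ApplicationId shown by step 4>"
$appSecret      = "<password chosen in step 4>"

# 1. Log in as the service principal (script #2 without the ${...}
#    placeholders that the orchestration engine fills in).
$securePw = ConvertTo-SecureString $appSecret -AsPlainText -Force
$spCred   = New-Object System.Management.Automation.PSCredential($appId, $securePw)
Add-AzureRmAccount -Credential $spCred -TenantId $tenantId -ServicePrincipal | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# 2. Capture the cached bearer token (function defined in script #1 above;
#    dot-source or paste that script into the session before running this).
$token = Get-AzureRmCachedAccessToken

# 3. Decode the token payload (base64url, no signature check) to see which
#    app/tenant it was issued for and when it stops working. A token stored
#    for a later orchestration step is rejected once 'exp' has passed, so
#    re-run steps 1-2 instead of persisting the token long term.
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
    ConvertFrom-Json
$claims | Select-Object aud, tid, appid,
    @{ n = 'expires'; e = { ([DateTime]'1970-01-01T00:00:00Z').AddSeconds($_.exp) } }

# 4. Reuse the token outside the cmdlets: a direct ARM REST call listing the
#    resource groups this principal can see (Contributor at subscription
#    scope after step 6).
$headers = @{ Authorization = "Bearer $token" }
$uri = "https://management.azure.com/subscriptions/$subscriptionId/resourcegroups?api-version=2016-09-01"
$result = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$result.value | Select-Object name, location
```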