This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Written with Azure PowerShell module v6.1.0 available from https://github.com/Azure/azure-powershell/releases/tag/v6.1.0-May2018 | |
| # Recently tested fully with a later version of the Azure PowerShell module - Install-Module AzureRM -RequiredVersion 6.1.0 | |
| ###################### | |
| ############## Step 0: Change Variables, and logon | |
| ###################### | |
| # Define Azure Automation Assets | |
| $AutomationAppIDName = 'AutomationAppId' # Feel free to change to suit you | |
| $AutomationTenantIDName = 'AutomationTenantId' # Feel free to change to suit you | |
| $AutomationCertificateName = 'AutomationCertificate' # Feel free to change to suit you | |
| $AutomationSubscriptionIDName = 'AutomationSubscriptionId' # Feel free to change to suit you | |
| # Login to Azure manually | |
| Login-AzureRmAccount | |
| ### Choose Subscription | |
| $subscription = Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use ..." -PassThru | |
| Select-AzureRmSubscription -SubscriptionId $subscription.id | |
| ###################### | |
| ############## Step 1: Create certificate for Azure AD Service Principal | |
| ###################### | |
| # Define certificate start and end dates | |
| $currentDate = Get-Date | |
| $endDate = $currentDate.AddYears(1) | |
| $notAfter = $endDate.AddYears(1) | |
| # Generate new self-signed certificate from "Run as Administrator" PowerShell session | |
| $certName = Read-Host -Prompt "Enter FQDN Subject Name for certificate" | |
| $certStore = "Cert:\LocalMachine\My" | |
| $certThumbprint = (New-SelfSignedCertificate -DnsName $certName -CertStoreLocation $CertStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint | |
| ###################### | |
| ############## Step 2: Export Certificate to PFX file | |
| ###################### | |
| # Export password-protected pfx file | |
| $pfxPassword = Read-Host -Prompt "Enter password to protect exported certificate:" -AsSecureString | |
| $pfxFilepath = "$($env:TEMP)\$(Get-Date -Format yyyyMMdd)pfxfile.json" | |
| Export-PfxCertificate -Cert "$($certStore)\$($certThumbprint)" -FilePath $pfxFilepath -Password $pfxPassword | |
| ###################### | |
| ############## Step 3: Create Key Credential Object | |
| ###################### | |
| # Create Key Credential Object | |
| $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList @($pfxFilepath, $pfxPassword) | |
| $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) | |
| $keyId = [guid]::NewGuid() | |
| Get-Module AzureRM.Resources | |
| Import-Module -Name AzureRM.Resources | |
| # $keyCredential = New-Object -TypeName Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.PSADKeyCredential | |
| $keyCredential = New-Object -TypeName Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.PSADKeyCredential | |
| <# | |
| If you get an error: | |
| New-Object : Cannot find type [Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.PSADKeyCredential]: verify that the assembly containing this type is loaded. | |
| Install this module version v4.2.1 specifically, run this: - Install-Module AzureRM -RequiredVersion 4.2.1 | |
| #> | |
| # Define properties of Key Credential object | |
| $keyCredential.StartDate = $currentDate | |
| $keyCredential.EndDate = $endDate | |
| $keyCredential.KeyId = $keyId | |
| $keyCredential.CertValue = $keyValue | |
| #$keyCredential | fl * | |
| ###################### | |
| ############## Step 4: Create Azure AD Service Principal | |
| ###################### | |
| # Define Azure AD Application Properties | |
| $adAppName = Read-Host -Prompt "Enter unique Azure AD App name" | |
| $adAppHomePage = Read-Host -Prompt "Enter unique Azure AD App Homepage URI" # Any URL, http://microsoft.com if you like :) | |
| $adAppIdentifierUri = Read-Host -Prompt "Enter unique Azure AD App Identifier URI" # Can be the same as the first URI | |
| # Remove Azure AD Application | |
| #Remove-AzureRmADApplication -DisplayName $adAppName -Force | |
| # Create new Azure AD Application | |
| $adApp = New-AzureRmADApplication -DisplayName $adAppName -HomePage $adAppHomePage -IdentifierUris $adAppIdentifierUri -KeyCredentials $keyCredential | |
| Write-Output "New Azure AD App Id: $($adApp.ApplicationId)" | |
| # Create Azure AD Service Principal | |
| New-AzureRmADServicePrincipal -ApplicationId $adApp.ApplicationId | |
| ###################### | |
| ############## Step 5: Assign Role-Based Access Control (RBAC) Permissions to the Service Principal | |
| ###################### | |
| # Sleep and wait for the new service principal to propergate through AAD | |
| Start-Sleep -Seconds 30 | |
| # Assign Owner permissions to the Service Principal for the selected subscription | |
| New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $adApp.ApplicationId.Guid | |
| ###################### | |
| ############## Step 6: Test authenticating as Service Principal | |
| ###################### | |
| # Set Azure AD Tenant ID | |
| $tenantId = (Get-AzureRmContext).Tenant.Id | |
| # Test authenticating as Service Principal to Azure | |
| Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $adApp.ApplicationId -CertificateThumbprint $certThumbprint | |
| ### Choose Subscription | |
| $subscription = Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use ..." -PassThru | |
| Select-AzureRmSubscription -SubscriptionId $subscription.id | |
| ###################### | |
| ############## Step 7: Define Azure Automation Assets | |
| ###################### | |
| # Select existing Azure Automation account | |
| $automationAccount = Get-AzureRmAutomationAccount | Out-GridView -Title "Select an existing Azure Automation account …" -PassThru | |
| # Create Azure Automation Asset for Azure AD App ID | |
| New-AzureRmAutomationVariable -Name $AutomationAppIDName -Value $adApp.ApplicationId -AutomationAccountName $automationAccount.AutomationAccountName ` | |
| -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false | |
| # Create Azure Automation Asset for Azure AD Tenant ID | |
| New-AzureRmAutomationVariable -Name $AutomationTenantIDName -Value $tenantId -AutomationAccountName $automationAccount.AutomationAccountName ` | |
| -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false | |
| # Create Azure Automation Asset for Certificate | |
| New-AzureRmAutomationCertificate -Name $AutomationCertificateName -Path $pfxFilepath -Password $pfxPassword ` | |
| -AutomationAccountName $automationAccount.AutomationAccountName -ResourceGroupName $automationAccount.ResourceGroupName | |
| # Create Azure Automation Asset for Azure Subscription ID | |
| New-AzureRmAutomationVariable -Name $AutomationSubscriptionIDName -Value $subscription.Id -AutomationAccountName $automationAccount.AutomationAccountName ` | |
| -ResourceGroupName $automationAccount.ResourceGroupName -Encrypted:$false | |
| ########################################################################################## | |
| ########################################################################################## | |
| ############## ###################### | |
| ############## Azure Automation PowerShell Workflow Runbook example ###################### | |
| ############## ###################### | |
| ########################################################################################## | |
| ########################################################################################## | |
| workflow StartAzurePlaylistVMs | |
| { | |
| # Get Azure Automation Assets | |
| $adAppId = Get-AutomationVariable -Name 'AutomationAppId' | |
| Write-Output "Azure AD Tenant Id: $adAppId" | |
| $tenantId = Get-AutomationVariable -Name 'AutomationTenantId' | |
| Write-Output "Azure AD Tenant Id: $tenantId" | |
| $subscriptionId = Get-AutomationVariable -Name 'AutomationSubscriptionId' | |
| Write-Output "Azure Subscription Id: $subscriptionId" | |
| $cert = Get-AutomationCertificate -Name 'AutomationCertificate' | |
| $certThumbprint = ($cert.Thumbprint).ToString() | |
| Write-Output "Service Principal Certificate Thumbprint: $certThumbprint" | |
| # Install Service Principal Certificate | |
| Write-Output "Install Service Principal certificate…" | |
| if ((Test-Path "Cert:\CurrentUser\My\$($certThumbprint)") -eq $false) { | |
| InlineScript { | |
| $certStore = new-object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser") | |
| $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) | |
| $certStore.Add($Using:cert) | |
| $certStore.Close() | |
| } | |
| } | |
| # Login to Azure | |
| Write-Output "Login to Azure as Service Principal…" | |
| Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $adAppId -CertificateThumbprint $certThumbprint | |
| # Select Azure Subscription | |
| Write-Output "Select Azure subscription…" | |
| Select-AzureRmSubscription -SubscriptionId $subscriptionId -TenantId $tenantId | |
| $VMs = Get-AzureRmVM | where {$_.Name -match 'playlist'} | |
| ForEach -Parallel ($VM in $VMs) | |
| { | |
| Start-AzureRmVM -Name $VM.Name -ResourceGroupName $VM.ResourceGroupName | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment