Microsoft Azure and AZ PowerShell Module

Hi all,

In this blog post, I want to guide you through the process of using Visual Studio Code (VS Code) and the AZ PowerShell module to do automation in Azure. I have four main points I want to go through:

  1. Installing the AZ PowerShell module
  2. Authenticating to Azure
  3. Saving your credentials to Azure for use in automation scripts
  4. Creating a resource group in Azure using a script

The whole process I am doing here is something I am doing myself for the first time and I am using this site as my guideline:
https://docs.microsoft.com/en-us/powershell/azure/overview?view=azps-1.5.0

Let’s get into the cool stuff.

Installing AZ PowerShell Module

First, open VS Code and go to the terminal. To learn a bit while we install the module, I am going to use the “Find-Module” command to search the PowerShell gallery. I type in the command below and expect it to find the module I need.

Find-Module | Where {$_.Name -Like "*AZ*"}

If you haven’t connected to the PowerShell gallery before you will be presented with a warning like shown below. Answer “Y” to accept and continue
2019-03-16_13-31-27.png
This actually gives us far more modules than we need; I did a count and it was 287 modules that contained “AZ” in their name. So we need to narrow it down a bit. Looking at the Microsoft site, I can see that the actual name of the module is simply “AZ”, so if I type in this command I should find it:

Find-Module -Name AZ

2019-03-16_13-35-37.png

Great so now we found the module, so let us install it. I only want to install it for my own user so I will use the following command

Find-Module -Name AZ | Install-Module -Scope CurrentUser

Press “A” to install all the supporting modules from the untrusted repository, but make sure that the source is “https://www.powershellgallery.com/api/v2” before you hit “A”. As you can see in the picture below, the module is being installed on my machine in the CurrentUser scope.
2019-03-16_13-38-32.png

After the installation completes we still need to do one thing before we can use the module. Since the module is from another system we need to allow remote signed scripts to run in the CurrentUser scope. To do this we use the following command:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

2019-03-16_13-46-24.png

If you don’t set the execution policy you will run into an error like this:
2019-03-16_13-49-05.png

This concludes the first section in this guide and we are now ready to start using PowerShell to integrate with resources in Microsoft Azure. If you are a bit lazy you can actually just use the script I put on my GitHub account, this will do all of the above without you needing to do anything else than run the script.
https://github.com/mracket/Azure-PowerShell/tree/master/Installing%20Azure%20AZ%20Module
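
The source check described above can also be done in the script itself rather than by reading the prompt. The following is an added example, not the script from the GitHub link above; it assumes the PowerShellGet cmdlets that ship with Windows PowerShell 5.1 and, for the signature check, a Windows machine.

```powershell
# Added example: install the module only if it really comes from the PowerShell Gallery.
$expectedSource = 'https://www.powershellgallery.com/api/v2'

# 1. The registered PSGallery repository must point at the expected URL.
$repo = Get-PSRepository -Name PSGallery -ErrorAction Stop
if ($repo.SourceLocation.TrimEnd('/') -ne $expectedSource) {
    throw "PSGallery points at '$($repo.SourceLocation)', expected '$expectedSource'."
}

# 2. Search that repository only, by exact name, and check where the result came from.
$module = Find-Module -Name Az -Repository PSGallery -ErrorAction Stop
if ($module.RepositorySourceLocation.TrimEnd('/') -ne $expectedSource) {
    throw "Module '$($module.Name)' was found at '$($module.RepositorySourceLocation)'."
}
'{0} {1} by {2}' -f $module.Name, $module.Version, $module.Author

# 3. Install exactly the version that was just checked, for the current user only.
#    The untrusted-repository prompt still appears unless PSGallery is marked trusted.
Install-Module -Name Az -Repository PSGallery -RequiredVersion $module.Version -Scope CurrentUser

# 4. Allow local scripts and signed downloaded scripts, for the current user only.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# 5. Windows only: report installed script files whose Authenticode signature is not valid.
$accounts = Get-Module -ListAvailable -Name Az.Accounts |
    Sort-Object Version -Descending | Select-Object -First 1
$notValid = Get-ChildItem -Path $accounts.ModuleBase -Recurse -Include *.psd1, *.psm1, *.ps1 |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid'
if ($notValid) {
    Write-Warning 'Some Az.Accounts files do not carry a valid signature:'
    $notValid | Select-Object Path, Status
}
```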

Authenticating to Azure

First I will show you how you can connect to Azure using PowerShell and do some basic commands.

Use the following command to authenticate to Azure

Connect-AzAccount

2019-03-16_14-11-39.png

You might think that the command is hanging here, but actually, a window for authentication is hidden behind the VS Code window, so minimize VS Code for a bit and use your credentials for Microsoft Azure to log in.
2019-03-16_14-13-04.png
2019-03-16_14-13-49.png

When signed in, VS Code should return to the prompt and show something like below.
2019-03-16_14-14-22.png

Now we can try and get some resources from Azure like for instance our resource groups. This can be done with the command

Get-AzResourceGroup

2019-03-16_14-16-10.png

So at this point, we have installed the AZ modules and authenticated to Azure. Now it is time to move on to the part where we can sign into Azure with a service principal.

Saving your credentials to Azure for use in automation scripts

As Microsoft states it is not a good idea to use a named user when doing automation in Azure, instead the recommendation is to use a service principal for this so let’s create one that we can use.

The first step is to actually create the service principal, the command for this is “New-AzADServicePrincipal” but this just generates it, and we need to be able to use it. So to do this we use the following two commands to create a service principal that we know the password for.

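# Password credential valid from today until the same date in 2024; replace STRONGPASSWORD with your own value
$Credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2024; Password="STRONGPASSWORD"}
# Create the service principal with that password credential
$ServicePrincipal = New-AzAdServicePrincipal -DisplayName "YOURAUTOMATIONACCOUNTNAME" -PasswordCredential $Credentials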

If we then take a look at what is in the variable “ServicePrincipal” we get the following
2019-03-16_14-34-50.png

When using a service principal you also need to sign in with the tenant id, so right after you created the service principal run the following command

(Get-AzContext).Tenant.Id

That should give you something like the picture below
2019-03-16_14-36-40.png

We now have the account created and by default the service principal will not have a role assignment in Azure. This is something we need to fix before we can start using the account, so let us do that.

To do this we need the application ID from the picture above and run the following command:

New-AzRoleAssignment -ApplicationId "ApplicationID" -RoleDefinitionName "Contributor"

2019-03-16_15-01-53.png

This means that it will be able to see resources and create resources in the Azure account. The role can be changed by using the “New-AzRoleAssignment” command and you can create the required roles inside the Azure portal or using PowerShell. In this guide, I will stick to the default role as contributor.
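
Without a scope, New-AzRoleAssignment assigns the role at subscription level. The following added example (not part of the original post) shows the same role limited to one resource group, and a check that lists what the service principal can reach. The resource group name is hypothetical and "ApplicationID" is the same placeholder as above; run it as the named user that created the service principal.

```powershell
# Added example: scope the role to one resource group and audit the result.
$appId  = 'ApplicationID'        # placeholder: application ID of the service principal
$rgName = 'rg-automation-demo'   # hypothetical resource group that already exists

# Contributor on a single resource group instead of the whole subscription.
# Note: a service principal scoped like this cannot create new resource groups;
# that operation needs a role at subscription level.
New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName 'Contributor' -ResourceGroupName $rgName

# List every role assignment the service principal holds, with its scope.
$assignments = Get-AzRoleAssignment -ServicePrincipalName $appId
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# Flag assignments that cover the whole subscription (or everything above it).
$subscriptionScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$broad = $assignments | Where-Object { $_.Scope -eq $subscriptionScope -or $_.Scope -eq '/' }
foreach ($assignment in $broad) {
    Write-Warning ("{0} is assigned at {1}" -f $assignment.RoleDefinitionName, $assignment.Scope)
}

# To drop a subscription-wide assignment that is no longer needed:
# Remove-AzRoleAssignment -ServicePrincipalName $appId -RoleDefinitionName 'Contributor' -Scope $subscriptionScope
```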

Let us log in to Azure using the new service principal. To do this close VS Code and reopen it. Use these two lines of code to start the sign-in process.

$credentials = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant "TENANTID"

As you can see on the picture below I am using the username “http://CitrixlabAutomation” which is the account I created above. I also type in my password. These can, of course, be fully automated, but I wanted to show you what it looks like.

2019-03-16_14-44-50.png

Now we can try and run the following command as the new user.

Get-AzResourceGroup

2019-03-16_15-04-21.png

This completes the step to create and sign in using the service principal instead of using a named user for the automation.
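
The sign-in above can be made non-interactive by saving the credential once and loading it in the script. This is an added example, not code from the original post; the file path is hypothetical and "TENANTID" is the same placeholder as above. It assumes Windows, where Export-Clixml encrypts the password with DPAPI so that only the same user on the same machine can read it back; on Linux and macOS the exported password is not protected this way.

```powershell
# Added example: save the service principal credential once, reuse it in automation.
$credPath = Join-Path $HOME 'azure-automation.cred.xml'   # hypothetical location
$tenantId = 'TENANTID'                                    # placeholder: (Get-AzContext).Tenant.Id

# One-time, interactive step: enter the service principal name or application ID
# as the user name and its password. The password never appears in the script.
if (-not (Test-Path -Path $credPath)) {
    Get-Credential -Message 'Service principal user name and password' |
        Export-Clixml -Path $credPath
}

# Every later run: load the saved credential and sign in without a prompt.
$credentials = Import-Clixml -Path $credPath
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant $tenantId -ErrorAction Stop |
    Out-Null

# Stop if the session is not running as the service principal.
$context = Get-AzContext
if ($context.Account.Type -ne 'ServicePrincipal') {
    throw "Signed in as '$($context.Account.Id)' ($($context.Account.Type)), not as a service principal."
}

# The same command as above, now running as the service principal.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```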

Creating a resource group in Azure using a script

Now the hard part of this guide is done, so let us just for the sake of demonstration create a resource group in Azure. First I will show you which resource groups I have and then create a new one called “CitrixRocks”.

As you can see on the picture below I am logged in with the service principal “http://CitrixlabAutomation”
2019-03-16_15-12-26.png

And the current resource groups I have are shown in the picture below
2019-03-16_15-14-18.png

So let us create a new one called “CitrixRocks” by using the following command

New-AzResourceGroup -Name "CitrixRocks" -Location WestEurope

The result should look like this
2019-03-16_15-15-30.png

So now we have these resource groups in the subscription
2019-03-16_15-16-48.png

Summary

So this was my second article on using VS Code and PowerShell; this time I wanted to show you how useful PowerShell can be. Connecting to Azure and getting information or creating a new resource is very powerful, and by getting into the mindset of creating new resources using PowerShell you also get the great benefit of creating reusable code so that you don’t have to start from scratch every time. I have put some of the code I have created in this guide on my GitHub so you can find it here:
https://github.com/mracket/Azure-PowerShell

I hope you have found the guide useful and that you will provide feedback on anything I can do better or even if you just liked the guide.
