Using Azure SPNs is a massive benefit more so for the pure fact that it creates a specific user account in Azure (like a service account) which you can use to automate PowerShell scripts against Azure subscriptions for specific tasks. You don’t need to worry about whether the account needed is a Microsoft account, which you know that you can’t automate an Azure logon with PowerShell using a Microsoft account. You can however create an SPN and use this instead. The other benefit, you’re using a task based account.
The SPN is created on the tenant (Directory) which can essentially have access to one or many Azure subscriptions when used.
The other benefit to using SPNs is the fact that once you logon using an SPN (instructions below), you will have access to both Azure ASM (Classic) based Azure modules and Azure ARM based Azure modules.
Azure PowerShell modules can be accessed from here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $DisplayName = 'My-SPN' | |
| $Domain = 'company.com' | |
| $Password = 'Password!' | |
| Function SPN-Removal ($DisplayName){ | |
| if(Get-AzureRmADApplication | ? {$_.DisplayName -eq $DisplayName}){ | |
| $app = Get-AzureRmADApplication | ? {$_.DisplayName -eq $DisplayName} | |
| Remove-AzureRmADApplication -ObjectId $app.ObjectId.Guid -Force | |
| } | |
| if(Get-AzureRmADServicePrincipal -SearchString $DisplayName){ | |
| $appsp = Get-AzureRmADServicePrincipal -SearchString $DisplayName | |
| Remove-AzureRmADServicePrincipal -ObjectId $appsp.Id | |
| } | |
| } | |
| Function SPN-Creation ($Subscription, $DisplayName, $Domain, $Password){ | |
| $app = New-AzureRmADApplication ` | |
| -DisplayName $DisplayName ` | |
| -HomePage "https://$Domain/$DisplayName" ` | |
| -IdentifierUris "https://$Domain/$DisplayName" ` | |
| -Password $Password | |
| New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId.Guid | |
| Start-Sleep -Seconds 10 # Until it really creates it | |
| New-AzureRmRoleAssignment -RoleDefinitionName 'Contributor' -ServicePrincipalName $app.ApplicationId.Guid | |
| write-host -nonewline "`n`tThe SPN username is: " -ForegroundColor Yellow; ` | |
| write-host -nonewline $app.ApplicationId.Guid`n -ForegroundColor Green; ` | |
| write-host -nonewline "`n`tThe Password is: " -ForegroundColor Yellow; ` | |
| write-host -nonewline $Password"`n" -ForegroundColor Green; ` | |
| write-host -nonewline "`n`tThe Subscription Name is: " -ForegroundColor Yellow; ` | |
| write-host -nonewline $Subscription.SubscriptionName"`n" -ForegroundColor Green; ` | |
| write-host -nonewline "`n`tThe Subscription Tenant ID is: " -ForegroundColor Yellow; ` | |
| write-host -nonewline $Subscription.TenantId`n"`n" -ForegroundColor Green; | |
| } | |
| ########################################################################################## | |
| ############################## Logon to Azure Tenant ############################## | |
| ########################## …and Setup Service Principal ########################### | |
| ########################################################################################## | |
| #region Logon to an Azure environment | @marckean | |
| Write-Host "`nEnter credentials for the Azure Tenant.`n" -ForegroundColor Cyan | |
| $MigrationAzure = Get-AzureRmEnvironment 'AzureCloud' | |
| $MigrationEnv = Login-AzureRmAccount -Environment $MigrationAzure -Verbose | |
| Select-AzureRmProfile -Profile $MigrationEnv | |
| $MigrationSubscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose aan Azure Subscription …" -PassThru) | |
| Get-AzureRmSubscription -SubscriptionId $MigrationSubscription.SubscriptionId | Select-AzureRmSubscription | |
| SPN-Removal $DisplayName | |
| SPN-Creation $MigrationSubscription $DisplayName $Domain $Password |
Manual SPN Logon:
To logon to Azure using PowerShell and an Azure SPN, the following will allow you to logon on manually using the SPN you created above.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################################################## | |
| ########################### Log into Azure using SPN ############################## | |
| ########################################################################################## | |
| Write-Host "`nEnter credentials for the Azure Tenant.`n" -ForegroundColor Cyan | |
| [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null | |
| $TenantID = [Microsoft.VisualBasic.Interaction]::InputBox("Enter the Tenant ID", "Tenant ID") | |
| $creds = Get-Credential | |
| $MigrationAzure = Get-AzureRmEnvironment 'AzureCloud' | |
| $MigrationEnv = Login-AzureRmAccount -Environment $MigrationAzure -TenantId $TenantID -Credential $creds -ServicePrincipal -Verbose | |
| ########################################################################################## | |
| ########################### Select Azure Subscription ############################# | |
| ########################################################################################## | |
| Select-AzureRmProfile -Profile $MigrationEnv | |
| $MigrationSubscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose an Azure Subscription …" -PassThru) | |
| $MigrationSubscriptionID = $MigrationSubscription.SubscriptionId | |
| $MigrationSubscriptionName = $MigrationSubscription.SubscriptionName | |
| ########################################################################################## | |
| ######################### Azure Subscription Function ############################# | |
| ########################################################################################## | |
| Function AzureSubscription { | |
| Select-AzureRmProfile -Profile $MigrationEnv | |
| Get-AzureRmSubscription -SubscriptionName $MigrationSubscriptionName | | |
| Select-AzureRmSubscription; Select-AzureSubscription -SubscriptionName $MigrationSubscriptionName} | |
| ########################################################################################## | |
| ######################### Select the Azure Subscription ########################### | |
| ########################################################################################## | |
| AzureSubscription |
Automatic SPN Logon:
To logon to Azure using PowerShell and an Azure SPN, the following will allow you to logon on automatically using the SPN you created above.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ########################################################################################## | |
| ###################### Log into Azure using SPN (Silently) ######################### | |
| ########################################################################################## | |
| Write-Host "`nEnter credentials for the Azure Tenant.`n" -ForegroundColor Cyan | |
| [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null | |
| $TenantID = '86753c5-6f2f-8c35-6tfc-64v7g575nhb' | |
| $spnpassword = ConvertTo-SecureString "Password" -AsPlainText -Force | |
| $Cred = New-Object System.Management.Automation.PSCredential ("3f12ab75-2d13-4460-8bf5-1c7f0f591ff5", $spnpassword) | |
| $MigrationAzure = Get-AzureRmEnvironment 'AzureCloud' | |
| $MigrationEnv = Login-AzureRmAccount -Environment $MigrationAzure -TenantId $TenantID -Credential $cred -ServicePrincipal -Verbose | |
| ########################################################################################## | |
| ########################### Select Azure Subscription ############################# | |
| ########################################################################################## | |
| Select-AzureRmProfile -Profile $MigrationEnv | |
| $MigrationSubscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose an Azure Subscription …" -PassThru) | |
| $MigrationSubscriptionID = $MigrationSubscription.SubscriptionId | |
| $MigrationSubscriptionName = $MigrationSubscription.SubscriptionName | |
| ########################################################################################## | |
| ######################### Azure Subscription Function ############################# | |
| ########################################################################################## | |
| Function AzureSubscription { | |
| Select-AzureRmProfile -Profile $MigrationEnv | |
| Get-AzureRmSubscription -SubscriptionName $MigrationSubscriptionName | | |
| Select-AzureRmSubscription; Select-AzureSubscription -SubscriptionName $MigrationSubscriptionName} | |
| ########################################################################################## | |
| ######################### Select the Azure Subscription ########################### | |
| ########################################################################################## | |
| AzureSubscription |
Marc Kean 