Azure Service Principal using Password Authentication

If you ever want to set up a service account for Azure administration that uses a password for authentication, set up a Service Principal in AAD. Use it for things like Azure Automation or any of the other Azure PowerShell admin scripts you have. See my other post on how to set up an Azure AD Service Principal using certificate-based authentication instead.

AAD Service Principal Certificate Authentication

Have you ever wanted to automate everything in Azure? Whether you use Azure Automation or Remote PowerShell, for pretty much anything automated in Azure you should NOT be using a stock standard user account. Why? Because you can run into all sorts of problems: for instance, the password can expire, and then everything stops working. It’s a bit like the on-prem days, where you would use specific service accounts, each set up for a specific purpose, which is much easier to manage and is best practice. In Azure it’s no different: you use a service principal and grant this service…

Azure (ASM) Classic IaaS inventory

If you ever wanted to capture a full inventory of an Azure Classic ASM IaaS based environment, the script below is how you can do it. Run it for ‘each’ Cloud Service. This will create two .json files on the desktop: one for the Cloud Service, containing all the VMs (along with detailed information), and another for the vNet which is used.

SendGrid email using PowerShell

Have you ever wanted to automate sending email to anywhere via your SendGrid account? Maybe you have moved to Office 365, and now that you don’t have an Exchange server on-prem anymore, you don’t have the luxury of using your own Exchange server as an SMTP server. You can’t use Office 365 Exchange Online as an SMTP server. SendGrid is the answer: below is some PowerShell which will assist you in automating the sending of email using SendGrid.

Azure AD Disable Password Expiration

Imagine you had a specific user set up (a service account) to run all your Azure Automation runbooks. Then all of a sudden things stopped working and no runbooks worked anymore. You troubleshoot and find that the password for the Azure AD account used in your runbooks has expired. By default, when you create an Azure AD account the password is set to expire, and if you try to log on to PowerShell with an account which has an expired password, this is what you would see:

Login-AzureRmAccount : AADSTS50055: Password is expired

Previously this was fixed using the old MSOLUser cmdlets:

Set-MsolUser -UserPrincipalName powershell@<tenant>.onmicrosoft.com…

Scheduled Task to run as any User

The following script will set up a scheduled task to run as any user by running the task as the ‘Users’ group. Please note, this uses the .NET method of creating the task, as there are more options available with the .NET method than with the PowerShell cmdlet New-ScheduledTask. The information used to build the PowerShell script below was taken from this website, which covers everything you need: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383607(v=vs.85).aspx

Auto Connect to WiFi access points

The following script is very handy for any Windows machine which relies on Wi-Fi, wireless or LTE 4G networks. WiFi at the best of times is not that reliable, and you can experience WiFi dropouts or Wi-Fi disconnections. You can now have a fully automatic solution which keeps a Windows machine connected to WiFi even if the connection drops. Running the AutoConnectWiFi.ps1 script (below) will ensure that the Windows device is actually connected to a known WiFi network. A known WiFi network is a network that the device has already connected to in the past and is aware of both the…

Azure AD – SSPR, SSPC & MFA

SSPR (Self-Service Password Reset), SSPC (Self-Service Password Change) and MFA (Multi-Factor Authentication) are all features of AAD (Azure AD). Both MFA and SSPC are part of the Azure AD Premium P1 & P2 editions, as explained here. SSPR, however, requires Azure AD Premium or Basic, as explained here. First things first, follow the requirements listed here for AD Connect. You then need to make sure all the password reset settings are set up in Azure AD. To get to the Azure AD portal, log on to https://manage.windowsazure.com/@trusbron.com and notice the domain at the end. Change this domain to yours. Even if you don’t have an Azure subscription…

AD Connect pass-through authentication & SSSO

This post walks you through two things: an upgrade of an existing AD Connect installation, and converting from ADFS to pass-through authentication (turning off ADFS, and setting up pass-through authentication and single sign-on). Recently Microsoft announced the new Azure AD Pass-Through Authentication and Seamless Single Sign-on. It’s a way of signing in to AAD (Azure AD) and AAD services using on-prem credentials, as a reputable replacement for ADFS. This also includes any third-party apps like Concur or Salesforce, as well as custom apps. You can use AAD Premium to set up SAML 2.0 authentication to any custom app that supports claims…

Automatic MP3 tagging

A requirement for my business was to capture information for every song I had. The information required was the Composer (the person/s that wrote the song), the Year and the Record Label. I have over 13,000 songs, and doing this on a manual basis would be an administration nightmare. So I used my PowerShell skills and set out to take what I found was a very reliable manual process and turn it into an automatic process. The most reliable process that I can find to date is: To grab the Record Label information from iTunes and a site http://staff.australian-charts.com/ to be used as…