Azure – Unable to acquire token for tenant

CAzContext_04

In today’s post I will show a recurring problem that can happen when connecting to Azure through PowerShell when we already have a login history from other Azure’s tenants.

As soon as we try to log into Azure via PowerShell, we will get this error stating that an existing token from another subscription could not be acquired (Your access to that subscription may have been removed and the context is still present in the local files).

CAzContext_01

To clear the historic sessions context in PowerShell we have to execute the command “Clear-AzContext”

CAzContext_02

After running this command above, you can log in again and check that the error has been fixed and the history has been removed.

CAzContext_03

And that’s it folks, quick and practical post.
See you soon!

Joao Costa

Manage multiple Azure Contexts using PowerShell

PowerShell for Azure Databricks — Data Thirst

In my day-to-day work I have to deal with several customers and Azure Subscriptions, and for this reason it sometimes becomes exhausting to jump from one Azure Context to another, even when I want to switch to my personal Azure tenant to run some tests.

Today’s article will be short, but simple and useful. After all, I believe it can help in the organization and agility of those who need to manage several subscriptions like me.

Okay, let’s get straight to the point.

Log in with your Azure account;

image

As you can see in the image above, once I authenticated an Azure context comes up as the default context.

Important -What is an Azure Context? Microsoft says “Azure contexts are PowerShell objects representing your active subscription to run commands against, and the authentication information needed to connect to an Azure cloud.”

Okay, we already noticed that when I authenticate with the user above, an Azure context is already loaded and so the next command will show which Azure contexts this same user has access to.

image

So let’s suppose I want to change which default subscription I want loaded once I authenticate to PowerShell.

image

Once you’ve changed the default context, you can check along the way: “C:\Users\Username\.Azure\AzureRmContext.json”

image

You can also rename all other subscriptions to a simpler name, and then you can select them more simply.

Rename-AzContext -SourceName ‘Visual Studio Professional (xxxxxxxx-xxxx-xxxxxx-xxxx-xxxxxxxxxx) xxx.xxx@xxx’ -TargetName ‘GP_Subscription’

And then when it is selected, you can use the new name placed

Select-AzContext ‘GP_Subscription’

Here we go, now you can choose your default context and also how to rename your context. You can also save these contexts like this when I did a few steps back and then when needed just import the context directly.

Import-AzContext “C:\Users\Username\.azure\CHANGENAME-context.json”

That’s all for today folks, see you soon.

Joao Costa

Azure – Creating a basic environment using PowerShell

AzEnvironment_01

Hi folks,

In this article we will deploy a complete environment via PowerShell (Based on the latest series of articles). The intention with this series of articles was to assist you in the creation of each resource and then in an automated way, help in the delivery of projects or start projects with PowerShell.

Azure-Script

What’s in this script:

Resource Group;
Storage Account;
File Share;
Containers for Logs;
Network Creation;
Virtual Machine Creation;
Creation Network card;
Creation of the Network Security Group;

#Script:

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

#Storage Account creation

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$STRGACCNAME= “strggetpractical02”
$TypeSTRG= “Standard_LRS”
New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

#Creating a Container for Logs via Powershell

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CONTAINERNAME = “logs”
$CTX = $storageAccount.Context

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

#Creating a FileShare

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name $STRGACCNAME
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value
$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey
New-AzStorageShare -Name “getpracticalshare” -Context $storageContext

#Creating a Virtual Network

$RGName= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NameVnet=”VNet-GETPRACTICAL”
New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix 172.16.1.0/24
$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.0/26
Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.64/26
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.128/28
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.144/28
Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

#Creating the Virtual Machine

# Set values for existing resource group and storage account names.

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “WESTEUROPE”
$NSGName=”NSG-VM-01″

#Get VM credentials

#$CRED=Get-Credential -Message “Enter the local administrator account name and password.”

$VMLocalAdminUser = “jcosta
$VMLocalAdminSecurePassword = ConvertTo-SecureString “GPractical@2022” -AsPlainText -Force
$CRED=New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);

#Set the existing virtual subnet and network index.

$VNETNAME=”VNet-GETPRACTICAL”
$subnetIndex=0
$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

#Creating a NIC with Pulic IP.

$NIC1=”NIC1-GP-VM-01″
$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic
$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

# Creating a NIC without Pulic IP

$NIC2=”NIC2-GP-VM-01″
$VNET=Get-AzVirtualNetworkSubnetConfig -Name Backend -VirtualNetwork $VNET
$NIC=New-AzNetworkInterface -Name $NIC2 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $VNET.Id
$PIP.Id

#Setting NSG Rules

$RULES=New-AzNetworkSecurityRuleConfig -Name ‘Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’ -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol Tcp
$NSG=New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

# VM Name and Size

$VMName=”GP-VM-01″

$VMSize=”Standard_DS2_v2″
$VM=New-AzVMConfig -VMName $VMName -VMSize $VMSize

#Specify the image and local administrator account and then add the NIC.

$PUBName=”MicrosoftWindowsServer”
$OFFERName=”WindowsServer”
$SKUName=”2019-Datacenter”
$VM=Set-AzVMOperatingSystem -VM $VM -Windows -ComputerName $VMName -Credential $CRED -ProvisionVMAgent -EnableAutoUpdate
$VM=Set-AzVMSourceImage -VM $VM -PublisherName $PUBName -Offer $OFFERName -Skus $SKUName -Version “latest”
$VM=Add-AzVMNetworkInterface -VM $VM -Id $NIC.Id

#Specify the OS disk name and create the VM

$DISKName=”OSDisk”
$STORAGEACCOUNT=Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$OSDiskUri=$STORAGEACCOUNT.PrimaryEndpoints.Blob.ToString() + “vhds/” + $VMName + $DISKName + “.vhd”
$VM=Set-AzVMOSDisk -VM $VM -Name $DISKName -VhdUri $OSDiskUri -CreateOption fromImage
New-AzVM -ResourceGroupName $RGName -Location $LOCATION -VM $VM

#EndoftheScript

That’s all for today folks, see you soon.

Joao Paulo Costa

Creating Network Security Group using PowerShell

NSG_01

Hi folks!

Today let’s create the network security group that has a very important role within Microsoft Azure. It works at layer 4, where we can communicate ports and IPs between internal or external networks through a VPN.

Now let’s assign the following variables:

$NSGName=”NSG-VM-01″
$RGName= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”

NSG_02

Next, we will create a variable with the name of the port and which rule will be used. In this case, I am creating an “NSG” for RDP access.

$RULES = New-AzNetworkSecurityRuleConfig -Name ‘Default-Allow-RDP’ -Direction Inbound -Priority 1000 -Access Allow -SourceAddressPrefix ‘*’  -SourcePortRange ‘*’ -DestinationAddressPrefix ‘*’ -DestinationPortRange 3389 -Protocol TCP

NSG_03

Now let’s create the NSG, using the following command.

$NSG = New-AzNetworkSecurityGroup -Name $NSGName -ResourceGroupName $RGName -Location $LOCATION -SecurityRules $RULES

NSG_04

Your NSG was successfully created.

NSG_05

Thanks guys and until the next post, where I will demonstrate how to create a virtual machine using all these commands at once.

Joao Paulo Costa

Creating Network Interface using PowerShell

NIC_01

Hey folks,

Continuing our series of articles on how to create resources in Azure using PowerShell, let’s talk about creating the network interface using PowerShell, creating the network interface and assigning it to a VM and associating it to a VNET is easier via shell command.

Now let’s assign some variables to create the network interface.

$RGName= “RG_GETPRACTICAL”
$NIC1=”Nic-GP-VM-01″
$LOCATION= “UKSouth”
$VNETNAME=”VNet-GETPRACTICAL”
$subnetIndex=0

NIC_02

This “SubnetIndex” variable is very important in the creation process, as it will identify each of your VNETs within your environment. In the case of this article I have a single VNET so I am considering the value “0”, but if you need to pull this value, just run a “Get-AzVirtualNetwork” with the add-ons such as resource group and VNET name.

Now let’s validate if the network exists within the environment.

$VNET=Get-AzVirtualNetwork -Name $VNETName -ResourceGroupName $RGName

NIC_03

Next we will create a public IP for the network interface.

$PIP=New-AzPublicIpAddress -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -AllocationMethod Dynamic

NIC_04

Finally, we will create the network interface associating the public IP and the VNET that exists within our environment.

$NIC=New-AzNetworkInterface -Name $NIC1 -ResourceGroupName $RGName -Location $LOCATION -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $PIP.Id

NIC_05

Your network interface has now been successfully created.

NIC_06

Thanks guys and until the next post!

Joao Paulo Costa

Creating Virtual Network using PowerShell

Vnet_01

Continuing from the last article, today we are going to create a virtual network to allocate Azure resources and leave it in a secure pattern. In this scope, I’m setting up the network with the segmented subnets:

  • BackEnd: 172.16.1.0/26
  • FrontEnd: 172.16.1.64/26
  • DMZ: 172.16.1.128/28
  • Gateway: 172.16.1.144/28

Before starting to create the Azure network structure, let’s understand how a network in Azure works.

In Azure, when we create a network, we first choose the “Address Space” that would be an IP block that we would use inside our virtual network and within this block we will consider that each “Subnet” will be a piece of this block, according to the drawing below.

Vnet_02

After logging into the “Cloud Shell” select PowerShell, let’s assign some variables to create the network.

$RGName= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”
$NameVnet=”VNet-GETPRACTICAL

These variables are for choosing the resource group where we will provision, the location and the name of your virtual network.

Vnet_03

Now let’s assign the network settings pointing the “Address Block”, in this case the Address Space 172.16.1.0/24 with 256 hots.

New-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $RGName -Location $location -AddressPrefix 172.16.1.0/24

Vnet_04

See that it has been provisioned but does not contain subnets. now let’s assign some variables. This variable is to validate if the network exists within the environment.

$VirtualNetwork = Get-AzVirtualNetwork -Name $NameVnet -ResourceGroupName $rgName

Vnet_05

After validating the existing network, let’s add the subnets as shown in the examples below.

Add-AzVirtualNetworkSubnetConfig -Name BackEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.0/26

Vnet_06

Next, let’s add the rest of the network scope.

Add-AzVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.64/26
Add-AzVirtualNetworkSubnetConfig -Name DMZ -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.128/28
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VirtualNetwork -AddressPrefix 172.16.1.144/28

Vnet_07

Now let’s run the “Set” command to add the set of subnets that were assigned above.

Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork

Vnet_08

Once your virtual network has been successfully created with its segmented subnets, let’s go to the portal to validate it.

Vnet_09

That’s all for today folks, until the next post.

Joao Costa

Creating a Storage Account using PowerShell

cloud-file

Hey everyone,

Today we are going to create a Storage Account for any kind of use and inside this storage account we are going to create a blob for logs and a file share.

In the last post we created a resource group, where we will provision resources during this and the next posts.

Open the Azure Cloud Shell, then choose your subscription, if the cloud shell is already open, we will add the following variables, with the information:

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”
$STRGACCNAME= “strggetpractical01”
$TypeSTRG= “Standard_LRS”

STRG_01

Then we will execute the command “New-AZStorageAccount” to create the storage from the variables assigned above.

New-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME -Type $TypeSTRG -Location $LOCATION

STRG_02

The storage was successfully created.

With the storage created, we are going to create a container to allocate the “Logs” of our environment, for that we are going to assign some variables as well.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName $RGNAME -Name $STRGACCNAME
$CONTAINERNAME = “logs”
$CTX = $storageAccount.Context

STRG_03

After assigning the variables, let’s run the following command “New-AzStorageContainer” to create the container.

New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

STRG_04

Your container was successfully created.

Last but not least let’s create a “File Share” with the following variables.

$STORAGEACCOUNT = Get-AzStorageAccount -ResourceGroupName “RG_GETPRACTICAL” -Name “strggetpractical01”

$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccount.ResourceGroupName -Name $storageAccount.StorageAccountName | select -first 1).Value

$storageContext = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -StorageAccountKey $storageKey

STRG_05

New-AzureStorageShare -Name “getpracticalshare” -Context $storageContext

STRG_06

The File Share was created successfully, now let’s check the container and the file share that were created.

Container for Logs:

STRG_07

File Share for files:

STRG_08

That’s all for today guys, until the next post!

Joao Costa

Creating Resource Group using Powershell

Hey guys, how are you?

The idea is to learn how to create the resources and finally create an environment with all the resources together.

To start the configuration we have two ways, use the “Azure Cloud Shell” or install the “AZ Module” of powershell.

AZ Module Installation: Powershell Configuration

Access to Azure Cloud Shell: //shell.azure.com/

For this articles I will use the Azure Cloud Shell.

Let’s start by accessing Cloud Shell, then type in your subscription credentials.

RG01

Now let’s create two variables, one indicating the name for the resource group and another indicating the region where we will create the resources.
We will work with variables to facilitate the creation of command lines, in this way we can create complex scripts based on variables.
Let’s create two variables, one with the name of the resource group and the other with the region where we will create the resource group.

$RGNAME= “RG_GETPRACTICAL”
$LOCATION= “UKSOUTH”

RG02

After creating the variable, let’s create the command line.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION

RG03

As you can see, we are executing the command to create a new resource group with the name given in the variable and with the location we put, in my case I am creating it in “UK South“.

RG04

Now you can create the group directly with the “Tag” or make an update on the created group.

To create or update the resource group and assign “Tags“, we will give a name and a value to this tag, according to the command below.

New-AzResourceGroup -Name $RGNAME -Location $LOCATION -Tag @{Department=”IT”}

In the image below, only the update was executed, it asks to confirm if you are going to do the update or not.

RG05

Your resource group is now created and tagged.

Thanks guys and until the next post!

Azure Arc – How to add a server into it

image

Hey guys!

Today I’m going to talk about Azure Arc. This is a very useful tool nowadays, after all we have to work with more complex and heterogeneous environments. Therefore, the idea of being able to manage an entire infrastructure from a single access point saves many hours of work.

Well then, that is the role of Azure Arc. In it you can add Azure or non-azure resources, that is, other resources from other public clouds, on-premises, databases, etc.

Again, this is an intuitive and practical resource to use, let’s get right to the practice again.

Log in with your Azure account on the portal and type in the search bar “Azure Arc”. Open Azure Arc and you should see the Azure Arc Center.

image

On the home screen you have three tiles options, such as: Add your infrastructure for free, Deploy Azure Services and View Azure Arc Resources.

For this demo, we will use the first tile, so in “Add your infrastructure for free” click Add and then on the next screen, in the Servers tile click Add again.

image

On the next screen you can choose if you want to add one or more servers, add servers using Azure Migrate or Update Management (Still in preview).

image

In the tile add a single server, click Generate Script.

From now on I believe you already understand what will happen, Azure will open a wizard that will help you configure and generate a script that will do everything for you, such as downloading the agent, installing the agent and registering the server in Azure. You will only need to run the script on the server you intend to add to Azure Arc.

After clicking on Generate Script, you will see the following screen:

image

On this screen, you will need to pay attention to the basic requirements for the script to work.

  • Firewall requirements, you will need port 443 to perform this task.
  • You will need permission as a local administrator on the server or servers.
  • Finally, what is the means of communication between Azure and machine, public internet, proxy server or a private endpoint (VPN or Express Route).

Click next and select the options according to your environment.

image

Click on next and if that’s the case you can add tags to better identify your environment. Or just skip to the next screen.

image

Or just skip to the next screen.

image

Now you need to copy or download the script and run it on the intended server.

And as soon as you run the script on the desired server, it will show up in Azure Arc as Connected status.

That’s all for today guys, until the next post.

Joao Costa

Azure Authentication methods – Go Passwordless

01

Hey guys, in my last post I talked about recovering access/resetting password. So today I will talk about the Azure Authentication Methods which includes a feature to go passwordless.

This feature will bring you greater security, after all passwords are the biggest causes of frauds, ransomwares and hacking nowadays. It will also help reduce the number of password reset tickets and help with the process of creating new user accounts.

The idea of this post will be to explain some concepts/methods and demonstrate how to enable this feature (If you already have MFA, the process will become even easier to be adopted).

Let’s get started: Go to Azure portal go to Security > Authentication Methods

02

As you can see above, there are 4 different methods and here below is the explanation of each one of them.

FIDO2 Security Key: Among other words, it is based on a USB device that may or may not have Bluetooth, NFC or fingerprint recognition. The vast majority of current devices use standard authentication (WebAuthn) and Microsoft has a list of supported devices. This option will allow the user to authenticate when inserting the device plus their fingerprint or with NFC/Bluetooth approach.

Microsoft Authenticator App: Well known in the market, with this app you can approve your access through a PIN or the insertion of your fingerprint.

Text Message : This method will ask you, instead of entering your username and password, enter your phone number (which must be registered before) and then it will send you an access code.

Temporary Access Pass:
This feature will help band new employee who dont have a password or MFA that is where the new Temporary Access Pass comes in. Basically, when creating a new user’s account, the administrator will be able to provide the TAP (Temporary Access Pass) to the new user. This Temporary Access Pass is a time-limited passcode that the user can apply to register their passwordless sign-in method among the methods enabled for that organization.

That said, let’s configure the passwordless option for a specific user, the option chosen for this scenario will be Microsoft Authenticator App.

04

Simple, easy and intuitive, save your changes and let’s go to the tests.

Go to the Azure portal, enter your username and click next

09

You will receive a message as shown below.

05

Go to the Microsoft Authenticator App and enter the requested number.

08

And then confirm using your fingerprint (If it’s enabled)

07

There we go, we’re in passwordless:

06

That’s all for today guys, see you in the next post.

Joao Costa