Archive for the ‘Azure’ Category

Create Azure AD user with PowerShell

Posted: December 5, 2016 in Azure

In one of my previous posts we created a user in the Azure portal. One drawback of that approach is that the user is created with a temporary password and must log in to set a new one.

Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW and the Azure Active Directory Module for Windows PowerShell (64-bit version).

Run Windows Azure Active Directory Module for Windows PowerShell


Enter the credentials of a Global Administrator user. This has to be a non-Microsoft account !!

$msolcred = Get-Credential


Connect to Azure:

Connect-MsolService -Credential $msolcred

Create user:

New-MsolUser -UserPrincipalName admin01@bigfirm.info -DisplayName "admin01" -FirstName "Peter" -LastName "Parker" -Password Password00 -PasswordNeverExpires $true -AlternateEmailAddresses spiderman@bigfirm.info


By default, this new user has the User role.


To see all available roles with their descriptions, run the next cmdlet:

Get-MsolRole | ft -Wrap


Assigning a role to the user:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress admin01@bigfirm.info
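As an added example (not code from the original post), the same user creation and role assignment written so that the initial password is random and must be changed at first sign-in, followed by a listing of everyone holding Company Administrator so the assignment can be reviewed. It assumes Connect-MsolService has already been run; the UPN and names are the post's sample values.

```powershell
# Added example: create the user with a one-time random password and force a change at first logon,
# then review the members of the tenant-wide admin role after assigning it.
# Assumes Connect-MsolService has already been run.

function New-RandomPassword {
    param([int]$Length = 16)
    # 64 characters (ambiguous l/I/o/O left out): 256 % 64 == 0, so the modulo below introduces no bias
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)   # cryptographically secure, unlike Get-Random
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$upn = 'admin01@bigfirm.info'
$initialPassword = New-RandomPassword

# Instead of a known, never-expiring password: strong password required and change forced at first logon
$user = New-MsolUser -UserPrincipalName $upn -DisplayName 'admin01' -FirstName 'Peter' -LastName 'Parker' `
    -Password $initialPassword -ForceChangePassword $true -StrongPasswordRequired $true `
    -AlternateEmailAddresses 'spiderman@bigfirm.info'

# The one-time password is handed over out of band; it is deliberately not written anywhere here
Write-Host "Created $($user.UserPrincipalName); deliver the initial password out of band."

Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# Review step: who holds the Company Administrator role now that the assignment is made
$role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType |
    Format-Table -AutoSize
```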

Add domain to Azure:

From the Azure portal click Azure Active Directory


Domain Names:


Click Add:


Create the new domain (the same name as the on-premises one). When creating a new domain in Azure, we need to verify it. To do so, we add a TXT entry to the DNS zone of the domain we want to add to Azure.


I have the domain in GoDaddy, so I created the TXT file in DNS:


Then we can click Verify in the Azure portal:

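The verification step from PowerShell, as an added example that is not part of the original post: it reads the TXT value Azure expects, checks that the value is already visible in public DNS, and only then asks Azure to confirm the domain. It assumes Connect-MsolService has been run and the domain has been added with New-MsolDomain; the domain name is the post's sample.

```powershell
# Added example: confirm the domain only once the expected TXT record is publicly resolvable.
# Assumes Connect-MsolService has been run and the domain was added with New-MsolDomain.

$domain = 'bigfirm.info'

# The value Azure wants to see in a TXT record at the zone apex (tenant-specific, e.g. MS=ms12345678)
$expected = (Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord).Text

# Ask a public resolver so an internal or cached view of the zone cannot give a false positive
$published = Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings }

if ($published -contains $expected) {
    Confirm-MsolDomain -DomainName $domain
    (Get-MsolDomain -DomainName $domain).Status   # expected to report Verified after confirmation
} else {
    Write-Warning "TXT record '$expected' is not yet visible for $domain; wait for DNS propagation and retry."
}
```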

Now, on the bigfirm.biz DC we need to install Azure AD Connect.

For this blog I created 3 users:


I clicked Use express settings


Enter the credentials of a user who has the Global Admin role in the Azure portal


Now enter the username/password of an Enterprise Admin (on-premises domain)


Now all on-premises accounts are transferred to Azure


In the previous post we added a new disk to a VM using the Azure portal; in this one we'll do exactly the same thing using PowerShell only:

# Specify your VM name
$vmName = "myazurevm"
# Specify the resource group
$rgName = "rg"
# Specify the storage account name
$saName = "mystorageaccount112016"
# Export the storage account into a variable
$storageAcc = Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $saName
# Pull the VM info
$vmdiskadd = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
# Build the URL prefix for the VHD files, e.g. https://mystorageaccount112016.blob.core.windows.net/vhds/myazurevm
# (the VM name becomes the beginning of the file name)
$DataDiskUri = $storageAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName
# Attach a new empty 100 GB data disk at LUN 0; the names are quoted so the "-Data01" suffix is appended to the variable values
Add-AzureRmVMDataDisk -CreateOption Empty -DiskSizeInGB 100 -Name "$vmName-Data01" -VhdUri "$DataDiskUri-Data01.vhd" -VM $vmdiskadd -Caching ReadOnly -Lun 0
# Update the VM with the new disk config - does not require a reboot
Update-AzureRmVM -ResourceGroupName $rgName -VM $vmdiskadd

On the VM, bring the new disk online:

Get-Disk | Where-Object IsOffline -Eq $True | fl
Get-Disk | Where-Object IsOffline -Eq $True | Set-Disk -IsOffline $False


The first command's output shows the disk number (2 in this case)

Initialize the disk:

Initialize-Disk 2

Create a new volume:

New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter


And finally, format the disk:

Format-Volume -DriveLetter E
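The four in-VM steps above (online, initialize, partition, format) combined into one function, as an added example that is not from the original post. It only touches disks that have no partition table yet, so the OS disk and previously prepared data disks are never reinitialised, and it reports when no new disk is present; the label, GPT partition style and NTFS file system are my assumptions.

```powershell
# Added example: prepare every newly attached, still uninitialised data disk in one go.
# Run on the VM in an elevated PowerShell session. Label, GPT and NTFS are assumptions.

function Initialize-NewDataDisk {
    param(
        [string]$Label = 'Data',
        [string]$FileSystem = 'NTFS'
    )
    # Only RAW disks are candidates: anything already carrying MBR/GPT may hold data
    $candidates = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' }
    if (-not $candidates) {
        Write-Warning 'No uninitialised disk found; check that Add-AzureRmVMDataDisk and Update-AzureRmVM completed.'
        return
    }
    foreach ($disk in $candidates) {
        # Freshly attached Azure disks arrive offline (and sometimes read-only); clear both before initialising
        if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
        if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }
        Initialize-Disk -Number $disk.Number -PartitionStyle GPT
        $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
        Format-Volume -DriveLetter $part.DriveLetter -FileSystem $FileSystem `
            -NewFileSystemLabel "$Label$($disk.Number)" -Confirm:$false | Out-Null
        # Return a summary line per disk so the result can be checked without reading the console log
        [pscustomobject]@{
            Disk   = $disk.Number
            Drive  = $part.DriveLetter
            SizeGB = [math]::Round($disk.Size / 1GB)
        }
    }
}

Initialize-NewDataDisk
```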

In the previous post I created a new VM; now we'll add a disk to it

Click Virtual Machine - Disks - Attach New


Set the name and disk type (HDD or SSD)


Set the size


Configure additional settings:


Select a storage account


Select a container or create a new one:


Choose the host caching mode:

Read/Write: both reads and writes use the local host cache.
Read-Only: writes are always persisted directly to Azure Storage.
None: no caching is used, and all reads and writes are serviced directly from Azure Storage.


The disk is being created:


On the Azure VM click File and Storage Services:


Disks - select the new disk - New Volume


Assign a drive letter:


Set a label:


Create an empty file called template.json and paste the following code:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Username for the Virtual Machine."
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the Virtual Machine."
      }
    },
    "dnsLabelPrefix": {
      "type": "string",
      "metadata": {
        "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
      }
    },
    "windowsOSVersion": {
      "type": "string",
      "defaultValue": "2016-Datacenter",
      "allowedValues": [
        "2008-R2-SP1",
        "2012-Datacenter",
        "2012-R2-Datacenter",
        "2016-Nano-Server",
        "2016-Datacenter-with-Containers",
        "2016-Datacenter"
      ],
      "metadata": {
        "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
      }
    }
  },
  "variables": {
    "storageAccountName": "mystorageaccount112016",
    "nicName": "myVMNic",
    "addressPrefix": "10.0.0.0/16",
    "subnetName": "Subnet",
    "subnetPrefix": "10.0.0.0/24",
    "publicIPAddressName": "myPublicIP",
    "vmName": "MyAzureVM",
    "virtualNetworkName": "MyVNET",
    "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "2016-01-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "apiVersion": "2016-03-30",
      "type": "Microsoft.Network/publicIPAddresses",
      "name": "[variables('publicIPAddressName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "publicIPAllocationMethod": "Dynamic",
        "dnsSettings": {
          "domainNameLabel": "[parameters('dnsLabelPrefix')]"
        }
      }
    },
    {
      "apiVersion": "2016-03-30",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[variables('virtualNetworkName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('addressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[variables('subnetName')]",
            "properties": {
              "addressPrefix": "[variables('subnetPrefix')]"
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2016-03-30",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('nicName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Static",
              "privateIPAddress": "10.0.0.5",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"
              },
              "subnet": {
                "id": "[variables('subnetRef')]"
              }
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2015-06-15",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "[variables('vmName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_D1"
        },
        "osProfile": {
          "computerName": "[variables('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "[parameters('windowsOSVersion')]",
            "version": "latest"
          },
          "osDisk": {
            "name": "osdisk",
            "vhd": {
              "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob, 'vhds/osdisk.vhd')]"
            },
            "caching": "ReadWrite",
            "createOption": "FromImage"
          },
          "dataDisks": [
            {
              "name": "datadisk1",
              "diskSizeGB": "100",
              "lun": 0,
              "vhd": {
                "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob, 'vhds/datadisk1.vhd')]"
              },
              "createOption": "Empty"
            }
          ]
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": "true",
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      }
    }
  ]
}

After declaring the schema, in the parameters section we define the parameters: username/password and the public DNS name

"parameters": {
  "adminUsername": {
    "type": "string",
    "metadata": {
      "description": "Username for the Virtual Machine."
    }
  },
  "adminPassword": {
    "type": "securestring",
    "metadata": {
      "description": "Password for the Virtual Machine."
    }
  },
  "dnsLabelPrefix": {
    "type": "string",
    "metadata": {
      "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
    }

Then we specify the OS version:

"windowsOSVersion": {
  "type": "string",
  "defaultValue": "2016-Datacenter",
  "allowedValues": [
    "2008-R2-SP1",
    "2012-Datacenter",
    "2012-R2-Datacenter",
    "2016-Nano-Server",
    "2016-Datacenter-with-Containers",
    "2016-Datacenter"
  ],
  "metadata": {
    "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
  }
}

In the next section we specify the storage account name, VM NIC, subnet, public IP, VM name and virtual network name

"variables": {
  "storageAccountName": "mystorageaccount112016",
  "nicName": "myVMNic",
  "addressPrefix": "10.0.0.0/16",
  "subnetName": "Subnet",
  "subnetPrefix": "10.0.0.0/24",
  "publicIPAddressName": "myPublicIP",
  "vmName": "MyAzureVM",
  "virtualNetworkName": "MyVNET",
  "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
},

Then the storage account type:

"sku": {
  "name": "Standard_LRS"
},

Optionally, we can set a static internal IP:

"properties": {
  "ipConfigurations": [
    {
      "name": "ipconfig1",
      "properties": {
        "privateIPAllocationMethod": "Static",
        "privateIPAddress": "10.0.0.5",
        "publicIPAddress": {
          "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"
        },
        "subnet": {
          "id": "[variables('subnetRef')]"
        }
      }
    }
  ]
}

VM disk configuration:

"dataDisks": [
  {
    "name": "datadisk1",
    "diskSizeGB": "100",
    "lun": 0,
    "vhd": {
      "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob, 'vhds/datadisk1.vhd')]"
    },
    "createOption": "Empty"
  }
]

Now create a second empty file, param.json, and paste the code below:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUserName": { "value": "batman" },
    "adminPassword": { "value": "Password1234" },
    "dnsLabelPrefix": { "value": "server-201601" }
  }
}

Here we specified the admin username/password and the public DNS name

Create the resource group where the new VM will be stored:

New-AzureRmResourceGroup -Name rg -Location 'west europe'

Deploy the VM:

New-AzureRmResourceGroupDeployment -ResourceGroupName 'rg' -TemplateFile 'c:\template.json' -TemplateParameterFile 'c:\param.json'
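The deployment above, as an added example that is not from the original post, with two changes a practitioner would want: the template and parameters are validated with Test-AzureRmResourceGroupDeployment before anything is created, and the admin password is read at run time as a SecureString and passed as a parameter object, so no plaintext password sits in param.json. It assumes the template.json shown above; the resource group name, username and DNS label are the post's sample values.

```powershell
# Added example: validate first, then deploy template.json without a plaintext password on disk.
# Assumes the template.json from this post and that Login-AzureRmAccount has been run.

$rg = 'rg'
$template = 'c:\template.json'

# Parameters as a hashtable instead of param.json; adminPassword matches the securestring type in the template
$params = @{
    adminUsername  = 'batman'
    adminPassword  = Read-Host -Prompt 'VM admin password' -AsSecureString
    dnsLabelPrefix = 'server-201601'
}

# Same validation the deployment itself performs (schema, parameter types, allowedValues), without creating resources
$problems = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $template -TemplateParameterObject $params
if ($problems) {
    $problems | ForEach-Object { Write-Warning "$($_.Code): $($_.Message)" }
    return
}

# Incremental mode leaves resources already in the group alone; a dated name keeps each deployment's history distinct
$deployment = New-AzureRmResourceGroupDeployment -ResourceGroupName $rg -Name "vm-$(Get-Date -Format yyyyMMddHHmm)" `
    -TemplateFile $template -TemplateParameterObject $params -Mode Incremental

# Surface the outcome rather than assuming success
$deployment | Select-Object DeploymentName, ProvisioningState, Timestamp
```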

 


I wanted to install Windows Server 2016, but in that case the VM has no public IP and the NIC is not associated with any security group (Connect option grayed out), but all works as expected with Windows Server 2012 R2 !!??? Is it a bug or something else? I don't know.

For creating a VM we need Azure PowerShell (see this blog for reference). The first step is to create a resource group. A resource group can be seen as a container for storing Azure resources (virtual machines, networks, subnets, storage accounts, ...).

This is the resource group content I created in one of my previous posts


New-AzureRmResourceGroup -Name "My_Resource_Group" -Location "West Europe"

We also need an Azure storage account. With this account we have access to Azure Storage services such as Tables, Queues, Files, Blobs and Azure virtual machine disks.

Binary Large Object (BLOB): a collection of bytes that can be used to store anything (up to 200 TB)

Tables are used to store large amounts of data for massive scale where some basic structure is required, but relationships between data don’t need to be maintained.

Queues provide reliable and persistent messaging between applications within Azure

Files provide an easy method to share storage within an Azure region

When creating a storage account, we can select one of the following replication options:

Locally redundant storage (LRS) replicates your data three times within a storage scale unit which is hosted in a datacenter in the region in which you created your storage account. A write request returns successfully only once it has been written to all three replicas. These three replicas each reside in separate fault domains and upgrade domains within one storage scale unit.

Zone-redundant storage (ZRS) replicates your data asynchronously across datacenters within one or two regions in addition to storing three replicas similar to LRS, thus providing higher durability than LRS. Data stored in ZRS is durable even if the primary datacenter is unavailable or unrecoverable.

Geo-redundant storage (GRS) replicates your data to a secondary region that is hundreds of miles away from the primary region. If your storage account has GRS enabled, then your data is durable even in the case of a complete regional outage or a disaster in which the primary region is not recoverable.

Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account, by providing read-only access to the data in the secondary location, in addition to the replication across two regions provided by GRS.

New-AzureRmStorageAccount -ResourceGroupName My_Resource_Group -Name myresourceaccount11201 -SkuName "Standard_LRS" -Kind "Storage" -Location 'west europe'

Creating the virtual network:

Create the subnet first:

$mySubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "mySubnet" -AddressPrefix 192.168.2.0/24

Create the virtual network and add the subnet to it:

$myVnet = New-AzureRmVirtualNetwork -Name "myVnet" -ResourceGroupName My_Resource_Group -Location 'west europe' -AddressPrefix 192.168.2.0/24 -Subnet $mySubnet

We can also specify a custom DNS server by adding the -DnsServer 'ip address' switch

Check IP address availability

We can check whether the address we want to assign to the VM is already in use:

Get-AzureRmVirtualNetwork -Name myvnet -ResourceGroupName My_Resource_Group | Test-AzureRmPrivateIPAddressAvailability -IPAddress "192.168.2.1"


Creating the public IP

To reach the VM from outside the virtual network we need a public IP (AllocationMethod can be Static or Dynamic). It is created first because the NIC below references it:

$myPublicIp = New-AzureRmPublicIpAddress -Name "myPublicIp" -ResourceGroupName 'My_Resource_Group' -Location 'west europe' -AllocationMethod Dynamic

Creating the NIC and assigning the IP address:

$myNIC = New-AzureRmNetworkInterface -Name "dc-01" -ResourceGroupName My_Resource_Group -Location 'west europe' -SubnetId $myVnet.Subnets[0].Id -PublicIpAddressId $myPublicIp.Id -PrivateIpAddress 192.168.2.4

Creating local admin credentials:

We'll store the credentials in a variable

$username = 'daredevil'
$password = 'Password1234!'
$passwordsec = ConvertTo-SecureString $password -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential($username, $passwordsec)

Configuring VM - set size

$myVM = New-AzureRmVMConfig -VMName "dc-01" -VMSize "Standard_D2"

For all available VM sizes check out this link

Configuring VM - set the computer name, operating system type and credentials

$myVM = Set-AzureRmVMOperatingSystem -VM $myVM -Windows -ComputerName "dc-01" -Credential $creds -ProvisionVMAgent -EnableAutoUpdate

Configuring VM - set the OS image:

$myVM = Set-AzureRmVMSourceImage -VM $myVM -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version "latest"

Configuring VM - add the network interface:

$myVM = Add-AzureRmVMNetworkInterface -VM $myVM -Id $myNIC.Id

Configuring VM - define the name and location of the VM hard disk:

$storacct = Get-AzureRmStorageAccount -ResourceGroupName 'my_resource_group' -Name 'myresourceaccount11201'
$blobPath = "vhds/myOsDisk1.vhd"
$osDiskUri = $storacct.PrimaryEndpoints.Blob.ToString() + $blobPath

With the above commands, the VM disk will be created in the storage account myresourceaccount11201

Configuring VM - add the hard disk to the VM:

$myVM = Set-AzureRmVMOSDisk -VM $myVM -Name "myOsDisk1" -VhdUri $osDiskUri -CreateOption fromImage

Create the VM:

New-AzureRmVM -ResourceGroupName 'my_resource_group' -Location 'west europe' -VM $myVM
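As an added example that is not part of the original post, the NIC step of the procedure above extended with a network security group, so that RDP to dc-01 is only reachable from an administrative address range rather than from any internet host (the author later notes a NIC without a security group as a problem). It reuses $myVnet and $myPublicIp from the steps above; the admin prefix is a placeholder.

```powershell
# Added example: attach an NSG to the NIC that allows RDP only from a management range.
# Assumes $myVnet and $myPublicIp from the earlier steps; the prefix below is a placeholder.

$adminPrefix = '203.0.113.0/24'   # placeholder: replace with your management network

# One explicit allow rule; everything else inbound is still dropped by the NSG's default DenyAllInBound rule
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name 'allow-rdp-from-admin' -Description 'RDP from management range only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $adminPrefix -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'My_Resource_Group' -Location 'west europe' `
    -Name 'dc-01-nsg' -SecurityRules $rdpRule

# Same NIC as in the post, now bound to the NSG via -NetworkSecurityGroupId
$myNIC = New-AzureRmNetworkInterface -Name 'dc-01' -ResourceGroupName 'My_Resource_Group' -Location 'west europe' `
    -SubnetId $myVnet.Subnets[0].Id -PublicIpAddressId $myPublicIp.Id -PrivateIpAddress 192.168.2.4 `
    -NetworkSecurityGroupId $nsg.Id

# Check what is actually open before continuing with Add-AzureRmVMNetworkInterface
Get-AzureRmNetworkSecurityGroup -Name 'dc-01-nsg' -ResourceGroupName 'My_Resource_Group' |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```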

 

To find out the domain name, in the (new) Azure web portal click Azure Active Directory


and then Domain Names


We'll use this domain name during user creation

Creating a new user

Click again Azure Active Directory - Users and groups - Add a user:


Give the user a name and job title and click OK:


Under Directory role choose a role:

User: can access assigned resources but cannot manage most directory resources.

Global Administrator: full admin rights.

Limited Administrator: has one of the following roles:

Helpdesk administrator: resets passwords, manages service requests, and monitors service health.

Billing administrator: makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service support administrator: manages service requests and monitors service health.

Exchange service administrator: users with this role have global permissions within Microsoft Exchange Online, when the service is present.

Lync (Skype for Business) service administrator: users with this role have global permissions within Microsoft Skype for Business, when the service is present.

User account administrator: resets passwords, monitors service health, and manages user accounts, user groups, and service requests.

SharePoint service administrator: users with this role have global permissions within Microsoft SharePoint Online, when the service is present.

Security reader: read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center.

Security administrator: all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same services: Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center.

Privileged Role Administrator: performs common role management related tasks.

Guest inviter: can invite guest users.


Copy the password to the clipboard and click Create

Adding Windows 10 to Azure AD

On Windows 10, click Settings - System


About - Connect to work or school

Connect


Join this device to Azure Active Directory


Enter the username/password (copied to the clipboard)


You need to set a new password:

Click Join

When logging in to Windows 10 we are asked to set a PIN (you can skip the next 4 pictures if you don't want to set up a PIN)

Provide a cell phone number; you'll get a verification code

Set the desired PIN

Next time you log on, you'll have two options to log in (password and PIN)


When logged in, click Change account settings:


Manage my account:

The Azure portal web page opens.