Azure / azure-powershell

Microsoft Azure PowerShell

Unable to use runcommand as domain user #24369

Open marshalexander99 opened 7 months ago

marshalexander99 commented 7 months ago

Description

When running a simple script of:

try {import-module activedirectory
get-addomain}
catch {
throw $_
}

I constantly get an error stating that the username or password is incorrect on the VM when run via Set-AzVMRunCommand.

When running via a Bicep deployment I get constant errors about not being able to find the domain when trying to perform something.

resource domainjoinstorage 'Microsoft.Compute/virtualMachines/runCommands@2023-09-01' = {
  name: 'domainjoin${storageaccount}'
  location: deploymentLocation
  parent: taskvm
  properties: {
    source: {
      scriptUri: 'https://${scriptsa}.blob.${environment().suffixes.storage}/config/Script.ps1'
      scriptUriManagedIdentity: {
        clientId: umi
      }
    }
    parameters: stdparamters
    errorBlobUri: 'https://${scriptsa}.blob.${environment().suffixes.storage}/config/error-${storageaccount}-${date}.txt'
    errorBlobManagedIdentity: {
      clientId: umi
    }
    outputBlobUri: 'https://${scriptsa}.blob.${environment().suffixes.storage}/config/output-${storageaccount}-${date}.txt'
    outputBlobManagedIdentity: {
      clientId: umi
    }
    runAsUser: '${domain}\\${domainUsername}'
    runAsPassword: runaspassword
    timeoutInSeconds: 300
  }
  dependsOn: [
    installmanagementmodules
  ]
}

Error from the runcommandhandler status output with PowerShell


This is the error generated in the blob when running the Bicep deployment for the same script and credentials:

import-module : The specified module 'activedirectory' was not loaded because no valid module file was found in any module directory.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_domainjoinsticihdjtest_1.ps1:1 char:6
+ try {import-module activedirectory
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (activedirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

get-addomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_domainjoinsticihdjtest_1.ps1:2 char:1
+ get-addomain
+ ~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (COMPANY:ADDomain) [Get-ADDomain], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADDomain

How do I perform simple domain activities using the runcommand functionality?

Issue script & Debug output

$vm = "vm-prod-nps-01"
$vmrg = "rg-vm-nps-prod-uks"
$runasuser = "scriptadmin@company.local"
$password = Read-Host -AsSecureString
$script = 'try {get-addsdomain}
catch {throw $_}'
$errorblob = "errorblob"
$outputblob = "outputblob"
$DebugPreference = 'continue'
Connect-AzAccount
Set-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm -RunCommandName getdomaininfo -Location "uksouth" -RunAsUser $runasuser -RunAsPassword $password -ScriptLocalPath "C:\temp\script.ps1" -ErrorBlobUri $errorblob -OutputBlobUri $outputblob -TimeoutInSecond 30

DEBUG: 15:41:07 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'<tenant>', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'azureadmin@<domain>.onmicrosoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - 8ed3ea38-04d7-4a05-a75d-1c1a2e3235c5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - 8ed3ea38-04d7-4a05-a75d-1c1a2e3235c5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - 0439f6df-ec91-4378-b527-ab2946ec9881] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z] Found 6 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z] Returning 6 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(c0eba50d-0a40-462d-9c4c-930bd01b061b)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] 
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - c0eba50d-0a40-462d-9c4c-930bd01b061b
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] === Token Acquisition (SilentRequest) started:
     Scopes: https://management.core.windows.net//.default
    Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] Access token is not expired. Returning the found cache entry. [Current time (03/14/2024 15:41:07) - Expiration Time (03/14/2024 16:30:40 +00:00) - Extended Expiration Time (03/14/2024 16:30:40 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b] 
    === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-03-14 15:41:07Z - c0eba50d-0a40-462d-9c4c-930bd01b061b]  AT expiration time: 14/03/2024 16:30:40 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2024-03-14T16:30:40.0000000+00:00
WARNING: TenantId '<tenant>' contains more than one active subscription. First one will be selected for further use. To select another subscription, use Set-AzContext. 
To override which subscription Connect-AzAccount selects by default, use `Update-AzConfig -DefaultSubscriptionForLogin 00000000-0000-0000-0000-000000000000`. Go to https://go.microsoft.com/fwlink/?linkid=2200610 for more information.

DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.11.2; CommandName: Connect-AzAccount; PSVersion: 5.1.22621.2506; IsSuccess: True; Duration: 00:00:04.1954368
DEBUG: 15:41:07 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 15:41:07 - ConnectAzureRmAccountCommand end processing.
DEBUG: 15:41:07 - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing: 
DEBUG: CmdletProcessRecordStart: 
DEBUG: CmdletGetPipeline: 
DEBUG: CmdletBeforeAPICall: 
DEBUG: URLCreated: /subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo?api-version=2021-07-01
DEBUG: RequestCreated: /subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo?api-version=2021-07-01
DEBUG: HeaderParametersAdded: 
DEBUG: BodyContentSet: 
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo?api-version=2021-07-01

Headers:
x-ms-unique-id                : 109
x-ms-client-request-id        : 20b85c28-6ef6-4771-a230-423182c9151f
CommandName                   : Az.Compute\Set-AzVMRunCommand
FullCommandName               : Set-AzVMRunCommand_UpdateExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.22621.2506,Az.Compute/5.4.0

Body:
{
  "location": "uksouth",
  "properties": {
    "source": {
      "script": "try {import-module activedirectory;get-addomain;};catch {;throw $_;};"
    },
    "runAsUser": "scriptadmin@company.local",
    "runAsPassword": "System.Security.SecureString",
    "timeoutInSeconds": 30,
    "outputBlobUri": "https://<storageaccount>.blob.core.windows.net/config/output.txt",
    "errorBlobUri": "https://<storageaccount>.blob.core.windows.net/config/error.txt"
  }
}

DEBUG: BeforeCall: 
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
Azure-AsyncOperation          : https://management.azure.com/subscriptions/<subscription>/providers/Microsoft.Compute/locations/uksouth/operations/d00da334-5eb4-4e38-8daa-6dc9ae7119bb?p=ae289c7f-5b7b-4b4d-8ba7-2e87f84b4894&api-version=2021-07-01&t=638460
276671450871&c=MIIHHjCCBgagAwIBAgITOgKWeRpXUo0goaa18AAEApZ5GjANBgkqhkiG9w0BAQsFADBEMRMwEQYKCZImiZPyLGQBGRYDR0JMMRMwEQYKCZImiZPyLGQBGRYDQU1FMRgwFgYDVQQDEw9BTUUgSU5GUkEgQ0EgMDEwHhcNMjQwMTMwMjEyMDAzWhcNMjUwMTI0MjEyMDAzWjBAMT4wPAYDVQQDEzVhc3luY29wZXJhdGlvbnNpZ25pbmdjZXJ0aWZpY2F0Z
S5tYW5hZ2VtZW50LmF6dXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOuSGRxB8wtmyVs6tBCur99_x6gFKPFneFOMxPAPHIMP9Kw91_4gdaGdrYCcPfT2UPWQ87fexZ_TqxJZgkLOAoemFCAtd3YGYVQBnyXjI0WM6nHnNvzDOlNTiLKXa23GMq6_nWpoS4Q6vA2i5Z5TtPHC-sjS_yNBw3CyzubXhtmS017_C3y669tmtGF-wDzKrtkrc-dp7wkue
nhn0QucFyoWftJQRvKW68l5lJPCPs2BZIoRiZXda6pXYQGHmZfYNkjCza_s8M_YNW6Vb5pzyhSd_VbdeK-L23LSEguVOCkg3keawCZyNF-vrUrWy6nr2pOn-PxV5799wdQh0W3FvHkCAwEAAaOCBAswggQHMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwEwCgYIKwYBBQUHAwIwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIhpDjDYTVtHiE8Ys-hZvdFs6dEoFgg
vX2K4Py0SACAWQCAQowggHaBggrBgEFBQcBAQSCAcwwggHIMGYGCCsGAQUFBzAChlpodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpaW5mcmEvQ2VydHMvQlkyUEtJSU5UQ0EwMS5BTUUuR0JMX0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0KS5jcnQwVgYIKwYBBQUHMAKGSmh0dHA6Ly9jcmwxLmFtZS5nYmwvYWlhL0JZMlBLSUlOVENBMDEuQU1FLkdCTF9BTUUlMjBJT
kZSQSUyMENBJTIwMDEoNCkuY3J0MFYGCCsGAQUFBzAChkpodHRwOi8vY3JsMi5hbWUuZ2JsL2FpYS9CWTJQS0lJTlRDQTAxLkFNRS5HQkxfQU1FJTIwSU5GUkElMjBDQSUyMDAxKDQpLmNydDBWBggrBgEFBQcwAoZKaHR0cDovL2NybDMuYW1lLmdibC9haWEvQlkyUEtJSU5UQ0EwMS5BTUUuR0JMX0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0KS5jcnQwVgYIKwYBBQUHM
AKGSmh0dHA6Ly9jcmw0LmFtZS5nYmwvYWlhL0JZMlBLSUlOVENBMDEuQU1FLkdCTF9BTUUlMjBJTkZSQSUyMENBJTIwMDEoNCkuY3J0MB0GA1UdDgQWBBS5uRCnQj-T4YNROgKVGr_80aFUTzAOBgNVHQ8BAf8EBAMCBaAwggE1BgNVHR8EggEsMIIBKDCCASSgggEgoIIBHIZCaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraWluZnJhL0NSTC9BTUUlMjBJTkZSQSUyM
ENBJTIwMDEoNCkuY3JshjRodHRwOi8vY3JsMS5hbWUuZ2JsL2NybC9BTUUlMjBJTkZSQSUyMENBJTIwMDEoNCkuY3JshjRodHRwOi8vY3JsMi5hbWUuZ2JsL2NybC9BTUUlMjBJTkZSQSUyMENBJTIwMDEoNCkuY3JshjRodHRwOi8vY3JsMy5hbWUuZ2JsL2NybC9BTUUlMjBJTkZSQSUyMENBJTIwMDEoNCkuY3JshjRodHRwOi8vY3JsNC5hbWUuZ2JsL2NybC9BTUUlM
jBJTkZSQSUyMENBJTIwMDEoNCkuY3JsMBcGA1UdIAQQMA4wDAYKKwYBBAGCN3sBATAfBgNVHSMEGDAWgBTl2Ztn_PjsurvwwKidileIud8-YzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAFUHIOiIJ1ZRhNIFVZ1by6NH_KWBkN_DtGbcPXxl-QWiHlBz-k3RD5KfhhgdUjZErCNDcpIW1l-fhvEbBABPMnyJfoGj7Zxl9cgeJ
sH3EeKMisuw1ACBCn1uGaVu1fBNSS2-GL_A_CfxOIW79ciwvahy1_1dxbiRZR3guuRLg-oGR97RBRyM29szK1ALN3JObkqeeSGFIdm5k9BVMFUTghPhva3SYu76_XvcAl2v9hfqWksbwrpbPww0fe5ksKFuRIve19jrHww8CkFKvvxkILnwJC-oFjoIDYLIV1PHVPPkb1qjZX9UcM05HCVUw2ZvywmXnUvOgZ2w_LE7uGBRQsw&s=SeDp9WBUQ8BYJWgLbUyS-tuoNmwyApT
8u6pAwGp235ztul0phAEe_Uiq7wpyDXOQFm6R4EjrmhrnqibE7S4QGsw7DdUK5_Pj0LwUB_kI48t-sbLpttycwgbNdIQ_AMvUMcmw9xrJtBGUsgZDGZf9UJEB6mOHQSxmquG9nJce_eni_z0MDGq2ddqKyTELD1mrRZSOwGa1stYubJHTLTeFr7_0lFL0SgNPEL33nXP__VTSLHqqwQJiey-0ZIIten0R_kywMCGunNSwTwqOwn1UWVHEkhBkT2qG06k5XtlyT3lufRR9JF6
cL1dSl0xb4m8JzuXN1ZDTKhBojZspxMEqdg&h=KlSegSQHfFw95sKAtG-_Prahc7tqkgvyhQochOoSGBE
azure-asyncnotification       : Enabled
x-ms-ratelimit-remaining-resource: Microsoft.Compute/UpdateVMSubscriptionMaximum;1499,Microsoft.Compute/UpdateVMResource;11
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : d00da334-5eb4-4e38-8daa-6dc9ae7119bb
Cache-Control                 : no-cache
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-writes: 1198
x-ms-correlation-request-id   : 39224d55-02aa-4156-9dd8-c787f1cbac38
x-ms-routing-request-id       : UKSOUTH:20240314T154107Z:39224d55-02aa-4156-9dd8-c787f1cbac38
X-Content-Type-Options        : nosniff
Date                          : Thu, 14 Mar 2024 15:41:06 GMT

Body:
{
  "name": "getdomaininfo",
  "id": "/subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo",
  "type": "Microsoft.Compute/virtualMachines/runCommands",
  "location": "uksouth",
  "properties": {
    "source": {
      "script": "try {import-module activedirectory;get-addomain;};catch {;throw $_;};"
    },
    "runAsUser": "scriptadmin@company.local",
    "timeoutInSeconds": 30,
    "outputBlobUri": "https://<storageaccount>.blob.core.windows.net/config/output.txt",
    "errorBlobUri": "https://<storageaccount>.blob.core.windows.net/config/error.txt",
    "provisioningState": "Updating",
    "asyncExecution": false
  }
}

DEBUG: ResponseCreated: 
DEBUG: DelayBeforePolling: Delaying 30 seconds before polling.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<subscription>/providers/Microsoft.Compute/locations/uksouth/operations/d00da334-5eb4-4e38-8daa-6dc9ae7119bb?p=ae289c7f-5b7b-4b4d-8ba7-2e87f84b4894&api-version=2021-07-01&t=638460276671450871&c=MIIHHjCCBgagAwIBA

Headers:
x-ms-unique-id                : 110
x-ms-client-request-id        : 20b85c28-6ef6-4771-a230-423182c9151f
CommandName                   : Az.Compute\Set-AzVMRunCommand
FullCommandName               : Set-AzVMRunCommand_UpdateExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.22621.2506,Az.Compute/5.4.0

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-resource: Microsoft.Compute/GetOperationResource;44,Microsoft.Compute/GetOperationSubscriptionMaximum;14999
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : a542b77a-f925-4c0d-a00e-f74439f5a5f5
Cache-Control                 : no-cache
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11996
x-ms-correlation-request-id   : 02856b0e-0bf7-4d23-a42c-0d775724a15f
x-ms-routing-request-id       : UKSOUTH:20240314T154137Z:02856b0e-0bf7-4d23-a42c-0d775724a15f
X-Content-Type-Options        : nosniff
Date                          : Thu, 14 Mar 2024 15:41:36 GMT

Body:
{
  "startTime": "2024-03-14T15:41:07.0924339+00:00",
  "status": "InProgress",
  "name": "d00da334-5eb4-4e38-8daa-6dc9ae7119bb"
}

DEBUG: Polling: 
DEBUG: DelayBeforePolling: Delaying 30 seconds before polling.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<subscription>/providers/Microsoft.Compute/locations/uksouth/operations/d00da334-5eb4-4e38-8daa-6dc9ae7119bb?p=ae289c7f-5b7b-4b4d-8ba7-2e87f84b4894&api-version=2021-07-01&t=638460276671450871&c=MIIHHjCCBgagAwIBA

Headers:
x-ms-unique-id                : 111
x-ms-client-request-id        : 20b85c28-6ef6-4771-a230-423182c9151f
CommandName                   : Az.Compute\Set-AzVMRunCommand
FullCommandName               : Set-AzVMRunCommand_UpdateExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.22621.2506,Az.Compute/5.4.0

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-resource: Microsoft.Compute/GetOperationResource;42,Microsoft.Compute/GetOperationSubscriptionMaximum;14998
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : e3061016-cc55-4577-a8db-3bfbefaf3706
Cache-Control                 : no-cache
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11995
x-ms-correlation-request-id   : a9e86d0b-ec43-42ae-973a-cf9ff8ac5536
x-ms-routing-request-id       : UKSOUTH:20240314T154207Z:a9e86d0b-ec43-42ae-973a-cf9ff8ac5536
X-Content-Type-Options        : nosniff
Date                          : Thu, 14 Mar 2024 15:42:07 GMT

Body:
{
  "startTime": "2024-03-14T15:41:07.0924339+00:00",
  "endTime": "2024-03-14T15:41:37.5302895+00:00",
  "status": "Succeeded",
  "name": "d00da334-5eb4-4e38-8daa-6dc9ae7119bb"
}

DEBUG: Polling: 
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo?api-version=2021-07-01

Headers:
x-ms-unique-id                : 112
x-ms-client-request-id        : 20b85c28-6ef6-4771-a230-423182c9151f
CommandName                   : Az.Compute\Set-AzVMRunCommand
FullCommandName               : Set-AzVMRunCommand_UpdateExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.22621.2506,Az.Compute/5.4.0

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-resource: Microsoft.Compute/LowCostGetSubscriptionMaximum;23998,Microsoft.Compute/LowCostGetResource;34
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : 1f8b3813-01d8-4564-907a-b13c6e623859
Cache-Control                 : no-cache
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11994
x-ms-correlation-request-id   : e394899c-dd79-47fe-afd1-c5c3400cc8ad
x-ms-routing-request-id       : UKSOUTH:20240314T154207Z:e394899c-dd79-47fe-afd1-c5c3400cc8ad
X-Content-Type-Options        : nosniff
Date                          : Thu, 14 Mar 2024 15:42:07 GMT

Body:
{
  "name": "getdomaininfo",
  "id": "/subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo",
  "type": "Microsoft.Compute/virtualMachines/runCommands",
  "location": "uksouth",
  "properties": {
    "source": {
      "script": "try {import-module activedirectory;get-addomain;};catch {;throw $_;};"
    },
    "runAsUser": "scriptadmin@company.local",
    "timeoutInSeconds": 30,
    "outputBlobUri": "https://<storageaccount>.blob.core.windows.net/config/output.txt",
    "errorBlobUri": "https://<storageaccount>.blob.core.windows.net/config/error.txt",
    "provisioningState": "Succeeded",
    "asyncExecution": false
  }
}

DEBUG: Polling: 
DEBUG: BeforeResponseDispatch: 
Account                                    SubscriptionName              TenantId                             Environment
-------                                    ----------------              --------                             -----------
azureadmin@<domain>inhere.onmicrosoft.com Visual Studio Enterprise - CS <tenant> AzureCloud 

AsyncExecution               : False
ErrorBlobUri                 : https://<storageaccount>.blob.core.windows.net/config/error.txt
Id                           : /subscriptions/<subscription>/resourceGroups/rg-vm-nps-prod-uks/providers/Microsoft.Compute/virtualMachines/vm-prod-nps-01/runCommands/getdomaininfo
InstanceViewEndTime          : 
InstanceViewError            : 
InstanceViewExecutionMessage : 
InstanceViewExecutionState   : 
InstanceViewExitCode         : 
InstanceViewOutput           : 
InstanceViewStartTime        : 
InstanceViewStatuses         : 
Location                     : uksouth
Name                         : getdomaininfo
OutputBlobUri                : https://<storageaccount>.blob.core.windows.net/config/output.txt
Parameter                    : 
ProtectedParameter           : 
ProvisioningState            : Succeeded
RunAsPassword                : 
RunAsUser                    : scriptadmin@company.local
SourceCommandId              : 
SourceScript                 : try {import-module activedirectory;get-addomain;};catch {;throw $_;};
SourceScriptUri              : 
Tag                          : Microsoft.Azure.PowerShell.Cmdlets.Compute.Models.Api20210701.ResourceTags
TimeoutInSecond              : 30
Type                         : Microsoft.Compute/virtualMachines/runCommands

DEBUG: Finally: 
DEBUG: CmdletAfterAPICall: 
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd: 
DEBUG: CmdletProcessRecordEnd: 
DEBUG: AzureQoSEvent:  Module: Az.Compute:5.4.0; CommandName: Set-AzVMRunCommand; PSVersion: 5.1.22621.2506; IsSuccess: True; Duration: 00:01:00.4862524

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Script     2.11.2     Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     5.4.0      Az.Compute                          {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnattendContent, Add-AzVMDataDisk...}
Script     5.4.0      Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHandle...}

Error output

No response

marshalexander99 commented 7 months ago

After some more troubleshooting, how foolish of me for thinking that the runaspassword would take a secure variable input for the password... So I now have the following script that works, what I can't do is perform get-addomain, which is a key step to automating the domain join of storage accounts.

Set-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm -RunCommandName getdomaininfo -Location "uksouth" -RunAsUser 'company.local\scriptadmin' -RunAsPassword 'PlainTextPassword' -SourceScriptUri $script -ErrorBlobUri $errorblob -OutputBlobUri $outputblob -TimeoutInSecond 30

Here is the error output from the errorblob stream

C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_getdomaininfo_0.ps1 : Unable 

to contact the server. This may be because this server does not exist, it is currently down, or it does not have the 
Active Directory Web Services running.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Script_getdomaininfo_0.ps1

The server is not a domain controller, it does have AD PowerShell installed and running the script locally works fine. I can see the kerberos auth service and kerberos service ticket operations requesting access but it gets rejected.

Have followed this to try and get it working, but to no avail: Resource-Based Kerberos Constrained Delegation. I can only assume this is what the issue is and why this AD error occurs.
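The two things a practitioner would want at this point are (a) to stop putting the RunAsUser password in clear on the command line, and (b) to see exactly what logon context the handler gives the script, so the "Unable to contact the server" error can be split into "DC locator / ADWS unreachable" versus "the token cannot authenticate over the network". The script below is an added example and is not part of the issue or of Az.Compute. It assumes Az.KeyVault is installed, that a vault `kv-scripts` holds the password as secret `scriptadmin-password`, and that the resource group, VM and account names are placeholders; the `-SourceScript` and `-Expand InstanceView` parameters are the ones Az.Compute documents for these cmdlets.

```powershell
# Added example (not from the issue): run an AD diagnostic under RunAsUser with the
# password fetched from Key Vault at run time instead of typed into the command.
# Assumed placeholders: resource group, VM name, account, vault and secret names.
$vmrg  = 'rg-task'
$vm    = 'taskvm'
$runAs = 'company.local\scriptadmin'

# Pull the password when the command runs; it never lands in the script file,
# the repository or a Bicep parameter file. Get-AzKeyVaultSecret -AsPlainText is
# the documented way to read the secret value (Az.KeyVault assumed installed).
$runAsPassword = Get-AzKeyVaultSecret -VaultName 'kv-scripts' -Name 'scriptadmin-password' -AsPlainText

# Diagnostic script executed on the VM as RunAsUser. It records the identity and
# Kerberos ticket state the handler actually gives the process, then exercises AD
# through two separate paths: LDAP (System.DirectoryServices) and ADWS on TCP 9389
# (Get-ADDomain). Which path fails tells you whether the problem is ADWS
# reachability or the logon token itself.
$diag = @'
$ErrorActionPreference = 'Continue'
"=== identity ==="
whoami.exe /all 2>&1
"=== kerberos tickets before AD calls ==="
klist.exe 2>&1
"=== LDAP via DirectoryServices ==="
try   { [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name }
catch { "LDAP path failed: $($_.Exception.Message)" }
"=== ADWS via Get-ADDomain ==="
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    # -Discover uses the DC locator (no ADWS needed), so it isolates DC discovery
    $dc = (Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop).HostName[0]
    "discovered ADWS-capable DC: $dc"
    "TCP 9389 reachable: " + (Test-NetConnection -ComputerName $dc -Port 9389).TcpTestSucceeded
    "Get-ADDomain result: " + (Get-ADDomain -Server $dc -ErrorAction Stop).DNSRoot
} catch { "ADWS path failed: $($_.Exception.Message)" }
"=== kerberos tickets after AD calls ==="
klist.exe 2>&1
'@

Set-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm -RunCommandName 'addiag' `
    -Location 'uksouth' -SourceScript $diag `
    -RunAsUser $runAs -RunAsPassword $runAsPassword -TimeoutInSecond 120

# Read the handler's captured stdout/stderr back from the instance view, so no
# output/error blob (and no managed identity for it) is needed for a one-off check.
$rc = Get-AzVMRunCommand -ResourceGroupName $vmrg -VMName $vm -RunCommandName 'addiag' -Expand InstanceView
$rc.InstanceView.Output
$rc.InstanceView.Error
```

If the LDAP line succeeds and `Test-NetConnection` reports `True` but `Get-ADDomain` still fails, the network path and ADWS are fine and the problem is the credential in the process token (the "double hop" the reporter suspects); if `klist` shows no TGT for the account after the AD calls, the logon the handler performed never obtained Kerberos credentials. The `-RunAsPassword` value still travels to the Run Command resource, so keep the session transcript and PowerShell history in mind when running this interactively.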

isra-fel commented 6 months ago

The Get-AdDomain cmdlet works locally but failed when using Set-AzVMRunCommand. Let me involve Compute team.

GabstaMSFT commented 6 months ago

Hello @marshalexander99, have you successfully run this PowerShell script on the local machine using a PowerShell window that is running as "scriptadmin@company.local"?

marshalexander99 commented 6 months ago

Hello @marshalexander99, have you successfully run this PowerShell script on the local machine using a PowerShell window that is running as "scriptadmin@company.local"?

Yes. No issues doing that as you don't have the double hop issue.

GabstaMSFT commented 6 months ago

Hello @marshalexander99, have you successfully run this PowerShell script on the local machine using a PowerShell window that is running as "scriptadmin@company.local"?

Yes. No issues doing that as you don't have the double hop issue.

Thank you for the quick confirmation. I am reviewing this with the dev team.

vivlingaiah commented 6 months ago

@marshalexander99, does the command Get-AdDomain work when the RunAsUser parameter is not used? If so, could you possibly use that as a workaround until the issue is investigated and fixed? We've had similar issues reported in the past with other commands when the RunAsUser parameter is used. We are tracking the issue using Bug 24542208: RC2W RunAsUser - Some commands not working when RunAsUser parameter is used

marshalexander99 commented 6 months ago

Hi, that would only work if we grant the computer account that the run commands run on the permissions to create the necessary objects in AD (the commands run as SYSTEM, I do believe), which I don't believe to be a suitable solution at this moment in time. While the get-addomain command would work, as all AD objects can read, none of the others which actually perform any actions on AD would without appropriate permission delegation.

marshalexander99 commented 5 months ago

Is there any update on this? We're seeing more and more requests to domain join storage accounts, and being able to do this as part of an IaC deployment without significant additional work would be advantageous.

vivlingaiah commented 4 months ago

@marshalexander99, This looks expected to me. Set-AzVmRunCommand would not provide any necessary permissions to RunAsUser to perform AD operations. We won't be able to do that. It is on the user/owner of VM to provide necessary permissions to RunAsUser before running Set-AzVMRunCommand.

That's what the error message provided by you highlights: image

Debugging option: Are you able to accomplish the same AD operations without using Run Command and RunAsUser (using Set-AzVMRunCommand)? Say, remote into that VM as that user (RunAsUser) and execute AD operations? If you are not able to do so using RunAsUser, Set-AzVMRunCommand just mirrors the permissions held by RunAsUser on the VM, similar to what you can do after logging in as RunAsUser directly on the VM.
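The "log in as that user and run it directly" check above only tests one Windows logon type, and the reporter's later point about the double hop is exactly about logon type: an interactive logon holds the user's credentials and can obtain a Kerberos TGT, while a network logon (WinRM to the same box, for instance) does not. The script below is an added example, not from the issue or from Microsoft, and runs the same AD probe under the RunAsUser account through three logon types on the VM itself so the outputs can be compared. It assumes WinRM is enabled (the Windows Server default), that the account holds the "log on locally" and "log on as a batch job" rights, and that `C:\Users\Public` is writable by that account; the probe path and task name are placeholders.

```powershell
# Added example (not from the issue): run one AD probe under the RunAsUser account
# via three different logon types and compare. Assumed: WinRM enabled, the account
# has interactive and batch logon rights, $env:PUBLIC is writable by it.
$cred      = Get-Credential -UserName 'company.local\scriptadmin' -Message 'Account used for RunAsUser'
$outDir    = Join-Path $env:PUBLIC 'adprobe'
$probeFile = Join-Path $outDir 'adprobe.ps1'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The probe: who am I, which Kerberos tickets do I hold, does Get-ADDomain work.
@'
param([string]$OutFile)
$r = [ordered]@{ User = (whoami.exe); Tickets = (klist.exe | Out-String) }
try   { Import-Module ActiveDirectory -ErrorAction Stop; $r.AD = (Get-ADDomain -ErrorAction Stop).DNSRoot }
catch { $r.AD = "FAILED: $($_.Exception.Message)" }
[pscustomobject]$r | Format-List | Out-File -FilePath $OutFile
'@ | Set-Content -Path $probeFile -Encoding ASCII

# Argument string that runs the probe and writes its report to $OutFile.
function Get-ProbeArgs([string]$OutFile) {
    "-NoProfile -ExecutionPolicy Bypass -File `"$probeFile`" -OutFile `"$OutFile`""
}

# 1) Interactive logon: a new process created with the credential
#    (CreateProcessWithLogonW). The token carries the password-derived keys,
#    so Kerberos to a DC works if the account and network are fine.
$f1 = Join-Path $outDir 'interactive.txt'
Start-Process -FilePath powershell.exe -Credential $cred -Wait -ArgumentList (Get-ProbeArgs $f1)
'--- interactive logon ---'; Get-Content $f1

# 2) Network logon through WinRM to localhost: the classic "double hop" shape.
#    The receiving token has no reusable credential, so a further Kerberos hop
#    to a DC fails unless delegation is configured.
'--- network logon (WinRM) ---'
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {
    param($p, $o)
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $p -OutFile $o
    Get-Content $o
} -ArgumentList $probeFile, (Join-Path $outDir 'network.txt')

# 3) Batch logon via a scheduled task registered with the password, which is
#    how many automation hosts run jobs; it also carries credentials.
$f3     = Join-Path $outDir 'batch.txt'
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (Get-ProbeArgs $f3)
Register-ScheduledTask -TaskName 'ADProbe' -Action $action -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -Force | Out-Null
Start-ScheduledTask -TaskName 'ADProbe'
Start-Sleep -Seconds 20
'--- batch logon (scheduled task) ---'; Get-Content $f3
Unregister-ScheduledTask -TaskName 'ADProbe' -Confirm:$false
```

If the interactive and batch runs succeed while the WinRM run reports the same "Unable to contact the server" failure as Run Command, the account and permissions are fine and the behaviour follows the logon type, which is the evidence to attach to the bug rather than a permissions question. The scheduled-task step stores the password with the task for its short lifetime; the example unregisters it immediately, but run it only on a host you control.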

marshalexander99 commented 4 months ago

@marshalexander99, This looks expected to me. Set-AzVmRunCommand would not provide any necessary permissions to RunAsUser to perform AD operations. We won't be able to do that. It is on the user/owner of VM to provide necessary permissions to RunAsUser before running Set-AzVMRunCommand.

That's what the error message provided by you highlights: image

Debugging option: Are you able to accomplish the same AD operations without using Run Command and RunAsUser (using Set-AzVMRunCommand)? Say, remote into that VM as that user (RunAsUser) and execute AD operations? If you are not able to do so using RunAsUser, Set-AzVMRunCommand just mirrors the permissions held by RunAsUser on the VM, similar to what you can do after logging in as RunAsUser directly on the VM.

I have provided the necessary permissions to the user specified in the run-as command. All domain user accounts have permission to run get-addomain and view domain info. I can do everything required logging in directly; the run-as command is the issue here.

vivlingaiah commented 4 months ago

@marshalexander99, Could you confirm this - Are you able to accomplish the desired operations as that RunAsUser without using any RunCommand? Say, execute a PowerShell script as that user on that VM directly?

marshalexander99 commented 4 months ago

@marshalexander99, Could you confirm this - Are you able to accomplish the desired operations as that RunAsUser without using any RunCommand? Say, execute a PowerShell script as that user on that VM directly?

Yes

vivlingaiah commented 4 months ago

@marshalexander99, Could you let me know the steps you used to install the ActiveDirectory module? I'll try to repro on my end.

marshalexander99 commented 4 months ago

Installed via Server Manager as part of the RSAT tools.

On Wed, 12 Jun 2024 at 16:29, Viv Lingaiah wrote:

@marshalexander99, Could you let me know the steps you used to install the ActiveDirectory module? I'll try to repro on my end.