microsoft / AzureMonitorAddonForSplunk

A Splunk add-on (aka modular input) that brings Metrics and Diagnostic Logs from various Azure ARM resources and the subscription-wide Activity Log (aka Audit Log) to Splunk Enterprise.

Unable to run Azure-Setup ps1 script - Corporate Environment #102

Closed aaslanyan2 closed 3 years ago

aaslanyan2 commented 5 years ago

We are experiencing an issue with running the setup script in our corporate environment. To troubleshoot a basic set of assumptions, I was able to run the script using my personal pay-as-you-go subscription without an issue. Our Azure subscription is federated with Office 365 tenant for Azure AD. My personal pay-as-you-go subscription does not have any federation; Azure AD is part of the existing subscription. Could the issue with the script boil down to using a given Azure subscription and having the Azure AD point to a federated tenant in Office 365?

Prior to launching the script, the engineer who was prepped to execute the script was setup with owner rights to the Azure subscription and has admin rights to Azure AD. Additionally, the context in PowerShell ISE was set to the right Azure subscription that we're looking to get logs out of. After running the script, it eventually errored out (even though the resource group, event hub and key vault were created):

Set-AzureRmKeyVaultAccessPolicy : Cannot find the Active Directory object '' in tenant '[REDACTED]'. Please make sure that the user or application service principal you are authorizing is registered in the current subscription's Azure Active directory. The TenantID displayed by the cmdlet 'Get-AzureRmContext' is the current subscription's Azure Active directory. At C:\Users\XXXXX\scripts\azure-setup.ps1:33 char:1

Set-AzureRmKeyVaultAccessPolicy -ResourceGroupName $keyVault.Resource ...

I've done some research and do not see an issue with the script (creates an app ID and not a client ID).

Please help us get through this as this piece is critical for us to standardize on log forwarding to Splunk (out of Azure). There are +3 subscriptions that are in the queue and we need to get this to work.

sebastus commented 5 years ago

Hi @aaslanyan2. Please email golive@Microsoft.com.

aaslanyan2 commented 5 years ago

I can certainly reach out to Microsoft, but doesn't this script require modification to change subscriptions when authenticating to a different Azure subscription, one that you're federated with? I think such an enhancement can definitely help this script because as things stand right now, we need to pick apart the code and change context to execute each step (even then it has application credential vaulting issues).

aaslanyan2 commented 5 years ago

Resolved the issue. Long story short, when dealing with multiple subscriptions, as would be the case if you are using federation with Azure AD, you will need to add lines to your script to instruct it to log into different Azure contexts.

We ended up using a single account that has owner-like privilege to both Azure subscriptions, added the following:

- Add this to the top of the script (make it the first line): Get-AzureRmSubscription -SubscriptionName "Name of Subscription" | Select-AzureRmSubscription
- Add this to the line above where it says "#Create an Azure AD App Registration": Get-AzureRmSubscription -SubscriptionName "Name of subscription that you are federated with, since this is where the Azure AD App registration account gets created" | Select-AzureRmSubscription
- Add this to the line above where it says "# Assign the service principal to the Reader role for the Azure subscription": Get-AzureRmSubscription -SubscriptionName "Name of Subscription" | Select-AzureRmSubscription

Adding these AzureRM commands allows the script to jump between contexts and allow proper creation of resources, app account, registration, enrollment of secrets into the key vault and all other setup in between. This was the only way we could get things to work when dealing with a federated environment. The web-based guide that's also published did not work with a federated environment, but did work just fine with a single subscription/Azure AD environment.

Hope this helps.
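The context switching described in the comment above, written out as an added example (it is not the add-on's own azure-setup.ps1): each phase of the setup is run against an explicitly selected subscription, the resulting context is verified before continuing, and the service principal object is checked to be non-empty and in the vault's tenant before Set-AzureRmKeyVaultAccessPolicy is called, which is the call that failed with the empty '' object in this issue. Subscription, vault and app names are placeholders.

```powershell
# Added example, not the project's setup script. AzureRM cmdlets only.
# Placeholders: replace with the real subscription, vault and app names.
$resourceSub = "Name of Subscription"                       # holds RG, event hub, key vault
$identitySub = "Name of subscription federated with AAD"    # where the app registration is created
$vaultName   = "PLACEHOLDER-keyvault"
$appName     = "PLACEHOLDER-splunk-addon"

# Select a subscription by name and fail fast if the context did not actually change.
function Use-Subscription {
    param([string]$Name)
    Get-AzureRmSubscription -SubscriptionName $Name | Select-AzureRmSubscription | Out-Null
    $ctx = Get-AzureRmContext
    if ($ctx.Subscription.Name -ne $Name) {
        throw "Context is '$($ctx.Subscription.Name)', expected '$Name'"
    }
    Write-Host "Context: subscription=$($ctx.Subscription.Name) tenant=$($ctx.Tenant.Id)"
    return $ctx
}

# Phase 1: resource group, event hub and key vault are created in the resource subscription
# (the original script's resource-creation steps go here).
$resourceCtx = Use-Subscription $resourceSub

# Phase 2: the app registration and service principal must be created in the tenant the
# subscription is federated with, so switch context before creating them.
$identityCtx = Use-Subscription $identitySub
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "http://$appName" -IdentifierUris "http://$appName"
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
if ([string]::IsNullOrEmpty($sp.Id)) {
    throw "Service principal was not created in tenant $($identityCtx.Tenant.Id); refusing to continue"
}
Start-Sleep -Seconds 15   # allow the new principal to propagate before it is referenced

# Phase 3: switch back for the Reader role assignment and the vault access policy.
Use-Subscription $resourceSub | Out-Null
if ($resourceCtx.Tenant.Id -ne $identityCtx.Tenant.Id) {
    # A key vault only authorizes principals from its own tenant; an object from another
    # tenant is exactly what surfaces as "Cannot find the Active Directory object ''".
    throw "Vault tenant $($resourceCtx.Tenant.Id) differs from app tenant $($identityCtx.Tenant.Id)"
}
New-AzureRmRoleAssignment -RoleDefinitionName "Reader" -ServicePrincipalName $app.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $app.ApplicationId -PermissionsToSecrets Get,List
```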

sebastus commented 5 years ago

Thank you for sharing the solution. I'm sure others will appreciate it.

On Thu, Dec 6, 2018 at 8:06 PM aaslanyan2 notifications@github.com wrote:

Resolved the issue. Long story short, when dealing with multiple subscriptions, as would be the case if you are using federation with Azure AD, you will need to add lines to your script to instruct it to log into different Azure contexts.

We ended up using a single account that has owner-like privilege to both Azure subscriptions, added the following:

- Add this to the top of the script (make it the first line): Get-AzureRmSubscription -SubscriptionName "Name of Subscription" | Select-AzureRmSubscription
- Add this to the line above where it says "#Create an Azure AD App Registration": Get-AzureRmSubscription -SubscriptionName "Name of subscription that you are federated with, since this is where the Azure AD App registration account gets created" | Select-AzureRmSubscription
- Add this to the line above where it says "# Assign the service principal to the Reader role for the Azure subscription": Get-AzureRmSubscription -SubscriptionName "Name of Subscription" | Select-AzureRmSubscription

Adding these AzureRM commands allows the script to jump between contexts and allow proper creation of resources, app account, registration, enrollment of secrets into the key vault and all other setup in between. This was the only way we could get things to work when dealing with a federated environment. The web-based guide that's also published did not work with a federated environment, but did work just fine with a single subscription/Azure AD environment.

Hope this helps.
