Azure – Using KeyVault with PowerShell – Updated

Azure Key Vault is used to safely manage secrets, certificates and cryptographic keys used by cloud and on-premises applications. After the secrets are stored in Azure Key Vault, we can assign access policies to user accounts or SPNs so that only they can retrieve and use them.

In this post, I will cover,

  • How to create Azure Key Vault
    • Create and update secrets in Azure Key Vault
  • Create a new Azure AD application and SPN
    • Create a client Secret
  • Assign a policy in Azure Key Vault to allow access to the SPN we create
  • Store the Azure AD application ID and client secret in the SecretStore vault
  • Retrieve Secret from Azure Key vault using credentials stored in SecretStore vault

I’ll go through the steps in both the portal and via PowerShell.

Before proceeding further, make sure you are connected to both Azure AD and Azure via PowerShell. You may or may not use the same account for both; either way you can use the cmdlets below and adjust them where necessary. A Global Administrator account is not required for this: registering an application needs the Application Developer (or Application Administrator) role, and creating the vault needs Contributor on the resource group.

# Azure AD (AzureAD module): used below for the app registration, service principal and client secret
$AzureADcred = Get-Credential
Connect-AzureAD -Credential $AzureADcred
# Azure Resource Manager (Az module): used for the Key Vault itself
# -Credential only works for accounts without MFA; for an MFA-protected account drop it and sign in interactively
$Azcred = Get-Credential
$SubsName = Read-Host "Enter Azure Subscription Name"
Connect-AzAccount -Credential $Azcred -Subscription $SubsName

Azure Key Vault

Register Resource Provider

Using PowerShell

Use the cmdlet below to register 'Microsoft.KeyVault' as a resource provider in the subscription,

Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

To confirm the registration is successful (the state should read Registered),

(Get-AzResourceProvider -ProviderNamespace Microsoft.KeyVault).RegistrationState | Select-Object -Unique

Using Azure Portal

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Navigate to Subscriptions
  3. Click to select the desired Subscription
  4. In the left navigation menu, click on Resource providers
  5. Search for Microsoft.KeyVault
  6. Click on Microsoft.KeyVault
  7. Click Register
  8. Once complete, Status column for Microsoft.KeyVault will show Registered
Register Resource provider – Microsoft.KeyVault

Create Azure Key Vault

Using PowerShell

To proceed further, launch PowerShell and install the Az.KeyVault PowerShell module (elevation is only needed for an all-users install; -Scope CurrentUser works without it)

Install-Module -Name Az.KeyVault -Scope CurrentUser

The New-AzKeyVault cmdlet creates a new Key Vault in Azure. To determine the locations where Key Vault is offered, use the cmdlet below,

Get-AzLocation | Where-Object {$_.Providers -contains "Microsoft.KeyVault"} | ft

Use the cmdlets below to create a new Key Vault,

$kvName = Read-Host "Enter a name for Key Vault"
$rg = Read-Host "Enter Resource Group Name"   # the resource group must already exist
$loc = Read-Host "Enter Azure location"
# Soft delete is on by default. Consider adding -EnablePurgeProtection so a deleted vault or secret cannot be
# permanently purged during the retention period, even by an account with delete rights (it cannot be turned off later)
New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $loc

To confirm Key Vault creation,

Get-AzKeyVault -VaultName $kvName

Using Azure Portal

To create a new Key Vault from the Azure portal,

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Search for key vault
  3. Click Create or Create key vault
  4. Provide below information,
    • Subscription
    • Resource group
    • Key vault name
    • Region
    • Pricing tier
  5. Leave the other options default and click Review + create
    • The other options in the creation steps,
      • Access policy = I’ll go through it later in this post
      • Networking = All networks makes the vault reachable from any IP address; fine for this demo, but for production restrict it with the Key Vault firewall or a private endpoint
      • Tags = As necessary

Below are my settings,

Create a key vault

Create SPN in Azure AD

In this step, we’re creating a service principal in Azure AD. We will assign this SP permission to retrieve secrets from the Azure Key Vault in a later step.

In Azure AD, the application registration is the template used to create the SP, and the SP is the object that actually gets authenticated and authorized. The application and its SP share the same Application ID, but each has its own Object ID.

To create a new Azure AD application,

$appname = Read-Host "Enter a name for the Azure AD application"
New-AzureADApplication -DisplayName $appname

To create a service principal for the application (the SP is what signs in and what Key Vault will authorize),

$appname = Read-Host "Enter name of Azure AD application"
# Look up the Application (client) ID; the SP shares it with the application object
$AppId = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").AppId
New-AzureADServicePrincipal -AccountEnabled $true -AppId $AppId -DisplayName $appname

Create Client Secret

Next, we create a new client secret using the New-AzureADApplicationPasswordCredential cmdlet. Give it an explicit, short -EndDate; a secret that is never rotated is the first thing an attacker who finds an old script will try,

$appname = Read-Host "Enter Azure AD application name to determine Object ID"
# The password credential belongs to the application object, so this needs the Object ID, not the App ID
$appObjID = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").ObjectId
$KeyId = Read-Host "Enter value for secret identifier"
New-AzureADApplicationPasswordCredential -ObjectId $appObjID -CustomKeyIdentifier $KeyId -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(6)

Copy the Value field from the output somewhere safe; it is shown only once and cannot be retrieved later. Once it is stored in the SecretStore vault later in this post, delete that copy.

Assign Permissions

Using PowerShell

We can grant the service principal we created above the permissions it needs with the Set-AzKeyVaultAccessPolicy cmdlet. Grant only get and list on secrets; nothing in this setup needs set, delete or purge,

$appname = Read-Host "Enter Azure AD application name to determine its Application ID"
$Appid = (Get-AzureADApplication -Filter "DisplayName eq '$appname'").AppId
$kvName = Read-Host "Enter the Key Vault name"
# -ServicePrincipalName accepts the Application (client) ID of the SPN
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $Appid -PermissionsToSecrets list,get

Using Azure Portal

  1. Login to Azure Portal (https://portal.azure.com/)
  2. Search for Key vault
  3. Click on the Key Vault we created earlier
  4. In the left navigation menu, click on Access policies
  5. Select Permission model as Vault access policy (a vault created with the newer default, Azure role-based access control, ignores access policies; there you would assign the Key Vault Secrets User role to the SPN instead)
  6. Click +Add Access Policy
  7. In the Add access policy window
    • For Secret permissions, select Get and List
    • For Select principal, select the SPN we created earlier
  8. Click Add
  9. Click Save to save policy
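Before moving on, it is worth being able to answer "who can read this vault's secrets?" as precisely as the grant above. The script below is an added example, not part of the original post: Grant-KvSecretReader grants read-only secret access under whichever permission model the vault uses (access policy or Azure RBAC), and Get-KvSecretAccessReport lists every principal with access and flags anything beyond get/list. It assumes the Az.KeyVault and Az.Resources modules, an existing Connect-AzAccount session and an SPN already created as above; the vault name kv-demo-01 in the usage lines is a placeholder.

```powershell
# Added example, not code from the original post. Assumes Az.KeyVault and Az.Resources are loaded,
# Connect-AzAccount has run, and the caller can read the vault and its role assignments.

function Grant-KvSecretReader {
    # Grants read-only access to secrets under whichever permission model the vault uses.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$ApplicationId   # Application (client) ID of the SPN
    )
    $kv = Get-AzKeyVault -VaultName $VaultName
    if (-not $kv) { throw "Vault '$VaultName' not found in the current subscription" }
    # Access is granted to the service principal's own object ID, not the app registration's
    $sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
    if (-not $sp) { throw "No service principal found for application $ApplicationId" }

    if ($kv.EnableRbacAuthorization) {
        # RBAC model: access policies are ignored, so a role assignment scoped to the vault is needed
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Key Vault Secrets User' -Scope $kv.ResourceId
    } else {
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets get,list
    }
}

function Get-KvSecretAccessReport {
    # Lists every identity that can reach secrets in the vault and flags more than read access.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string[]]$WritePermissions = @('all','set','delete','purge','backup','restore','recover'),
        [string[]]$WriteRoles = @('Owner','Contributor','Key Vault Administrator','Key Vault Secrets Officer')
    )
    $kv = Get-AzKeyVault -VaultName $VaultName
    if (-not $kv) { throw "Vault '$VaultName' not found in the current subscription" }

    if ($kv.EnableRbacAuthorization) {
        foreach ($ra in Get-AzRoleAssignment -Scope $kv.ResourceId) {
            [pscustomobject]@{
                Model        = 'RBAC'
                Principal    = $ra.DisplayName
                ObjectId     = $ra.ObjectId
                Permissions  = $ra.RoleDefinitionName
                # Assignments inherited from the resource group or subscription are easy to overlook
                Inherited    = ($ra.Scope -ne $kv.ResourceId)
                MoreThanRead = ($ra.RoleDefinitionName -in $WriteRoles)
            }
        }
    } else {
        foreach ($p in $kv.AccessPolicies) {
            $perms = @($p.PermissionsToSecrets)
            [pscustomobject]@{
                Model        = 'AccessPolicy'
                Principal    = $p.DisplayName
                ObjectId     = $p.ObjectId
                Permissions  = ($perms -join ',')
                Inherited    = $false
                MoreThanRead = (@($perms | Where-Object { $_ -in $WritePermissions }).Count -gt 0)
            }
        }
    }
}

# Usage: grant the SPN read access, then review everyone who can reach the vault's secrets
# Grant-KvSecretReader -VaultName 'kv-demo-01' -ApplicationId '<Application (client) ID>'
# Get-KvSecretAccessReport -VaultName 'kv-demo-01' | Sort-Object MoreThanRead -Descending | Format-Table
```

Run the report after every grant; an Owner or Contributor assignment inherited from the subscription shows up here even though it never appears on the vault's own Access policies blade.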

Manage Secrets in Key Vault

Applications, scripts or users can create, update, delete and retrieve secrets if they have the necessary policy assigned to them.

Creating/Updating Secrets

To create a new secret, we can use the Set-AzKeyVaultSecret cmdlet,

# 'Password' is a placeholder; in a real run use Read-Host -AsSecureString (or a generated value) so the secret never appears in the script
$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
$kvName = Read-Host "Enter the Key Vault name"
$SecName = Read-Host "Enter a name for secret"
Set-AzKeyVaultSecret -VaultName $kvName -Name $SecName -SecretValue $Secret

The secret can be updated to a new value using the same Set-AzKeyVaultSecret cmdlet; each call creates a new version of the secret, and the optional -Expires, -NotBefore and -Tags attributes are stored with that version,

$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force
$kvName = Read-Host "Enter a name for Key Vault"
$SecName = Read-Host "Enter a name for secret"
$Expires = (Get-Date).AddYears(2).ToUniversalTime()
$NBF =(Get-Date).ToUniversalTime()
$Tags = @{ 'Department' = 'IT'; 'Environment' = 'Production'}
Set-AzKeyVaultSecret -VaultName $kvName -Name $SecName -SecretValue $Secret -Expires $Expires -NotBefore $NBF -Tags $Tags
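Key Vault records the expiry we set above but does not stop anyone from reading an expired secret, so expiry is only useful if something acts on it. The following is an added example, not the post's own code. It assumes the Az.KeyVault module, an Az session with get, list and set on secrets, and consumers that re-read the secret from the vault rather than caching it. Get-KvSecretHygiene reports secrets that have no expiry, have expired or are about to; Invoke-KvSecretRotation writes a fresh random value as a new version with NotBefore, Expires and tags, and can disable the previous version once consumers have moved over. Names such as kv-demo-01 and SqlSaPassword are placeholders.

```powershell
# Added example, not code from the original post. Assumes Az.KeyVault is loaded and Connect-AzAccount
# has run as an identity with get/list/set on secrets. Vault and secret names below are placeholders.

function Get-KvSecretHygiene {
    # Reports secrets with no expiry, expired, or expiring within $WarnDays. Key Vault treats the exp
    # attribute of a secret as informational, so this report is what turns -Expires into action.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [int]$WarnDays = 30
    )
    $now = (Get-Date).ToUniversalTime()
    foreach ($s in Get-AzKeyVaultSecret -VaultName $VaultName) {
        $status = if (-not $s.Enabled)                            { 'Disabled' }
                  elseif (-not $s.Expires)                        { 'NoExpiry' }
                  elseif ($s.Expires -lt $now)                    { 'Expired' }
                  elseif ($s.Expires -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                  else                                            { 'OK' }
        [pscustomobject]@{
            Name    = $s.Name
            Status  = $status
            Expires = $s.Expires
            Updated = $s.Updated
            Tags    = (@($s.Tags.Keys) -join ',')
        }
    }
}

function New-KvRandomSecretValue {
    # 32 bytes from the OS CSPRNG, base64url-encoded so the value is safe inside connection strings
    param([int]$Bytes = 32)
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    $text = [Convert]::ToBase64String($buf).TrimEnd('=').Replace('+','-').Replace('/','_')
    ConvertTo-SecureString -String $text -AsPlainText -Force
}

function Invoke-KvSecretRotation {
    # Writes a new version with NotBefore/Expires/tags and, optionally, disables the previous version.
    # Disabling IS enforced by Key Vault (reads fail), so only do it once consumers use the new version.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name,
        [int]$LifetimeDays = 90,
        [hashtable]$Tags = @{},
        [switch]$DisablePrevious
    )
    $previous = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name   # $null on the first rotation
    $now = (Get-Date).ToUniversalTime()
    $tags = $Tags.Clone()
    $tags['RotatedOn'] = $now.ToString('yyyy-MM-ddTHH:mm:ssZ')
    $tags['RotatedBy'] = (Get-AzContext).Account.Id

    $new = Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue (New-KvRandomSecretValue) `
               -NotBefore $now -Expires $now.AddDays($LifetimeDays) -Tag $tags

    if ($previous -and $DisablePrevious) {
        Update-AzKeyVaultSecret -VaultName $VaultName -Name $Name -Version $previous.Version -Enable $false | Out-Null
    }
    # Return metadata only; the value stays in the vault
    [pscustomobject]@{ Name = $new.Name; Version = $new.Version; Expires = $new.Expires; PreviousVersion = $previous.Version }
}

# Usage:
# Get-KvSecretHygiene -VaultName 'kv-demo-01' | Where-Object Status -ne 'OK' | Format-Table
# Invoke-KvSecretRotation -VaultName 'kv-demo-01' -Name 'SqlSaPassword' -Tags @{ Department = 'IT' } -DisablePrevious
```

Rotate in two passes: first without -DisablePrevious so both versions are valid while the consuming systems pick up the new value, then with it (or by running the hygiene report) once the old version is no longer being read.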

Retrieving Secrets

To retrieve the current version of a secret, we use the Get-AzKeyVaultSecret cmdlet,

$kvName = Read-Host "Enter the Key Vault name"
$SecName = Read-Host "Enter a name for secret"
$secureText = (Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName).SecretValue

This assigns the stored secret to the $secureText variable as a SecureString. We can now pass this to any other cmdlet that requires a SecureString without ever converting it to plain text.

As I’ve already covered the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore PS modules in an earlier post, I’ll follow on from there and store the client secret we created in the local vault. This way, I don’t have to save the client secret in the code as plaintext. To do this, we store the Application ID and client secret as a PSCredential object in the store,

$credential = Get-Credential
# CredsDB is the SecretStore vault the automation lines below read from; adjust it to the vault you registered
Set-Secret -Vault CredsDB -Name azkv-01 -Secret $credential

In the Windows PowerShell Credential request window, for User Name input the Application (client) ID of the Azure AD application and for password input the Client Secret value we copied into a notepad earlier.

I’ve also created another secret as string in the local vault with my tenant ID value.

Putting this all together, we can use the lines below in PowerShell automation scripts,

# vpd.xml holds the SecretStore password, exported with Export-Clixml by the account that runs the script.
# Export-Clixml protects the SecureString with DPAPI, so only that Windows user on that machine can read it back;
# anyone able to run code as that account can still unlock the store, so protect the account, not just the file.
$vpwd = (Import-Clixml "C:\Scripts\vpd.xml").Password
Unlock-SecretStore -Password $vpwd
$TenantId = Get-Secret -Vault CredsDB -Name TenantId -AsPlainText
$credential = Get-Secret -Vault CredsDB -Name azkv-01
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $TenantId

To retrieve the secure string stored in Azure Key Vault, I’m using the lines below. For demo purposes I’m including -AsPlainText on Get-AzKeyVaultSecret, but as I mentioned earlier, we can keep the secret as a SecureString in a variable and pass it on to other cmdlets; -AsPlainText puts the value into the console output and any transcript, so leave it out of real scripts.

$kvName = Read-Host "Enter the Key Vault name"
$SecName = Read-Host "Enter a name for secret"
Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName -AsPlainText
#or
$secureText = (Get-AzKeyVaultSecret -VaultName $kvName -Name $SecName).SecretValue
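Wrapping the lines above in a function makes the failure modes explicit: a missing password file, a locked store, an SPN that cannot read the vault, or a secret past its expiry should stop the script rather than hand a null to the next cmdlet. This is an added example, not code from the original post. It assumes the SecretStore vault is registered as CredsDB and holds azkv-01 (a PSCredential of client ID and client secret) and TenantId, that C:\Scripts\vpd.xml was written with Export-Clixml by the same Windows account that runs the script, and that the Az.Accounts, Az.KeyVault and SecretManagement modules are installed; kv-demo-01 and SqlSaPassword in the usage line are placeholders.

```powershell
# Added example, not code from the original post. Assumes the SecretStore vault 'CredsDB' holds
# 'azkv-01' (PSCredential) and 'TenantId', and that vpd.xml was exported by the account running this.

function Get-KvSecretForAutomation {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [string]$StoreVault = 'CredsDB',
        [string]$StorePasswordFile = 'C:\Scripts\vpd.xml'
    )
    if (-not (Test-Path $StorePasswordFile)) {
        throw "SecretStore password file '$StorePasswordFile' not found. Create it once as the automation account: Get-Credential | Export-Clixml $StorePasswordFile"
    }
    # DPAPI-protected on Windows (same user, same machine); Export-Clixml does not protect SecureStrings elsewhere
    $storePassword = (Import-Clixml $StorePasswordFile).Password
    # Short timeout so the store re-locks itself shortly after this function returns
    Unlock-SecretStore -Password $storePassword -PasswordTimeout 60

    $spCredential = Get-Secret -Vault $StoreVault -Name 'azkv-01'
    $tenantId     = Get-Secret -Vault $StoreVault -Name 'TenantId' -AsPlainText
    if (-not $spCredential -or -not $tenantId) {
        throw "SPN credential or tenant id missing from SecretStore vault '$StoreVault'"
    }

    try {
        Connect-AzAccount -ServicePrincipal -Credential $spCredential -Tenant $tenantId -ErrorAction Stop | Out-Null
        $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
        if (-not $secret) {
            throw "Secret '$SecretName' not found in vault '$VaultName' (or the SPN lacks get permission)"
        }
        if ($secret.Expires -and $secret.Expires -lt (Get-Date).ToUniversalTime()) {
            # Key Vault still returns expired secrets; refuse to use one
            throw "Secret '$SecretName' expired on $($secret.Expires)"
        }
        return $secret.SecretValue   # SecureString; callers pass it on, never -AsPlainText
    }
    finally {
        # Drop the SPN session so a later part of the script cannot reuse its token by accident
        Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage: feed the SecureString straight into a credential object for the next cmdlet
# $dbCred = [pscredential]::new('sa', (Get-KvSecretForAutomation -VaultName 'kv-demo-01' -SecretName 'SqlSaPassword'))
```

The function returns only a SecureString, so the plaintext never lands in a variable, a transcript or the console; the one thing it cannot protect against is code running as the same Windows account, which can read vpd.xml just as it does.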

I know this was a lengthy post and it may have gotten a little confusing right at the end with too many things named vault🤷‍♂️

Hope this helped you figure out how to include Azure Key Vault in your PowerShell automations.

Thank you for stopping by ✌

Azure – Integrate Azure AD B2C with ServiceNow

If you aren’t familiar with Azure AD B2C, it is a customer identity access management (CIAM) solution and a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but serves a different purpose: it lets businesses build customer-facing applications that anyone can sign up for, without needing an account in the organization’s own directory. Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0 and SAML.

In an earlier post, I detailed steps on how to configure ServiceNow with Azure AD SSO. In this post, I will go through steps on how to integrate Azure AD B2C with ServiceNow.

Below is a diagram showing the high-level implementation steps for this integration,

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that provides a modern Single Sign-on (SSO) experience. ServiceNow supports OIDC, so it can authenticate users against Azure AD B2C.

I will not cover the Azure AD B2C tenant creation steps in this post.

Create new user flow

A user flow lets us determine how users interact with our application when they do things like sign-in, sign-up, edit a profile, or reset a password.

  1. Sign in to the Azure portal
  2. Make sure you’re using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch
  4. In the Azure portal, search for and select Azure AD B2C
  5. Under Policies, select User flows, and then select New user flow
  6. On the Create a user flow page, select the Sign up and sign in user flow
  7. Under Version, select Recommended, and then select Create
  8. Enter a Name for the user flow. For example, su_si-1
  9. For Identity providers, select Email signup
  10. Under User attributes and token claims, choose the claims and attributes to collect from the user during sign-up and send in the token. Select Show more, choose the attributes and claims, then click OK. The screenshot shows the attributes I’m collecting, but it is up to you; these can be modified in the user flow at any time
  11. Click Create to add the user flow. The prefix B2C_1_ is automatically added to the name

Create App Registration

  1. Stay logged into the Azure portal
  2. Make sure you are in the B2C directory
  3. In the left navigation menu, under Manage, Click App registrations, and then select New registration
  4. Enter a Name for the application. For example, ServiceNow
  5. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows)
  6. Under Redirect URI, select Web, then enter your ServiceNow instance URL followed by /navpage.do (for example https://<yourinstance>/navpage.do)
  7. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box
  8. Click Register

Create a client secret

The client secret is also known as an application password. ServiceNow presents it to the B2C token endpoint when exchanging an authorization code for tokens, so treat it like any other credential.

  1. In the left menu, under Manage, select Certificates & secrets
  2. Click New client secret
  3. Enter a description for the client secret in the Description box. For example, SnowSecret
  4. Under Expires, select a duration for which the secret is valid, and then select Add
    • Note down the secret’s Value for use in ServiceNow. This value is never displayed again after you leave this page

Information needed to configure ServiceNow instance

  1. Click on the Overview, copy the Application (client) ID
  2. Next Click Endpoints
  3. Copy the value in Azure AD B2C OpenID Connect metadata document
  4. Replace the policy-name placeholder in that URL with the user flow name we created earlier, e.g. B2C_1_su_si-1. Browse to the URL in a web browser to confirm it returns the metadata document (a wrong user flow name returns an error instead)
  5. You should have these 3 values,
    • Application (client) ID
    • Client Secret Value
    • OIDC well-known endpoint
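Step 4 says to browse to the metadata URL; a script can check the document more carefully than a glance in the browser. The function below is an added example rather than part of the original post. It takes the parsed discovery document and confirms that every endpoint is HTTPS on the issuer’s host, that the authorization endpoint references the intended user flow, that the authorization code flow, the openid scope and the emails claim (the User Claim configured in ServiceNow later) are advertised, and that a client secret can be used at the token endpoint. The JSON in the block is constructed sample data shaped like a B2C discovery document for a made-up tenant named contoso; against your tenant, feed it the output of Invoke-RestMethod on the well-known URL.

```powershell
# Added example, not part of the original post. The embedded JSON is constructed sample data for a
# made-up tenant 'contoso'; pass the real document from Invoke-RestMethod on the well-known URL.

function Test-B2cOidcMetadata {
    param(
        [Parameter(Mandatory)]$Metadata,          # object from ConvertFrom-Json / Invoke-RestMethod
        [Parameter(Mandatory)][string]$UserFlow,  # e.g. B2C_1_su_si-1
        [string]$RequiredClaim = 'emails'         # the User Claim ServiceNow is configured to read
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Every endpoint must be HTTPS and on the issuer's host, or codes and tokens could be sent elsewhere
    $issuerHost = ([uri]$Metadata.issuer).Host
    foreach ($ep in 'authorization_endpoint','token_endpoint','jwks_uri') {
        $u = [uri]$Metadata.$ep
        if ($u.Scheme -ne 'https')   { $problems.Add("$ep is not https") }
        if ($u.Host -ne $issuerHost) { $problems.Add("$ep host '$($u.Host)' differs from issuer host '$issuerHost'") }
    }
    # The policy name in the endpoint proves the placeholder was replaced with the intended user flow
    if ($Metadata.authorization_endpoint -notmatch [regex]::Escape($UserFlow)) {
        $problems.Add("authorization_endpoint does not reference user flow '$UserFlow'")
    }
    if ('code' -notin $Metadata.response_types_supported)           { $problems.Add('authorization code flow not supported') }
    if ('openid' -notin $Metadata.scopes_supported)                 { $problems.Add('openid scope not advertised') }
    if ($RequiredClaim -notin $Metadata.claims_supported)          { $problems.Add("claim '$RequiredClaim' not in claims_supported") }
    if ('none' -in $Metadata.id_token_signing_alg_values_supported) { $problems.Add("'none' signing algorithm advertised") }
    if ('client_secret_post' -notin $Metadata.token_endpoint_auth_methods_supported -and
        'client_secret_basic' -notin $Metadata.token_endpoint_auth_methods_supported) {
        $problems.Add('no client-secret auth method at the token endpoint')
    }

    [pscustomobject]@{ Issuer = $Metadata.issuer; UserFlow = $UserFlow; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample shaped like a B2C discovery document (not a real tenant)
$sample = @'
{
  "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
  "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_su_si-1/oauth2/v2.0/authorize",
  "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_su_si-1/oauth2/v2.0/token",
  "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_su_si-1/discovery/v2.0/keys",
  "response_types_supported": ["code","code id_token","id_token"],
  "scopes_supported": ["openid"],
  "claims_supported": ["name","emails","sub","idp","tfp","iss","iat","exp","aud","nonce","auth_time"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post","client_secret_basic"]
}
'@ | ConvertFrom-Json

Test-B2cOidcMetadata -Metadata $sample -UserFlow 'B2C_1_su_si-1'
# Against the real tenant:
# Test-B2cOidcMetadata -Metadata (Invoke-RestMethod -Uri $wellKnownUrl) -UserFlow 'B2C_1_su_si-1'
```

If Problems lists the emails claim as missing, go back to the user flow and add Email Addresses under Application claims before continuing; otherwise the User Claim mapping later in ServiceNow will never match.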

Configure ServiceNow Instance

Hopefully, you already have SSO enabled in your ServiceNow instance. If not, please refer to this earlier post of mine

  1. Search for multi-provider sso and click Properties
  2. Enable multiple provider SSO
    • You’ll be asked to set up a recovery account
  3. Under Multi-Provider SSO, click Identity Providers
  4. Click New
  5. Click OpenID Connect
  6. In the Import OpenID Connect Well Known Configuration window, provide the following information
    • Name = Name of the IdP you wish. Example, B2C
    • Client ID = Application (client) ID from the Azure B2C application
    • Client Secret = Client Secret Value we created earlier in the application
    • Well Known Configuration URL = URL we constructed earlier with the policy name
  7. Click Import
  8. Make sure the new IdP is marked Active and Show as Login option is checked
  9. Click on the OIDC Entity tab and click to open the OIDC Entity
  10. Click on OAuth Entity Scopes, double-click on OAuth scope and replace openid with the value below
    • Use your Application (client) ID from the B2C app registration
<Application (client) ID> openid offline_access profile email

This OAuth Scope value is required to generate an access token, and without it ServiceNow errors out with a missing parameter. I realized this later on based on my research: I initially left it at openid, and searching for the error led me to this.

  11. Click Update to save changes
  12. Click on OIDC Provider Configuration
  13. Click on the OIDC provider value
  14. Update the User Claim to emails
  15. Click Update
  16. To keep things simple, I’m not enabling the Automatic user provisioning option
    • You can choose to enable automatic user provisioning during user login. When it is enabled, a user record is automatically created in the ServiceNow instance if that user record does not exist.
  17. Back in the Identity provider window, click Update to save the OIDC Identity Provider values
  18. Navigate to the login page of the instance to verify that the IdP appears as a login option
  19. Create a test user in ServiceNow and log in with the credentials to test whether the IdP configuration works
  20. Optionally you can browse to the login page with a URL in the following format,
    • To determine the sys_id, open the OIDC Identity provider we created, right-click on the grey bar and click Copy sys_id
    • Replace this sys_id in the URL below
    • This URL will take you directly to the sign-in page
https://<yourinstance>/login_with_sso.do?glide_sso_id=<sys_id>

Hope this post helped you in setting up your ServiceNow instance with Azure AD B2C.

Thank you for stopping by. ✌

Power BI – Analyze Azure Costs

Most organizations have Enterprise Agreement (EA) accounts for Azure billing. Microsoft offers the Cost Management App, which can be used to view and analyze Azure costs in Power BI; it only works with EA accounts.

But you might have situations where you manage Azure billing under a Microsoft Customer Agreement. Microsoft has updated the Azure Cost Management connector in Power BI to support Customer Agreement accounts. The connector for Power BI Desktop can be used to build customized visualizations and reports that help us understand Azure spending.

Azure Cost Management allows 3 kinds of connections:

  • Customer Agreement: Common for small business or individual accounts
  • Enterprise Agreement: Accounts used by big organizations where payment goes through via purchase orders and such
  • Billing Profile: A subset of a Customer Agreement that lets us organize costs by rules such as cost center or department

To proceed further, make sure you have the Power BI desktop App downloaded and installed on your machine.

Determine Billing Information in Azure

To connect to a billing account, we need to retrieve the Billing account ID from Azure portal:

  1. In the Azure portal, search for Cost Management + Billing
  2. Select Billing profile
  3. In the left navigation menu, under Settings, select Properties
    • Make sure your account has at least the Billing account reader role on this billing account
    • This can be determined by clicking on Billing scopes in the left navigation menu or in the Properties tab
  4. Under Billing profile, copy ID
Billing Account ID

Connect using Azure Cost Management in Power BI

To use the Azure Cost Management connector in Power BI Desktop:

  1. Launch Power BI Desktop
  2. Click Get data from the splash page or from the Home ribbon
  3. Click Azure from the list of data categories
  4. Select Azure Cost Management
  5. Under Choose Scope,
    • To connect to a Billing Account
      • Select Manually Input Scope and input the connection string in the format below, with the {billingAccountId} that we determined in the earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}
    • To connect to a Billing profile
      • Select Manually Input Scope and input the connection string in the format below; the {billingAccountId} and {billingProfileId} can be determined in the same Properties tab as in the earlier section
        • /providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}
    • To connect to an EA account
      • Select Enrollment Number and type the account number
  6. For the number of months, I’m entering 12 but this is up to you
    • The Advanced Options can be left blank
  7. Click OK
  8. A Navigator window shows all the available data tables
    • Select a table to see a preview dialog
    • One or more tables can be selected by ticking the boxes beside their names and then clicking Load
      • For the report I have in mind, I only need the Usage details table and I’m selecting it to be loaded
  9. When we select Load, the data is loaded into Power BI Desktop
    • Depending on the tables you choose, you may be asked to authenticate
    • When the data we selected is loaded, the data tables and fields are shown in the Fields pane

Data available through the connector:

  • Balance summary: Summary of the balance for the current billing month (EA only)
  • Billing events: Event log of new invoices, credit purchases, etc. (Microsoft Customer Agreement only)
  • Budgets: Budget details to view actual costs or usage against existing budget targets
  • Charges: A month-level summary of Azure usage, Marketplace charges, and charges billed separately (Microsoft Customer Agreement only)
  • Credit lots: Azure credit lot purchase details for the provided billing profile (Microsoft Customer Agreement only)
  • Pricesheets: Applicable meter rates for the provided billing profile or EA enrollment
  • RI charges: Charges associated with Reserved Instances over the last 24 months. This table is being deprecated; use RI transactions instead
  • RI recommendations (shared): Reserved Instance purchase recommendations based on all subscription usage trends for the last 30 days
  • RI recommendations (single): Reserved Instance purchase recommendations based on single subscription usage trends for the last 30 days
  • RI transactions: List of transactions for reserved instances at billing account scope
  • RI usage details: Consumption details for existing Reserved Instances over the last month
  • RI usage summary: Daily Azure reservation usage percentage
  • Usage details: A breakdown of consumed quantities and estimated charges for the given billing profile or EA enrollment
  • Usage details amortized: A breakdown of consumed quantities and estimated amortized charges for the given billing profile or EA enrollment

I built this visualization below using some of these fields,

Visualization showing Azure cost by ResourceGroup Name, Date, Meter and Meter sub-category

The data is there and you are only limited by the amount of time you have to spend within Power BI, and your imagination.😉

I’m a big fan of Tableau and I love creating visualizations. Now I’ve started using Power BI more and more with Azure related stuff. Plus Power BI Pro comes bundled with Office 365 E5.

Hope this post helped you in setting up your Azure cost reports with Power BI.

Thank you for stopping by. ✌