Az Hybrid Connection Manager Configuration - Az Powershell Function

PS 396 Reputation points
2023-02-01T22:15:24.6933333+00:00

Hi All,

I am configuring an Azure PowerShell function to communicate with Windows AD using Hybrid Connection Manager. Everything seems to be connected and I was able to run the basic cmdlet "Get-Service" (Code # 1) successfully.

Code # 1

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Output "PowerShell HTTP trigger function processed a request."

# Note that ContosoUserPassword is a function app setting, so I can access it as $env:ContosoUserPassword.
$UserName = $Env:ContosoUserName
$securedPassword = ConvertTo-SecureString  $Env:ContosoUserPassword -AsPlainText -Force
$Credential = [System.management.automation.pscredential]::new($UserName, $SecuredPassword)

# This is the name of the hybrid connection Endpoint.
$HybridEndpoint = $Env:HybridEndpoint

$Script = {
    Param(
        [Parameter(Mandatory=$True)]
        [String] $Service
    )
    Get-Service $Service
}

Write-Output "Scenario 1: Running command via Invoke-Command"
Invoke-Command -ComputerName $HybridEndpoint `
               -Credential $Credential `
               -Port 5986 `
               -UseSSL `
               -ScriptBlock $Script `
               -ArgumentList "*" `
               -SessionOption (New-PSSessionOption -SkipCACheck)

However, when I run the Active Directory cmdlet "Get-AdUser" (Code # 2)

Code # 2


# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Output "PowerShell HTTP trigger function processed a request."

# Note that ContosoUserPassword is a function app setting, so I can access it as $env:ContosoUserPassword.
$UserName = $Env:ContosoUserName
$securedPassword = ConvertTo-SecureString  $Env:ContosoUserPassword -AsPlainText -Force
$Credential = [System.management.automation.pscredential]::new($UserName, $SecuredPassword)

# This is the name of the hybrid connection Endpoint.
$HybridEndpoint = $Env:HybridEndpoint

$Script = {
    Param(
        [Parameter(Mandatory=$True)]
        [String] $Service
    )
#    Get-Service $Service
     Get-AdUser -Identity $Env:SampleSID
}

Write-Output "Scenario 1: Running command via Invoke-Command"
Invoke-Command -ComputerName $HybridEndpoint `
               -Credential $Credential `
               -Port 5986 `
               -UseSSL `
               -ScriptBlock $Script `
               #-ArgumentList "*" `
               -SessionOption (New-PSSessionOption -SkipCACheck)

I get the following error.

2023-02-02T00:33:05Z   [Information]   OUTPUT: PowerShell HTTP trigger function processed a request.
2023-02-02T00:33:05Z   [Information]   OUTPUT: Scenario 1: Running command via Invoke-Command
2023-02-02T00:33:05Z   [Warning]   The Function app may be missing a module containing the '-SessionOption' command definition. If this command belongs to a module available on the PowerShell Gallery, add a reference to this module to requirements.psd1. Make sure this module is compatible with PowerShell 7. For more details, see https://aka.ms/functions-powershell-managed-dependency. If the module is installed but you are still getting this error, try to import the module explicitly by invoking Import-Module just before the command that produces the error: this will not fix the issue but will expose the root cause.
2023-02-02T00:33:05Z   [Information]   Executed 'Functions.HttpTrigger1' (Succeeded, Id=4cb01938-da4a-418e-b662-e8020198e4e3, Duration=1787ms)

Can someone please provide some insight into this error and share any resources that would help me troubleshoot this issue?

TIA.


3 answers

  1. Limitless Technology 44,126 Reputation points
    2023-02-02T17:25:40.28+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    Getting Windows AD to communicate with an Azure PowerShell function can be a tricky process, but it is possible if you know the right steps. After running the basic cmdlet "Get-Service", you'll need to make sure that the Hybrid Connection Manager (HCM) is configured properly.

    The first step is to check that the service bus namespace is connected to the HCM. To do this, use the cmdlet Get-AzureRmServiceBusNamespace (Code # 2). This will give you a list of all the Namespaces that are connected, which you can then match to the one associated with the HCM.

    Once that's done, you will need to create a new HCM resource group to ensure that all the settings are configured properly. To do this, use the cmdlet New-AzureRmResourceGroup (Code # 3). You can then use the cmdlet Set-AzureRmResourceGroup (Code # 4) to update the HCM configuration, which will in turn allow the Azure PowerShell function to communicate with Windows AD.

    Finally, you'll need to use the cmdlet Set-AzureRmHybridConnection (Code # 5) to set the parameters for the HCM. This will allow the two systems to communicate, and you'll be ready to go.

    By following these steps, you should be able to successfully configure a PowerShell function to communicate with Windows AD using Hybrid Connection Manager. Good luck!

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. PS 396 Reputation points
    2023-02-03T17:02:38.1833333+00:00

    @Limitless Technology, thank you for your reply. While checking for AzureRmServiceBusNamespace, I am getting the following exception.

    PS C:\Windows\System32> Get-AzServiceBusNamespace
    Get-AzServiceBusNamespace: The 'Get-AzServiceBusNamespace' command was found in the module 'Az.ServiceBus', but the module could not be loaded. For more information, run 'Import-Module Az.ServiceBus'.
    PS C:\Windows\System32> Import-Module Az.ServiceBus
    Import-Module: Assembly with same name is already loaded
    
    

    However, I need some more clarification on

    "Once that's done, you will need to create a new HCM resource group to ensure that all the settings are configured properly."

    Why would I need to create a new HCM RG when I already have an existing one which is configured properly and am able to run the basic cmdlets? Also, would you mind explaining what "all the settings" means, and what else I should be looking for?

    "Finally, you'll need to use the cmdlet Set-AzureRmHybridConnection (Code # 5) to set the parameters for the HCM. This will allow the two systems to communicate, and you'll be ready to go"

    I was able to establish the connection successfully as the basic cmdlet ran without any issues.

    TIA.


  3. Rich Matheisen 45,906 Reputation points
    2023-02-03T21:12:38.79+00:00

    You've effectively removed the back-tick at the end of the "-ArgumentList" parameter by making the line a comment.

    If you look closely at the error message, the "function app" that's missing is "<HYPHEN>SessionOption". No function would ever use a hyphen in its name.

    A better way to do this might be to use "splatting" to pass the parameters to the Invoke-Command:

    $par = @{
        ComputerName = $HybridEndpoint
        Credential = $Credential
        Port = 5986
        UseSSL = $true
        ScriptBlock = $Script
    #   ArgumentList = "*"
        SessionOption = (New-PSSessionOption -SkipCACheck)
    }
    
    Invoke-Command @par
    
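The failure described in the last answer can be caught before deployment. The following is an added example, not code from the thread: it uses the PowerShell parser to flag any command whose name begins with a hyphen, which is what a parameter line becomes when a commented-out line breaks a back-tick continuation. The function name `Find-OrphanedParameter` and both sample scripts are constructed for illustration.

```powershell
function Find-OrphanedParameter {
    param([Parameter(Mandatory)][string] $ScriptText)

    $tokens = $null
    $errors = $null
    # Parse only; nothing in $ScriptText is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Collect every command invocation, including nested ones.
    $commands = $ast.FindAll(
        { $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $first = $cmd.CommandElements[0].Extent.Text
        # A command that starts with '-' is a parameter cut off from the
        # statement it was meant to belong to.
        if ($first.StartsWith('-')) {
            [pscustomobject]@{
                Line = $cmd.Extent.StartLineNumber
                Text = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample: the commented line swallows its trailing back-tick,
# so the statement ends there and the next line is parsed as a new command.
$broken = @'
Invoke-Command -ComputerName $HybridEndpoint `
               -ScriptBlock $Script `
               #-ArgumentList "*" `
               -SessionOption (New-PSSessionOption -SkipCACheck)
'@

# Constructed sample: the splatted form, where a commented-out key is harmless.
$splatted = @'
$par = @{
    ComputerName  = $HybridEndpoint
    ScriptBlock   = $Script
#   ArgumentList  = "*"
    SessionOption = (New-PSSessionOption -SkipCACheck)
}
Invoke-Command @par
'@

Find-OrphanedParameter -ScriptText $broken
Find-OrphanedParameter -ScriptText $splatted
```

The orphaned line does not stop the function from reporting success, as the log in the question shows, so a static check like this is more reliable than watching the invocation result.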