How to execute password rotation for non-admin users of a VM using Azure Key Vault and Azure Automation Account?

Syed Harith Zaki 180 Reputation points
2024-07-29T02:24:27.9666667+00:00

I want to set up automated password rotation for my VM using Azure Key Vault and Azure Automation Account. I have used this article: https://www.advatek.co.uk/blog/enhancing-security-with-azure-key-vault-automated-password-rotation as a guide to do this. However, I found that the script provided is only applicable to rotate the password for the local admin of the VM. In my case, I plan to rotate the passwords for the local admin along with other users of the VM. I was wondering if the 'Set-AzVMExtension' with the name 'VMAccessAgent' only works for local admin credentials. If it does, are there any alternative methods to change the password of other local users using PowerShell? Thank you.


Accepted answer
  1. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-07-30T20:13:19.0266667+00:00

    Hello @Syed Harith Zaki,

    Thank you for posting your query on Microsoft Q&A.

    The Set-AzVMExtension cmdlet with the VMAccessAgent extension is primarily used for resetting or updating the credentials of the local administrator account on an Azure VM. However, it does not directly support changing the passwords of other local user accounts.

    To change the passwords of other local user accounts on a VM, you can use a custom script that runs inside the VM itself. This can be done using the Run Command feature of Azure Virtual Machines, which allows you to run scripts on the VM remotely.

    Here's an alternative method you can use to change the passwords of other local users using PowerShell and Azure Automation Account:

    1. Create a PowerShell script that changes the password of the desired local user accounts on the VM.
    2. Create a Runbook in Azure Automation Account: Create a PowerShell Runbook in your Azure Automation Account that downloads and executes the script on the VM. You can save this script as a .ps1 file and then use the 'Invoke-AzVMRunCommand' cmdlet to run it on the VM. Here is an example command that you can use: Invoke-AzVMRunCommand -ResourceGroupName "myResourceGroup" -Name "myVM" -CommandId "RunPowerShellScript" -ScriptPath "C:\Scripts\Reset-LocalUserPassword.ps1"
    3. Schedule the Runbook: Schedule the Runbook to run at your desired interval to rotate the passwords of the specified users.

    By using the Invoke-AzVMRunCommand cmdlet, you can execute the custom script that changes the password of any local user on the VM.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Thanks,
    Raja Pothuraju.
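The three steps in the accepted answer, as an added example that is neither the answer's script nor the blog post's code. It assumes a vault named "kv-rotation", a VM "myVM" in "myResourceGroup", local accounts "svc-backup" and "svc-monitor", that the Automation account's managed identity can write Key Vault secrets and invoke Run Command on the VM, and that the VM's own system-assigned identity holds the Key Vault Secrets User role; the in-VM script pulls each new password from Key Vault itself, so no password is passed as a Run Command parameter.

```powershell
param(
    [string]$ResourceGroupName = 'myResourceGroup',
    [string]$VMName            = 'myVM',
    [string]$VaultName         = 'kv-rotation',                   # assumed vault name
    [string[]]$LocalUsers      = @('svc-backup', 'svc-monitor')  # assumed local accounts
)

# The runbook signs in with the Automation account's managed identity.
Connect-AzAccount -Identity | Out-Null

# 24 characters from a 64-symbol alphabet drawn from a CSPRNG (64 divides 256, so no modulo bias).
function New-RandomPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Script executed inside the VM by Run Command. It receives only secret names;
# the VM's managed identity fetches each value from Key Vault through IMDS,
# so no password passes through Run Command parameters or their logs.
$inVmScript = @'
param([string]$VaultName, [string]$SecretMap)
$imds  = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net'
$token = (Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri $imds).access_token
foreach ($pair in $SecretMap.Split(';')) {
    $user, $secret = $pair.Split('=')
    $uri   = "https://$VaultName.vault.azure.net/secrets/${secret}?api-version=7.4"
    $value = (Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri $uri).value
    Set-LocalUser -Name $user -Password (ConvertTo-SecureString $value -AsPlainText -Force)
    Write-Output "rotated $user"
}
'@

# Write a fresh password per user to Key Vault first (older versions stay available for rollback).
$map = foreach ($user in $LocalUsers) {
    $secretName = "$VMName-$user"
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -SecretValue $secure | Out-Null
    "$user=$secretName"
}

# Then tell the VM which secrets to apply to which accounts.
$scriptFile = Join-Path $env:TEMP 'Set-LocalUserPasswords.ps1'
Set-Content -Path $scriptFile -Value $inVmScript
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptFile `
    -Parameter @{ VaultName = $VaultName; SecretMap = ($map -join ';') }
$result.Value[0].Message
```

Check the returned Message for one "rotated" line per user before trusting the new secret versions; if the in-VM step fails, the previous password still works and the prior secret version is still in the vault.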

