Azure DevOps: Execute `Set-AzSqlServer`

I have spent the past few days securing my Azure resources. Mostly, this involves turning off Sql Server from having public access.
Everything has been great until I fired off an Azure DevOps release pipeline and ran into this problem:
https://learn.microsoft.com/en-us/answers/questions/95497/deploy-with-pipelines-to-endpoint-of-private-link.html
Basically, the server is not in the same virtual network as the private link, and it seems incredibly involved/complicated to make it work.
So then I see this: https://github.com/MicrosoftDocs/azure-docs/issues/57316
And then the thought struck me: why not introduce a PowerShell script to toggle Public mode before and then after my SQL deployment in my pipeline?
I tried doing so, but I am getting an error:
##[error]Cannot find the Azure Active Directory object <name> Please make sure that the user or group or application you are authorizing is registered in the current subscription's Azure Active directory. To get a list of Azure Active Directory groups use Get-AzADGroup, or to get a list of Azure Active Directory users use Get-AzADUser or to get a list of Azure Active Directory applications use Get-AzADApplication. ##[error]PowerShell exited with code '1'.
The <name> is the name of my Sql Administrator.
I am wondering if it is possible to do what I would like to do here? The idea is:
- Toggle on public access mode:
  Set-AzSqlServer -ServerName <server> -ResourceGroupName <rg> -PublicNetworkAccess "Enabled"
- Deploy Sql script(s)
- Toggle off public access mode:
  Set-AzSqlServer -ServerName <server> -ResourceGroupName <rg> -PublicNetworkAccess "Disabled"
I am thinking this is a permissions issue, but I am not so familiar with Azure PowerShell, either.
If it helps, this is the output in the Azure DevOps PowerShell script:
========================== Starting Command Output ===========================
##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\8a1bda73-b876-4cfd-bfc4-1047eaf9fd1d.ps1'"
##[command]Import-Module -Name C:\Modules\az_7.1.0\Az.Accounts\2.7.1\Az.Accounts.psd1 -Global
WARNING: Both Az and AzureRM modules were detected on this machine. Az and AzureRM modules cannot be imported in the
same session or used in the same script or runbook. If you are running PowerShell in an environment you control you can
use the 'Uninstall-AzureRm' cmdlet to remove all AzureRm modules from your machine. If you are running in Azure
Automation, take care that none of your runbooks import both Az and AzureRM modules. More information can be found
here: https://aka.ms/azps-migration-guide
##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
##[command]Clear-AzContext -Scope Process
##[command]Connect-AzAccount -ServicePrincipal -Tenant *** -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
##[command] Set-AzContext -SubscriptionId <subscription> -TenantId ***
Thank you for any assistance you can provide.
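An added example (not from the question or the answers) of the toggle procedure above in Azure PowerShell: it records the current setting, enables public access, runs the deployment, and disables it again in a finally block so that a failed deployment step cannot leave the server exposed. The script parameters, the $Deploy script block and the Set-PublicAccess helper are assumptions; Get-AzSqlServer and Set-AzSqlServer are the real Az.Sql cmdlets.

```powershell
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # assumption: passed in from the pipeline
    [Parameter(Mandatory)] [string] $ServerName,
    [Parameter(Mandatory)] [scriptblock] $Deploy         # assumption: the SQL deployment step
)

# Runs under the service connection principal; per the accepted answer that principal
# needs the AAD "Directory Readers" role or Set-AzSqlServer fails resolving the AAD admin.
$server   = Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName
$original = $server.PublicNetworkAccess
Write-Host "PublicNetworkAccess before deployment: $original"

function Set-PublicAccess([string] $State) {
    Set-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -PublicNetworkAccess $State | Out-Null
    # Read the setting back instead of trusting the cmdlet's return object.
    $current = (Get-AzSqlServer -ResourceGroupName $ResourceGroupName `
        -ServerName $ServerName).PublicNetworkAccess
    if ($current -ne $State) {
        throw "Expected PublicNetworkAccess=$State but server reports $current"
    }
    Write-Host "PublicNetworkAccess is now $current"
}

try {
    if ($original -ne 'Enabled') { Set-PublicAccess 'Enabled' }
    & $Deploy
}
finally {
    # Executes even when $Deploy throws, so the server is closed again on every path.
    # Only flip it back if this script was the one that opened it.
    if ($original -ne 'Enabled') { Set-PublicAccess 'Disabled' }
}
```

Enabling public network access only lifts the network-level block; the server-level firewall still applies, so the agent's address still needs a firewall rule for the deployment step to connect.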
Hi @Sam Cogan thank you for your reply. I actually posted the script I am running in the question above, in steps 1 and 3. There are two instances when I am wanting to run the script: before and after.
I agree this seems to be a permissions issue. I am wanting to determine where that sits and how to remedy it. I am getting the sense that it might involve adding my Azure DevOps service principal to a Sql Server group of some kind.
Please further note that my Sql Server is Azure Active Directory authentication-only enabled.
If that is the entire script you are running, then is the Azure DevOps service connection that you are using setup with your SQL Admin user? If not then where is it getting that from?
To offer a little more context here @Sam Cogan this is running under the PowerShell Task in Azure DevOps, and it has been assigned the service principal of the Azure DevOps identity executing this process.
FWIW this seems a little closer to what I am suspecting, @Sam Cogan :
https://stackoverflow.com/a/61724752/10340424
I did set the permission, and granted admin consent, but it still does not seem to work. It seems like the PowerShell script running in the Azure DevOps context under the Managed Identity Principal is not properly seeing the directory.
It could be that there needs to be more time to wait, as AAD (despite being a security concern) seems to take a while to synchronize its security permissions.
I figured it out @Sam Cogan , thank you for poking/prodding... it set me on the right path. :) I've added an answer with my findings. VICTORY!!!
BOOOOOOOOOOOOOOOOOOMMMMMMMMMMMMMMMMMM!!!
https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal#assign-a-role
Add "Directory readers" to your Azure DevOps service connection principal and you should be good to go. Note that I also have the AAD "Directory.ReadWrite.All" permission added here, so that might be a consideration as well: https://stackoverflow.com/a/61724752/10340424
@Mike-E-angelo Thank you for sharing this with the community. Please mark your answer as "accept answer" so it will be beneficial for other community members facing the same.
Regards,
Oury
Unfortunately, I do not see that as an option @Oury Ba-MSFT . It would seem one cannot currently mark their own answers as the accepted answer.