Quickstart: Create a confidential ledger using Azure PowerShell

Azure confidential ledger is a cloud service that provides a high integrity store for sensitive data logs and records that must be kept intact. In this quickstart, you use Azure PowerShell to create a confidential ledger, view and update its properties, and delete it. For more information on Azure confidential ledger and examples of what can be stored in a confidential ledger, see About Microsoft Azure confidential ledger.

If you don't have an Azure subscription, create a free account before you begin.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

  1. Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

  2. Go to https://shell.azure.com, or select the Launch Cloud Shell button, to open Cloud Shell in your browser.

  3. Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

In this quickstart, you create a confidential ledger with Azure PowerShell. If you choose to install and use PowerShell locally, this tutorial requires the Az PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version (note that $PSVersionTable.PSVersion reports the version of PowerShell itself, not of the Az module). If you need to upgrade, see Install Azure PowerShell module. The New-AzConfidentialLedger, Get-AzConfidentialLedger, and Update-AzConfidentialLedger cmdlets used below come from the Az.ConfidentialLedger module, which you can add with Install-Module Az.ConfidentialLedger if it isn't already present. If you're running PowerShell locally, you also need to run Connect-AzAccount (Login-AzAccount is an alias for it) to create a connection with Azure.

Prerequisites

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the eastus location.

New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"

Get your principal ID and tenant ID

To create a confidential ledger, you need your Microsoft Entra principal ID (also called your object ID), and optionally the ID of the tenant that principal belongs to. To obtain your principal ID when you're signed in as a user, use the Azure PowerShell Get-AzADUser cmdlet with the -SignedIn flag:

Get-AzADUser -SignedIn

Your result is listed under "Id", in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. If you're signed in as a service principal instead of a user, Get-AzADUser -SignedIn doesn't apply; look the service principal up with Get-AzADServicePrincipal and use its Id. Your tenant ID is shown in the Tenant field of the Get-AzContext output.

Create a confidential ledger

Use the Azure PowerShell New-AzConfidentialLedger command to create a confidential ledger in your new resource group. The PrincipalId value shown below is a placeholder; replace it with the Id returned by Get-AzADUser -SignedIn so that the identity you're signed in as becomes the ledger's Administrator.

New-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup" -Location "EastUS" -LedgerType "Public" -AadBasedSecurityPrincipal @{ LedgerRoleName="Administrator"; PrincipalId="aaaaaaaa-bbbb-cccc-1111-222222222222"; }

A successful operation returns the properties of the newly created ledger. Take note of the ledgerUri. In the example above, this URI is "https://myledger.confidential-ledger.azure.com".

You need this URI to transact with the confidential ledger from the data plane.

View and update your confidential ledger properties

You can view the properties associated with your newly created confidential ledger using the Azure PowerShell Get-AzConfidentialLedger cmdlet.

Get-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup"

To update the properties of a confidential ledger, use the Azure PowerShell Update-AzConfidentialLedger cmdlet. The -AadBasedSecurityPrincipal value you pass is treated as the full list of Microsoft Entra principals and their roles for the ledger, so include every principal that should keep access, and be aware that demoting the only Administrator to Reader leaves no identity able to perform administrator operations on the ledger's data plane until the role is restored through this control-plane cmdlet. For instance, to update your ledger to change your role to "Reader", run:

Update-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup" -Location "EastUS" -LedgerType "Public" -AadBasedSecurityPrincipal @{ LedgerRoleName="Reader"; PrincipalId="aaaaaaaa-bbbb-cccc-1111-222222222222"; }

If you again run Get-AzConfidentialLedger, you see that the role is updated.

"ledgerRoleName": "Reader",
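The steps above, from resolving the signed-in identity to creating the ledger and verifying the role change, combined into one script. This is an added example, not code from the original article or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.ConfidentialLedger modules are installed, uses the same resource names as the article, and assumes the LedgerUri and AadBasedSecurityPrincipal property names on the objects the cmdlets return. It also handles the case where you're signed in as a service principal rather than a user.

```powershell
# Added end-to-end example (not from the original quickstart). Assumptions are marked.
#Requires -Modules Az.Accounts, Az.Resources, Az.ConfidentialLedger

$ErrorActionPreference = 'Stop'

# Assumed names and location; same values the quickstart uses.
$ResourceGroupName = 'myResourceGroup'
$LedgerName        = 'myLedger'
$Location          = 'EastUS'

# Sign in only if there is no existing context (Cloud Shell is already signed in).
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}
$ctx      = Get-AzContext
$tenantId = $ctx.Tenant.Id

# Resolve the Microsoft Entra object ID of whoever is signed in. Users and
# service principals are looked up differently; both yield the object ID the
# ledger expects in PrincipalId.
switch ($ctx.Account.Type) {
    'User'             { $principalId = (Get-AzADUser -SignedIn).Id }
    'ServicePrincipal' { $principalId = (Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id).Id }
    default            { throw "Unsupported account type '$($ctx.Account.Type)'; supply the object ID manually." }
}
Write-Host "Tenant: $tenantId  Principal: $principalId"

# 1. Resource group (reused if it already exists).
if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# 2. Create the ledger with the signed-in identity as its only Administrator.
#    TenantId in the hashtable is optional and included here as an assumption.
$ledger = New-AzConfidentialLedger `
    -Name $LedgerName `
    -ResourceGroupName $ResourceGroupName `
    -Location $Location `
    -LedgerType 'Public' `
    -AadBasedSecurityPrincipal @{ LedgerRoleName = 'Administrator'; PrincipalId = $principalId; TenantId = $tenantId }

# The data-plane endpoint you need for later transactions (assumed property name).
$ledgerUri = $ledger.LedgerUri
Write-Host "Ledger URI: $ledgerUri"

# 3. Read the properties back and show the principals that were provisioned.
$current = Get-AzConfidentialLedger -Name $LedgerName -ResourceGroupName $ResourceGroupName
$current.AadBasedSecurityPrincipal | Format-Table PrincipalId, LedgerRoleName, TenantId

# 4. Demote the same principal to Reader. The list passed here is treated as the
#    complete set of Microsoft Entra principals, so anyone omitted loses access.
Update-AzConfidentialLedger `
    -Name $LedgerName `
    -ResourceGroupName $ResourceGroupName `
    -Location $Location `
    -LedgerType 'Public' `
    -AadBasedSecurityPrincipal @{ LedgerRoleName = 'Reader'; PrincipalId = $principalId; TenantId = $tenantId } | Out-Null

# 5. Verify the change instead of trusting the cmdlet's silence.
$updated = Get-AzConfidentialLedger -Name $LedgerName -ResourceGroupName $ResourceGroupName
$role = ($updated.AadBasedSecurityPrincipal | Where-Object PrincipalId -eq $principalId).LedgerRoleName
if ($role -ne 'Reader') { throw "Expected role Reader for $principalId, got '$role'" }
Write-Host "Role for $principalId is now $role"
```

The final verification step matters more than it looks: after the update, the only Administrator on this ledger has been demoted, so any further data-plane administration (for example, adding other users) has to go back through Update-AzConfidentialLedger with the full principal list, and a quick read-back confirms the ledger is in the state you expect before you do that.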

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.

When no longer needed, you can use the Azure PowerShell Remove-AzResourceGroup cmdlet to remove the resource group and all related resources. This permanently deletes the confidential ledger along with the records it holds, so make sure nothing in the group is still needed before you run it.

Remove-AzResourceGroup -Name "myResourceGroup"

Next steps

In this quickstart, you created a confidential ledger by using Azure PowerShell. To learn more about Azure confidential ledger and how to integrate it with your applications, continue on to the articles below.