
Get Started with PowerShell on Azure Government

Many folks using Azure Government probably also have a subscription or two on public Azure. If you’re bouncing between environments and using PowerShell against each, switching between them can become cumbersome. This post shows a method I’ve found easy to implement and simple to switch between environments. As a footnote, the same approach can be used to set up other environments beyond Azure Government, such as on-premises Azure.

If you do nothing after installing the Azure PowerShell modules and then run Get-AzureEnvironment, you’ll get two results (as of this posting): AzureCloud and AzureChinaCloud. So the first thing we need to do is add another environment for Azure Government. After that, we’ll use the certificate method to connect to our subscription. I prefer this method for three reasons:

  1. I can use this same certificate for my other subscriptions, allowing me to easily switch between them on the same machine
  2. Azure Government doesn’t support using Azure AD (Add-AzureAccount), at least based on my experiences (see edit below)
  3. Using a publishing settings file may work, but honestly I haven’t spent time using this method to see if it works or works as well as using a certificate

Ok, let’s add that new local environment. Run the following PowerShell command (line breaks use the backtick continuation character, so it can be pasted as-is):

Add-AzureEnvironment -Name "AzureGovernment" `
    -PublishSettingsFileUrl "https://manage.windowsazure.us/publishsettings/index?client=xplat" `
    -ServiceEndpoint "https://management.core.usgovcloudapi.net" `
    -ManagementPortalUrl "https://manage.windowsazure.us" `
    -StorageEndpoint "core.usgovcloudapi.net" `
    -ActiveDirectoryEndpoint "https://login.windows.net/" `
    -ActiveDirectoryServiceEndpointResourceId "https://management.core.usgovcloudapi.net/"

Feel free to change the -Name parameter value to whatever you want, as this is only a local environment name, but leave the rest as-is. And don’t forget the trailing slash on -ActiveDirectoryServiceEndpointResourceId or you’ll get an error when authenticating. Sovereign-cloud endpoints have changed over time, so confirm these values against the current Azure Government documentation before relying on them.

Now let’s create a local self-signed certificate. Open a Visual Studio command prompt or another shell that has makecert on its path and run:

makecert -sky exchange -r -n "CN=<YourCertName>" -pe -a sha1 -len 2048 -ss My "c:\temp\<YourCertName>.cer"

This places the certificate and its private key in your CurrentUser\My (Personal) store and writes only the public certificate to the .cer file, which is the part you will upload.

For a reference on how to do that, look here: https://msdn.microsoft.com/en-us/library/azure/gg551722.aspx

Once that cert is created, you need to add it to your subscription in Azure Government. Treat the private key like a subscription password: a management certificate grants full access to that subscription through the Service Management API, so leave the key in your certificate store (or a protected .pfx) and upload only the .cer.

  1. Navigate to https://manage.windowsazure.us and log in
  2. At the bottom of the left navigation, click on “Settings”
  3. Click on “Management Certificates”
  4. At the bottom of the screen, click on “Upload”, choose the .cer file you created earlier and stored in c:\temp, then upload the file

Once the certificate has been added, you can add a new subscription entry using the Azure environment and certificate previously created. First, you need to set a few configuration values:

$subId = "<YourSubscriptionId>"
$thumbprint = "<YourCertificateThumbprint>"
$cert = Get-Item Cert:\CurrentUser\My\$thumbprint
$localSubName = "<LocalSubscriptionName>"
$environmentName = "AzureGovernment"

<YourSubscriptionId> can be copied from the Management Certificates screen where you uploaded your certificate. Double-click the value next to your cert and the entire value will be highlighted so you can copy it, even though the column won’t display all of it. You can widen the column if you’d like to see the entire value.

<YourCertificateThumbprint> can be copied from the same location under the Thumbprint column.

<LocalSubscriptionName> is a local name you will use to refer to this subscription, so use a name that makes sense to you. Maybe “ProdAzureGovernment”, as an example.

For environmentName, use the same name you used earlier when creating the local Azure Environment. If you kept my default, the name will be “AzureGovernment”.

Now run the following (the backtick at the end of the first line continues the command):

Set-AzureSubscription -SubscriptionName $localSubName `
    -SubscriptionId $subId -Certificate $cert -Environment $environmentName

If all went well, you’re all set! To see your local subscriptions, run Get-AzureSubscription. You should see your new ProdAzureGovernment subscription (or whatever you called it) along with any other subscriptions you already had configured, if any. You will also see which one is default and also current. The one flagged as default will be used by default when you first fire up PowerShell. The one marked current is what you’re currently hitting when you run commands against your subscription. You can change which subscription is default and current by running Select-AzureSubscription and passing in the desired config.

Assuming you have one subscription called “MSDN” and another called “ProdAzureGovernment”, within the same PowerShell window you can switch between them by simply running Select-AzureSubscription.

Select-AzureSubscription "MSDN" -Current
Get-AzureVM

Will show you all VMs on your MSDN subscription.

Select-AzureSubscription "ProdAzureGovernment" -Current
Get-AzureVM

Will show you all VMs on your Azure Government subscription.
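As an added example that is not part of the original post, here is the whole procedure above (environment registration, certificate lookup, subscription entry, and the switching step) as one re-runnable script. It assumes the legacy Azure Service Management cmdlets used throughout this post; the subscription ID and certificate subject are placeholders you replace with your own, and Use-AzureSub is a helper written for this example, not an Azure cmdlet.

```powershell
# Added example, not code from the original post: the full setup from this post as one
# re-runnable script using the legacy Azure Service Management cmdlets.
# Placeholders to fill in: $SubscriptionId and $CertSubject.
# Use-AzureSub is a helper written for this example, not an Azure cmdlet.

$ErrorActionPreference = 'Stop'

$EnvName        = 'AzureGovernment'                       # local environment name, as in the post
$LocalSubName   = 'ProdAzureGovernment'                   # local subscription name, as in the post
$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder: your Azure Government subscription ID
$CertSubject    = 'CN=<YourCertName>'                     # placeholder: the -n value you gave makecert

# 1. Register the environment only if it is not already defined, so a re-run does not
#    fail on an existing name. Endpoint values are those in the post; confirm them
#    against current Azure Government documentation.
if (-not (Get-AzureEnvironment | Where-Object { $_.Name -eq $EnvName })) {
    Add-AzureEnvironment -Name $EnvName `
        -PublishSettingsFileUrl 'https://manage.windowsazure.us/publishsettings/index?client=xplat' `
        -ServiceEndpoint 'https://management.core.usgovcloudapi.net' `
        -ManagementPortalUrl 'https://manage.windowsazure.us' `
        -StorageEndpoint 'core.usgovcloudapi.net' `
        -ActiveDirectoryEndpoint 'https://login.windows.net/' `
        -ActiveDirectoryServiceEndpointResourceId 'https://management.core.usgovcloudapi.net/'
}

# 2. Find the management certificate by subject rather than pasting a thumbprint by hand.
#    Require exactly one match that carries a private key: the API request is signed with it,
#    so a public-only copy (e.g. an imported .cer) would fail to authenticate.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with subject '$CertSubject' and a private key in CurrentUser\My, found $($certs.Count)."
}
$cert = $certs[0]
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); create and upload a new one."
}
Write-Host "Using management certificate $($cert.Thumbprint), valid until $($cert.NotAfter.ToShortDateString())"

# 3. Create (or update) the local subscription entry bound to the Government environment.
Set-AzureSubscription -SubscriptionName $LocalSubName `
    -SubscriptionId $SubscriptionId -Certificate $cert -Environment $EnvName

# 4. Switch the current subscription and report which environment commands will now hit.
function Use-AzureSub {
    param([Parameter(Mandatory = $true)][string]$Name)
    Select-AzureSubscription -SubscriptionName $Name -Current
    try {
        $sub = Get-AzureSubscription -Current
        Write-Host ("Current: {0} ({1}) in environment {2}" -f $sub.SubscriptionName, $sub.SubscriptionId, $sub.Environment)
    } catch {
        # The post notes Get-AzureSubscription can fail with "The given key was not present in the
        # dictionary" while a Government subscription is current; other cmdlets still work.
        Write-Warning "Selected '$Name' but could not read it back: $($_.Exception.Message)"
    }
}

Use-AzureSub -Name $LocalSubName
Get-AzureVM          # lists VMs in the Azure Government subscription

# Alternative from the EDIT at the end of the post: authenticate with Azure AD instead of a certificate.
# Add-AzureAccount -Environment $EnvName
```

Selecting the certificate by subject and insisting on a private key catches the two setup mistakes that otherwise surface only as an opaque authentication failure: a mistyped thumbprint, and a certificate imported from the .cer file alone.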

If you have your Azure Government subscription set to current and then run Get-AzureSubscription, you may receive an error stating “The given key was not present in the dictionary.” I’m not sure what the cause of this is, but all other commands I’ve run against the subscription have succeeded just fine. If I figure that out I’ll post an update.

It’s just that simple! Hope that helps. As always, if you have any questions or suggestions please post a comment.

<EDIT>Thanks to a tip from my colleague Keith Mayer, I discovered why I couldn’t get Azure AD to work. My previous script for Add-AzureEnvironment was missing the -ActiveDirectoryEndpoint parameter, which is kind of important. After adding that to the environment definition I was able to use Azure AD and the Add-AzureAccount cmdlet to authenticate against Azure Government. Yeah! This is actually the preferred method going forward as opposed to using a certificate.</EDIT>
