For those google searching the eventlog azure ad connect sync errors I just had, which I couldn’t google an answer to:
Errors for indexing: Continue reading Self Service Password Reset in AADConnect not working
I’ve been using Azure Runbooks for a long time now, but when you want to ‘really’ use them in an enterprise environment, they simply do not suffice. Vote for this suggestion if you feel same:
Provide more control of how runbooks are allocated to a sandbox
Okta natively does not allow you to sync users to Office 365 contacts; they either exist as users in Office 365, or they don’t exist at all.
In hybrid scenarios where you are doing a staged migration to Office 365, or where you simply manage your contacts in Okta, you may want to populate the Global Address List in Office 365 with your Okta users.
I’ve written a simple solution for this, you will require:
The solution will sync your users in Okta to Office 365, take note of the following: Continue reading Setting up Okta User -> Office 365 contact synchronisation
While playing around with PHP (experimental support) in Azure Functions, I noticed that there is no documentation yet and very few examples, so here’s my first simple example on how to build an Azure Function using PHP to parse a very simple GET request.
I’m assuming you’ve set up your function, go into Files and edit the function.json file:
<br />
{<br />
"bindings": [<br />
{<br />
"type": "httpTrigger",<br />
"direction": "in",<br />
"name": "req",<br />
"methods": [<br />
"get"<br />
],<br />
"authLevel": "function"<br />
},<br />
{<br />
"type": "http",<br />
"direction": "out",<br />
"name": "res"<br />
}<br />
],<br />
"disabled": false<br />
}<br />
This sets the function to listen to get requests and ignore the default Azure Table storage stuff.
Then open the run.php file and Continue reading Parsing a GET request in PHP with an Azure Function
This post describes how you can use the WIX Toolkit or any DLL file in an Azure Function, in this case to edit an MSI file on the fly. The WIX Toolkit is free, but only runs on Windows. Azure Functions run on Windows too, isn’t that nice 🙂
So, an example use case could be my OnedriveMapper MSI file, which is installed with a configuration GUID property by an admin to customize OnedriveMapper. If that GUID was already in the MSI, no such parameter would be necessary.
Using an Azure function in a download link or http request, we could insert a GUID on the fly and create personalized MSI files on demand.
I’ll leave other applications to your imagination, let’s get started!
Continue reading On-Demand MSI customization using Azure Functions
Azure has a very nice feature called ‘Dynamic Groups‘. We use these in our customer tenants to dynamically generate a group with actual users, excluding Guest accounts (marked with #EXT#).
As I couldn’t find any articles detailing how to create a Dynamic Group through the Graph API, I’m posting this for whoever it helps 🙂
<br />
$dynamicGroupProperties = @{<br />
"description" = "Dynamic Group Created through the Graph API";<br />
"displayName" = "Dynamic Group Created through the Graph API";<br />
"groupTypes" = @("DynamicMembership");<br />
"mailEnabled" = $False;<br />
"mailNickname" = "testnickname";<br />
"membershipRule" = "(user.userPrincipalName -notContains `"#EXT#@`") -and (user.userType -ne `"Guest`")";<br />
"membershipRuleProcessingState" = "On";<br />
"securityEnabled" = $True<br />
}</p>
<p>invoke-webrequest -Headers $headerParams -uri "https://graph.microsoft.com/beta/groups" -Body (ConvertTo-Json $dynamicGroupProperties) -method POST -Verbose<br />
If you’re not yet used to working with the Graph API, read up on how to connect to the Graph API using Powershell.
A handy Powershell function to lock / unlock using .NET, to prevent concurrent read/writes to files or anything else you like.
<br />
function handleThreadLock{<br />
Param(<br />
[switch]$setLock,<br />
[switch]$releaseLock,<br />
[string]$lockName="defaultLockName",<br />
[int]$timeOut=600<br />
)<br />
if($setLock){<br />
#register a thread lock<br />
$script:threadLock = New-Object System.Threading.Mutex($false, $lockName)<br />
$waited = 0<br />
while($true){<br />
try{$lockState = $script:threadLock.WaitOne(1000)}catch{$lockState=$False}<br />
if($lockState){<br />
break<br />
}else{<br />
$waited+=1<br />
if($waited -gt $timeOut){<br />
Throw "failed to get a thread within $timeOut seconds!"<br />
}<br />
}<br />
}<br />
}<br />
if($releaseLock){<br />
#release a thread lock<br />
[void]$script:threadLock.ReleaseMutex()<br />
}<br />
}<br />
In your script, call it like this:
<br />
try{<br />
handleThreadLock -setLock<br />
}catch{Throw "Failed to set lock!"}</p>
<p>try{<br />
add-content -Path "c:\yourfile.txt" -Value "log entry" -ErrorAction Stop<br />
}finally{<br />
handleThreadLock -releaseLock<br />
}<br />
While building some multithreading Azure Runbooks that log into multiple subscriptions simultaneously, I noticed that these multiple concurrent runs often end up on the same Azure Automation Host.
Apparently, these runbooks then don’t run in full isolation, and the following error may occur:
The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: The process cannot access the file ‘C:\Windows\system32\config\systemprofile\AppData\Roaming\Windows Azure Powershell\TokenCache.dat’ because it is being used by another process.
AzureProfile.json may also get locked. I resolved this by doing a retry on the Save-AzureRMContext, and using a randomized file name for the azure json profile:
</p> <p>$randomProfileName = [System.IO.Path]::GetRandomFileName()</p> <p>Save-AzureRmContext -Path .\$randomProfileName -Force -Confirm:$False</p> <p>
And for my full Azure Login code snippet:
<br />
$randomProfileName = [System.IO.Path]::GetRandomFileName()<br />
$tries=0<br />
while($true){<br />
$tries++<br />
try{<br />
Write-Output "Logging in to Azure $azureSubscription"<br />
$res = Login-AzureRmAccount -Credential $azureCreds -SubscriptionId $azureSubscription -TenantId $tenantId -ErrorAction Stop<br />
Select-AzureRmSubscription -SubscriptionId $azureSubscription -ErrorAction Stop -TenantId $tenantId<br />
if($res.Context.Subscription.Id -eq $azureSubscription){<br />
Write-Output "Logged in to Azure subscription $($res.Context.Subscription.Id)"<br />
}else{<br />
Throw "Failed, we were logged in to $($res.Context.Subscription.Id) while trying to log in to $azureSubscription"<br />
}<br />
Save-AzureRmContext -Path .\$randomProfileName -Force -Confirm:$False<br />
break<br />
}catch{<br />
if($tries -ge 30){<br />
Throw<br />
Exit<br />
}<br />
#sleep on failed attempts, as the azure token cache gets locked by concurrent jobs<br />
sleep -s (Get-Random -minimum 1 -maximum 6)<br />
}<br />
}<br />
NOTE: this post has been superceded! Use the Microsoft AppService API to create or update your domains.
Tip: Jack Rudlin wrote a great post on using the API for this.
—-old content from here—
Lately I’ve been playing with custom domains in Azure, Microsoft has been allowing us to directly purchase domain in Azure for a while now. This leverages GoDaddy’s API, but Microsoft bills you for the domain, consolidating your domains, management and usage nicely in Azure.
The portal only allows you to purchase new domains, so how do you transfer existing domains to Azure DNS?
First you’ll need a transfer code, which you can get from your current DNS provider. Then, execute the following script:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.DomainRegistration
$rgName = "NAME OF YOUR RESOURCE GROUP"
$ResourceLocation = "Global"
$ResourceName = "MYDOMAINNAME.NL"
$PropertiesObject = @{
'Consent' = @{
'AgreementKeys' = @("DNPA","DNTA");
'AgreedBy' = '122.13.11.20'; #ip address you're running this script from
'AgreedAt' = '2017-17-07T08:37:40'; #roughly the current time
};
'authCode' = 'DOMAIN TRANSFER CODE'; #code by current domain provider
'Privacy' = 'true';
'autoRenew' = 'true';
}
New-AzureRmResource -ResourceName $ResourceName -Location $ResourceLocation -PropertyObject $PropertiesObject -ResourceGroupName $rgName -ResourceType Microsoft.DomainRegistration/domains -ApiVersion 2015-02-01 -Verbose
It will take a long time to run, but you’ll have a custom domain in Azure that you can now connect to websites and/or manage through AzureDNS.
Note:Â this only works for domains OLDER than 60 days and can take 5-7 days until the domain is usable in Azure, all domain records will be copied to an Azure DNS zone.
If you use Azure Runbooks, but develop scripts locally first…you may like to display progress indicators to yourself when handling large amounts of records / data with Write-Progress.
Be sure to parameterise this, because if you use Write-Progress in an Azure Runbook, it will seriously slow your runbook down, increasing the cost, and if there are over 4000 write-progress calls the runbook will hang and crash.