
Hope you are all well,

I had a similar kind of requirement a year ago; however, that was for adding the machine to an on-prem AD group: Add onprem AD group while provisioning Azure VM with ARM template - Azure virtual desktop

I succeeded with that using the custom script extension. Now we have a requirement to get the machine added only to an Azure AD group (not the on-prem group that is synced with AAD). And due to security, we had to restrict our provisioning SPN to delegated API permissions.

I can run a PowerShell script with the machine as input to add the machine to the AD group manually.

How can I integrate the PowerShell script into the ARM template? Delegated API permissions need both the SPN and a user to authenticate to AAD to perform the activity.

Wondering if anyone has some thoughts?

Regards, Naveen. S

1 Answer


How can I integrate the PowerShell script into the ARM template?

Follow the steps below to add the machine to a group using a PowerShell script in an ARM template.

I followed this MS Doc as a reference to create a custom script extension using an ARM template.

1. Upload the following PowerShell script to your storage account.
2. Assign the required role to the VM for accessing the script from the storage account.


    param(
        [string] $MachineName = $env:COMPUTERNAME,   # defaults to the VM the extension runs on
        [string] $GroupName   = "<ADGroupName>"
    )

    # The AzureAD module must be installed on the VM, and the session must already be
    # signed in (Connect-AzureAD) with an identity allowed to change group membership.
    # The extension runs as SYSTEM, so an interactive (delegated) sign-in is not possible here.
    Import-Module AzureAD

    $machine = Get-AzureADDevice -Filter "DisplayName eq '$MachineName'"
    if ($null -eq $machine) {
        Write-Host "Machine '$MachineName' not found."
        exit 1    # non-zero so the extension reports the failure
    }
    $group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
    if ($null -eq $group) {
        Write-Host "Group '$GroupName' not found."
        exit 1
    }
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $machine.ObjectId
    Write-Host "Machine '$MachineName' added to group '$GroupName' successfully."
3. You can find the fileUris by navigating to the following path.

Azure Portal > Storage Account > Your Storage Account > Select your Container

4. Deploy the ARM template below.


ARM template:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "apiVersion": "2022-03-01",
          "name": "<VMName>/customScript",
          "location": "<ResourceGroup Location>",
          "properties": {
            "publisher": "Microsoft.Compute",
            "type": "CustomScriptExtension",
            "typeHandlerVersion": "1.10",
            "autoUpgradeMinorVersion": true,
            "settings": {
              "fileUris": [
                "powershell_script_url"
              ],
              "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File script.ps1 -MachineName '<VMName>' -GroupName '<ADGroupName>'"
            },
            "protectedSettings": {
              "managedIdentity": {}
            }
          }
        }
      ],
      "outputs": {}
    }

A custom extension is created in the Azure VM once the ARM deployment is complete, and the device is also added to an Azure AD group.


Venkat V
  • Thank you Venkat for your response. Which access do you use to run the script in the custom script extension? – ramoj kumar May 12 '23 at 06:55
  • Yes, if you deploy the ARM templates, it will create the extension in the VM and add the VM to a particular group as specified in PowerShell. – Venkat V May 12 '23 at 06:59
  • Okay; however, you need an account to run the PowerShell script in the extension, and that account (SPN) should have the access to add members to the AAD group. Thanks for your response. We have used dynamic membership rules in that specific AAD group to filter on the naming and the type of the machine and get it added to the AAD group. So now the job is quite easy and does not use any extensions :) – ramoj kumar May 22 '23 at 08:05
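The point the comments circle around is that the extension runs as SYSTEM with no user present, so the script has to sign in non-interactively with an application permission; a delegated permission cannot work there. The script below is an added example, not the answer's script or any Microsoft sample, that shows the complete extension-side flow with that sign-in step: certificate-based service principal authentication (so no secret travels through commandToExecute, which is stored in clear text in the extension settings and logs), an idempotent membership add so re-running the extension does not fail, and a non-zero exit so the deployment reports failure. The parameter names (TenantId, ApplicationId, CertificateThumbprint, GroupName, MachineName), the assumption that the certificate is installed on the VM with a private key readable by SYSTEM, and the assumption that the AzureAD module is present on the VM are all mine.

```powershell
<#
  Added example, not the answer's script. Runs under the Custom Script Extension
  (as SYSTEM), signs in as a service principal with a certificate, and adds the
  device object for this VM to an Azure AD group. All parameter names are assumed.
  Prerequisites (assumed): AzureAD module installed on the VM; the certificate in
  LocalMachine\My with a private key readable by SYSTEM; the app registration holds
  an application permission such as GroupMember.ReadWrite.All (or the Groups
  Administrator role) because no user is present to grant a delegated permission.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ApplicationId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [Parameter(Mandatory)] [string] $GroupName,
    # Defaults to the VM the extension runs on, so the template need not repeat the name
    [string] $MachineName = $env:COMPUTERNAME
)

$ErrorActionPreference = 'Stop'   # every failure below becomes a terminating error

Import-Module AzureAD

# App-only sign-in: no secret on the command line, only a thumbprint
Connect-AzureAD -TenantId $TenantId `
                -ApplicationId $ApplicationId `
                -CertificateThumbprint $CertificateThumbprint | Out-Null

function Add-DeviceToGroup {
    param([string] $DeviceName, [string] $TargetGroup)

    # Escape single quotes so a name cannot break out of the OData filter
    $safeDevice = $DeviceName.Replace("'", "''")
    $safeGroup  = $TargetGroup.Replace("'", "''")

    $device = Get-AzureADDevice -Filter "displayName eq '$safeDevice'"
    if ($null -eq $device) { throw "Device '$DeviceName' not found in Azure AD." }
    if (@($device).Count -gt 1) { throw "More than one device named '$DeviceName'; refusing to guess." }

    $group = Get-AzureADGroup -Filter "displayName eq '$safeGroup'"
    if ($null -eq $group) { throw "Group '$TargetGroup' not found." }
    if (@($group).Count -gt 1) { throw "More than one group named '$TargetGroup'; refusing to guess." }

    # Idempotent: re-running the extension must not fail with "already a member"
    $already = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
               Where-Object { $_.ObjectId -eq $device.ObjectId }
    if ($already) {
        Write-Output "'$DeviceName' is already a member of '$TargetGroup'."
        return
    }

    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $device.ObjectId
    Write-Output "Added '$DeviceName' ($($device.ObjectId)) to '$TargetGroup' ($($group.ObjectId))."
}

try {
    Add-DeviceToGroup -DeviceName $MachineName -TargetGroup $GroupName
    exit 0
}
catch {
    Write-Host "ERROR: $_"
    exit 1   # non-zero exit makes the extension, and therefore the deployment, report failure
}
```

Two caveats for anyone adopting this. The credential still lives on the VM, so the service principal should hold the narrowest permission that works and nothing else; the dynamic membership rule the questioner settled on in the last comment removes that credential from the VM entirely and is the better design when the group can be defined by device name or type. And the AzureAD module is being retired in favour of Microsoft Graph PowerShell, where the same three calls map to Get-MgDevice, Get-MgGroup and New-MgGroupMember.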