Deploying Agents to Azure IaaS VMs using the Custom Script Extension

In an ideal world organizations should try to avoid creating custom images with their own special agents and configurations. This means a lot of image management as each time an agent is updated the image has to be updated in addition to the normal patching of OS instances. The Azure marketplace has a large number of OS images that are kept up-to-date which should be used if possible and any customization performed on top of that. I recently had a Proof of Concept where a number of agents needed to be deployed post VM deployment along with other configurations. Items such as domain join can be done with the domain join extension but for the other agent installs we decided to use the Custom Script Extension to call a bootstrap script which would do nothing other than pull down all content from a certain container using azcopy.exe and then launch a master script. The master script would be part of the downloaded content and would then perform all the silent installations and customization’s required.

A storage account is utilized with two containers:

  • Artifacts – This contains the master script and all the agent installers etc. This could use a zip file to enable a structure to be maintained of the various agents and the master script could unzip at the start
  • Bootstrap – This contains azcopy.exe (in my case version 10) and the bootstrap.ps1 file that does nothing other than call azcopy to copy everything from the artifacts container to the c: root, then launch the master script from the local copy

Below is my example bootstrap.ps1 file. Notice it has one parameter, the URI of the container which will be the shared access signature enabling access.

param($SourceURI)

$cmd = "&`".azcopy.exe`" cp `"$SourceURI`" `"C:`" --recursive=true"
try {
    Invoke-Expression -Command $cmd -ErrorAction Stop
    if ($LASTEXITCODE -ne 0) {
        # Error.
    }
} catch {
    # Error.
}

c:artifactsMainScript.ps1

Azcopy.exe was downloaded from https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10 and copied to the bootstrap container along with the bootstrap.ps1 file. In my case there is nothing sensitive in the file and so I made the container public. This would avoid having to have an access key as part of my ARM template that would ultimately call this script.

All the installers and the master script were uploaded to the artifacts container. For this container I wanted a shared access signature (SAS) that would give read and list rights. The idea would be some automation would generate a new SAS each week and write to a secret in key vault that only people that should deploy had access to. The SAS would have a lifetime of 2 weeks to have an overlap with the newly generated. In addition to generating and storing the complete SAS I needed a second version that was escaped for cmd.exe. This is because the SAS has & in it which was being interpreted during my testing breaking its use. I tried to use no parse (–%) but this did not work since it was being called by cmd.exe therefore the escape is to use ^&. The script below generates the SAS and the escaped SAS and writes both versions as secrets to key vault.

$resourceGroupName = "RG-Infra-SCUS"
$storageAccountName = "sasavpocscus"
$containerName = "artifacts"

# Get the access key for the Azure Storage account
$storageAccountKey = (Get-AzStorageAccountKey `
    -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName)[0].Value

# Create an Azure Storage context
$storageContext = New-AzStorageContext `
    -StorageAccountName $storageAccountName `
    -StorageAccountKey $storageAccountKey

$expiryTime = (Get-Date).AddDays(14)

# Generates an SAS token for the Azure storage container
$SASToken = New-AzStorageContainerSASToken `
    -Name $containerName `
    -Permission "rl" `
    -ExpiryTime $expiryTime `
    -Context $storageContext

$fullSASURI = "$($storageContext.BlobEndPoint)$($containerName)$($SASToken)"
$fullSASURI

$secretvalue = ConvertTo-SecureString $fullSASURI -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURI' -SecretValue $secretvalue

#Need an escaped for CMD since this is how passed when using the Custom Script Extension in Azure
$secretescapevalue = ConvertTo-SecureString $fullSASURI.Replace("&","^&") -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc' -SecretValue $secretescapevalue

Once this was done I now had a SAS available in the key vault that would give read and list to the artifacts container. Remember to configure the Access Policy on the vault to enable use of secrets from ARM templates (advanced settings) and additionally for the users/groups to have access to the secret. A test of this process to my local machine worked, i.e.

$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURI').SecretValueText
.bootstrap.ps1 $BLOBSASURI

Next I tried calling as I would via the Custom Script Extension which with the escaped version worked great (note its the escaped URL as this will get expanded in the template).

powershell.exe -ExecutionPolicy Unrestricted -Command .BootStrap.ps1 -SourceURI 'https://sasavpocscus.blob.core.windows.net/artifacts?sv=2018-11-09^&sr=c^&sig=blahblahD^&se=2019-05-30T14%3A21%3A50Z^&sp=rl'

Initially my test was to an existing Azure VM so I used the following (note I’m getting the escaped version of the secret from Key Vault):

$BLOBSASURI = (Get-AzKeyVaultSecret -vaultName 'SavKeyVault' -Name 'POCBLOBSASURIEsc').SecretValueText

#Container has public access since no sensitive information in files therefore no account or key required in private configuration
$fileUri = @("https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe")

$ExtensionName = 'BootStrap'
$ExtensionType = 'CustomScriptExtension'
$Publisher = 'Microsoft.Compute'
$Version = '1.9'
$timestamp = (Get-Date).Ticks

$PrivateConfiguration = @{"commandToExecute" = "powershell.exe -ExecutionPolicy Unrestricted -Command .BootStrap.ps1 -SourceURI '$BLOBSASURI'"}
$PublicConfiguration = @{"fileUris" = $fileUri;"timestamp" = "$timestamp"}

Set-AzVMExtension -ResourceGroupName RG-Infra-SCUS -Location southcentralus -VMName Savazuusscwin10 `
    -Name $ExtensionName -Publisher $Publisher -ExtensionType $ExtensionType -TypeHandlerVersion $Version `
    -Settings $PublicConfiguration -ProtectedSettings $PrivateConfiguration

Once this worked I finally created an ARM template that included a reference to the secret and all worked as planned.

The parameter file (note I also get a secret to join the domain even though I’m not using the domain join extension in this example):

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {
            "value": "demoadmin"
        },
        "adminPassword": {
            "value": "Pa55wordPa55word"
        },
        "virtualMachineSize": {
            "value": "Standard_DS2_v2"
          },
          "virtualNetworkName": {
            "value": "VNet-Infra-EUS"
          },
          "subnetName": {
            "value": "TestSub"
          },
          "virtualNetworkResourceGroup": {
            "value": "RG-Infra-EUS"
          },
          "domainAdminUserName": {
            "value": "savilltech\savadmin"
          },
          "domainAdminPassword": {
            "reference": {
              "keyVault": {
                "id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"
              },
              "secretName": "savadminpass"
            }
          },
          "domainFQDN": {
            "value": "savilltech.net"
          },
          "artifactURI": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/414a658a207/resourceGroups/RG-Infra-SCUS/providers/Microsoft.KeyVault/vaults/SavKeyVault"
                },
                "secretName": "POCBLOBSASURIEsc"
            }
        }
   }
}

The actual template (note in the CSE extension at the end I need the single quotes around the URI or it once again tries to interpret it so you have to use two, i.e. ”, to get one ‘ when it actually executes):

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "adminUsername": {
        "type": "string",
        "metadata": {
          "description": "Username for the Virtual Machine."
        }
      },
      "adminPassword": {
        "type": "securestring",
        "metadata": {
          "description": "Password for the Virtual Machine."
        }
      },
      "vmName": {
        "type": "string",
        "defaultValue": "myVM",
        "metadata": {
          "description": "Name of the VM"
        }
      },
      "virtualMachineSize": {
        "type": "string",
        "defaultValue": "Standard_DS2_v2",
        "allowedValues": [
          "Standard_DS2_v2",
          "Standard_M8-2ms",
          "Standard_M8-4ms"
        ],
        "metadata": {
          "description": "Virtual Machine Size"
        }
      },
      "domainAdminUserName": {
        "defaultValue": "savilltech\savadmin",
        "type": "string",
        "metadata": {
          "description": "Administrator Username for the domain join account"
        }
      },
      "domainAdminPassword": {
        "type": "securestring",
        "metadata": {
          "description": "Administrator password for the domain join account"
        }
      },
      "domainFQDN": {
        "type": "string",
        "metadata": {
          "description": "Domain FQDN where the virtual machine will be joined"
        }
      },
      "ouPath": {
        "type": "string",
        "defaultValue": "",
        "metadata": {
          "description": "Specifies an organizational unit (OU) for the domain account. Enter the full distinguished name of the OU in quotation marks. Example: "OU=testOU; DC=domain; DC=Domain; DC=com""
        }
      },
      "virtualNetworkName": {
        "type": "string",
        "metadata": {
          "description": "VNET Name"
        }
      },
      "virtualNetworkResourceGroup": {
        "type": "string",
        "metadata": {
          "description": "Resource Group VNET is deployed in"
        }
      },
      "subnetName": {
        "type": "string",
        "metadata": {
          "description": "Name of the subnet inside the VNET"
        }
      },
      "artifactURI": {
        "type": "securestring",
        "metadata": {
          "description": "URI for the artifact BLOB including SAS"
        }
      },
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]",
        "metadata": {
          "description": "Location for all resources."
        }
      }
    },
    "variables": {
      "vnetID": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
      "subnetRef": "[concat(variables('vnetID'),'/subnets/', parameters('subnetName'))]",
      "domainJoinOptions": 3,
      "nicName": "[concat(parameters('vmName'), 'Nic')]"
    },
    "resources": [
      {
        "apiVersion": "2018-04-01",
        "type": "Microsoft.Network/networkInterfaces",
        "name": "[variables('nicName')]",
        "location": "[parameters('location')]",
        "dependsOn": [],
        "properties": {
          "ipConfigurations": [
            {
              "name": "ipconfig1",
              "properties": {
                "privateIPAllocationMethod": "Dynamic",
                "subnet": {
                  "id": "[variables('subnetRef')]"
                }
              }
            }
          ]
        }
      },
      {
        "apiVersion": "2018-04-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[parameters('vmName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
          "[variables('nicName')]"
        ],
        "properties": {
          "hardwareProfile": {
            "vmSize": "[parameters('virtualMachineSize')]"
          },
          "osProfile": {
            "computerName": "[parameters('vmName')]",
            "adminUsername": "[parameters('adminUsername')]",
            "adminPassword": "[parameters('adminPassword')]"
          },
          "storageProfile": {
            "imageReference": {
              "publisher": "MicrosoftWindowsServer",
              "offer": "WindowsServer",
              "sku": "2016-Datacenter",
              "version": "latest"
            },
            "osDisk": {
              "createOption": "FromImage"
            }
          },
          "networkProfile": {
            "networkInterfaces": [
              {
                "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
              }
            ]
          }
        },
        "resources": [
          {
            "type": "extensions",
            "name": "CustomScriptExtension",
            "apiVersion": "2017-03-30",
            "location": "[parameters('location')]",
            "dependsOn": [
              "[parameters('vmName')]"
            ],
            "properties": {
              "publisher": "Microsoft.Compute",
              "type": "CustomScriptExtension",
              "typeHandlerVersion": "1.9",
              "autoUpgradeMinorVersion": true,
              "settings": {
                "fileUris": [
                  "https://sasavpocscus.blob.core.windows.net/bootstrap/BootStrap.ps1","https://sasavpocscus.blob.core.windows.net/bootstrap/azcopy.exe"
                ],
                "commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -Command .\BootStrap.ps1 -SourceURI ''', parameters('artifactURI'),'''')]"
              }
            }
          }
        ]
      }
    ]
  }

And the execution (note the network and RG already existed in my environment).

New-AzResourceGroupDeployment -ResourceGroupName RG-Test-EUS `
    -TemplateFile 'vmdeploy.json' `
    -TemplateParameterFile 'vmdeploy.parameters.json'

Hope this helps!

PowerShell Master Class Module 1 Available!

I’ve finally got round to starting recording on my PowerShell Master Class. This will be a long course that will be free on YouTube. I’ll be adding modules over the next month and updating as needed. I’ll tweet (@NTFAQGuy) when I add new things.

Module 1 is PowerShell Fundamentals and available at https://youtu.be/sQm4zRvvX58.

The course playlist is available at https://www.youtube.com/playlist?list=PLlVtbbG169nFq_hR7FcMYg32xsSAObuq8.

The course assets are available via GitHub at https://github.com/johnthebrit/PowerShellMC.

New Free Data Courses on Pluralsight Available!

Over the past two months I’ve been busy on some Data in Azure courses for Microsoft and Pluralsight. These are free and you just need to sign-up for a free account on Pluralsight. These will shortly be available via Azure as well but are available now through Pluralsight.

Azure Stack Marketplace Management

Been doing some work with Azure Stack and wanted to easily update all the Microsoft provided extensions and a set of core images if there are new versions by running a simple script.

Script available at https://github.com/johnthebrit/AzureStack/blob/master/azurestackmarketplace.ps1. Simply run the script and after it downloads the assets it will check if there are older versions and prompt you if you want to delete the old ones.

Lots of new Azure Design and Identity free training available

I may have seemed to be very quiet over the past few months but that’s because I’ve been working pretty much every night and weekend on 11 new courses for azure.com that will shortly be available via the site but are immediately available for free via PluralSight. If you don’t have an account simply sign up for a free account and you can then access my (and other peoples tracks).

Planning Microsoft Azure Identity and Security

Planning Microsoft Azure Infrastructure

The identity track looks at identity management before diving into authentication, authorization, auditing, monitoring and risk. The infrastructure track looks at compute, storage, networking and monitoring.

I hope you find these courses useful and there are more to come.

On a side note I’m trying to raise money for Cure Childhood Cancer as part of my Ironman Chattanooga on 9/30/2018. This will be my 5th Ironman this year and 12th overall. If you can help even a little please head over to https://www.firstgiving.com/fundraiser/john-savill/IM2018 and maybe your company matches so if they do that helps as well. I’ll be trackable on the day via https://bat.live/track/imchattanooga2018?bib=356.

Thank you!

Two new videos on Azure AD – Conditional Access and Tokens!

Recorded two new videos this week. The first is an understanding of how tokens work with Azure AD and then one looking at conditional access (which can control the access to get those tokens for various scenarios).

Word of caution – I talk about terms of use in the second video. If you just enable this for ALL users it will break things that can’t accept it, for example the account you use for Azure AD Connect to sync to Azure AD so make sure you exclude accounts that can’t accept!

Understand the authentication pros and cons with Azure AD

When using Azure AD there are two types of authentication available:

  • Cloud authentication where the authentication takes place against Azure AD
  • Federated authentication where the authentication takes place against the federated service, for example using ADFS against Active Directory Domain Services

When using the cloud authentication there are two ways to validate the password:

  • A hash of the password hash from AD is replicated to Azure AD (and no matter which authentication option used this is recommended to enable Azure AD to help detect leaked credentials and give a “break the glass” fallback authentication option if your primage configuration fails) and this is used for the cloud based authentication
  • The password validation is done against Active Directory Domain Services using Passthrough Authentication (PTA) which works by writing the username/password (in an encrypted form for each PTA agent configured) to a service bus instance which are then read by PTA instances deployed to Windows OS instances which take the entry, decrypt, authenticate against ADDS then respond with the result to then complete the authentication request

There are therefore three options for the authentication configuration

  • Password hash
  • PTA
  • Federation

The order I have them is generally the preference but there are some pros and cons of each (in addition to a few considerations) and I wanted to outline them briefly here.

Password Hash

  • Pro – Cloud scale/resilience since this is all native Azure AD with no other reliance during authentication
  • Pro – Provides breach replay protection and reports of leaked credentials since the stored hash can be used to compare against credentials found on dark web (visibility varies depending on Azure AD license, P2 provides best insight). Also enabled the ability to block banned passwords during password change. This benefit is for any configuration providing password hash is replicated and does not have to be used for the authentication
  • Pro – As above even if not using password hash for authentication if its stored and the primary method, e.g. PTA of federation fails (such as loss of connectivity to infrastructure) you can quickly switch to password hash based authentication
  • Con – If the ADDS account has been locked, restricted hours set or password expired it will not impact the ability to logon via Azure AD
  • There is a delay for new accounts or changes to be reflected from AD to Azure AD. This is typically a 30 minute replication window (except for passwords which replicate every 2 minutes). Therefore plan for a delay for new accounts/changes to be reflected in Azure AD
  • You may hear talk of a con is you want the authentication to occur against on-premises DCs however the way tokens and specifically refresh tokens work is only the first authentication would hit AD and after that future access in the same session would not re-authenticate via PTA/federation anyway as the refresh token would be used to acquire additional access tokens. I will cover this in a separate video.

Passthrough-Authentication (PTA)

  • Pro – If a concern with this method you don’t have to store password hashes in Azure AD (however this is a risk vs reward discussion and the benefit of having the hash greatly outweighs any downside IMO)
  • Pro – This is lighter than using federation and establishes an outbound 443 connection to Azure AD not requiring any inbound port exceptions
  • Pro – Any AD account restrictions like hours, account lockout, password expired would be enforced
  • Con – Legacy authentication (pre 2013 Office clients) may not work with PTA
  • This is lighter than federation and easy to deploy multiple PTA instances on-premises for scale and resiliency but does still require deployments
  • When users authenticate, their password is sent to Azure AD (encrypted via HTTPS and then sent via PTA for authentication)

Federation

  • Pro – 3rd party MFA, Azure MFA Server and custom policies/claim rules (outside of the Azure AD 3rd party MFA integration like Duo). It is also possible to create a multi-site ADFS farm, then coupled with some type of geo-DNS solution you can authenticate a user to their closest ADFS “presence
  • Pro – Certificate based authentication
  • Single-sign on if on AD joined machine in corp network. This can be matched with password hash and PTA with seamless-sign on enabled
  • Password never hits the cloud, it is send to federation server. Both others the password is sent to the cloud
  • INITIAL authentication hits federation servers for policy (but subsequent app requests won’t go via ADFS since will use refresh token gained)
  • INITIAL authentication against AD DS domain controllers
  • Con – Large amount of infrastructure required (proxy, adfs servers) especially when other federations moved to Azure AD. The OpEx cost is also a major consideration. Think about the maintenance (managing servers, trusts, certificates) and staff to operate this.
  • Con – With the ADFS proxy it means firewall exceptions to enable inbound traffic
  • Con – Can limit scale/availability

Note that for all scenarios I can still use features like Conditional Access. I try to start at the top of the options and work down if needed. I really consider the federation a legacy option that most organizations are moving away from since Azure AD would be used for the actual application federations moving forward.

Microsoft has a good doc at https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn which should also be reviewed.

Any thoughts, please post below!

Getting PowerShell 6

PowerShell 5.1 marks the last major update to PowerShell we are likely to see built into Windows. The future of PowerShell has gone the open-source path with PowerShell 6 being available via GitHub and available not just for Windows but also multiple Linux distributions and MacOSX. This is made possible as PowerShell 6, or rather PowerShell CORE 6.0 is built on .NET Core (which is cross platform) instead of the Windows exclusive .NET.

The good news is PowerShell 6 can be installed alongside the PowerShell that is part of Windows/WMF. Download and install from https://github.com/PowerShell/PowerShell/releases. Once installed you can launch by running pwsh.exe. If you look at $psversiontable you will see you have the Core PSEdition instead of the standard Desktop.

I recommend installing this and running alongside the regular PowerShell and getting used to it. The good news is most regular PowerShell will run and if you execute get-module -listavailable you will see the built-in modules. For non-built in modules you will need to check if they are supported with PowerShell Core.

Read the Microsoft article at https://blogs.msdn.microsoft.com/powershell/2018/01/10/powershell-core-6-0-generally-available-ga-and-supported/ for a great overview and walks through the key features that are not part of PowerShell Core 6, e.g. workflows in addition to key considerations.

Tools like Visual Studio Code can be used with PowerShell 5.1 and PowerShell Core 6.0. Simply change the settings for Visual Studio Code to add pwsh, e.g. add the following to user settings (File – Preferences – Settings) (change to your specific PowerShell version). I added this just under the existing User Setting (the , goes after the existing line in the file).

,
    "terminal.integrated.shell.windows": "C:\Program Files\PowerShell\6.1.0-preview.1\pwsh.exe"

Happy PowerShelling!