Cloud Spelunking, Managing Azure from your Desktop via PowerShell (the Setup)

These next few posts are going to deviate from the normal SQL, but in time I will get back to that.

It recently came to pass that I had to build a domain in the cloud, and I will admit that setting up the PowerShell management aspects of this task took much longer than it should have, not because it is difficult, but because the information is difficult to find. This post will focus on getting your machine or a management VM set up to run PowerShell commands against your Azure subscription. I encourage you to jump to Option 2, as it takes just a few minutes to set up. You are welcome to perform Option 1 if you want to understand the internal workings of Option 2.


For the case I am using, I decided to use an IaaS VM as my management server; these tasks can also be done on your local machine with internet access, and the steps are the same. I chose a small VM in Azure because I am between functional machines at the moment, and since I can select to have my VM replicated, it will always be easy for me to get to and will always be there. If you do choose this route, do not join it to one of your affinity groups, storage accounts or networks. I simply chose West DC and accepted all of the defaults. The other nice thing about this is that you get internet access with no configuration changes.


Getting your machine ready to run Azure cmdlets  

Install the Azure PowerShell CmdLets


  1. Build an IaaS VM, accepting all of the defaults. If you are using an on-premises machine, go to step 2.
  2. Download and install the Windows Azure PowerShell cmdlets


Option 1 (Hard way)

Configuring your certificate and subscription manually


The annoying part of this is: where do you get makecert? Visual Studio, the Windows SDK, or any IIS Server will have it. While it is annoying, if you are a Windows admin or a developer you have access to makecert.


1.  This part is not actually that hard, but it can be troublesome. The actual doc is "Create a Management Certificate for Windows Azure", but it is less useful than you might hope. The painful details of MakeCert are located here.

makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"

 2.  From the machine you created the cert on, log in to the Windows Azure Portal. Select Settings from the bottom left of the Azure portal, then select Upload on the bottom center of the ribbon. Browse for the file and choose the cert you created in the prior step. Choose your subscription and select the check!

 3.  Now for the parameters you will need to load up for Set-AzureSubscription: run the following in a PowerShell Azure CMD window.

a.       $subID = "<Subscription ID>"

b.      $thumbprint = "<Certificate Thumbprint>"  (In the Azure Portal, on the Settings page under Management Certificates, scroll all the way to the right of the subscription ID to the Thumbprint column and copy that value.)

c.       $myCert = Get-Item Cert:\CurrentUser\My\$thumbprint

d.      Set-AzureSubscription -SubscriptionName "TestSub" -SubscriptionId $subID -Certificate $myCert

e.       To verify, run "Get-AzureService | select ServiceName" (If you are good and pure of heart this should return a list of services that are running under the subscriptions that were imported in the above step.)
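
Steps a through e as one script, as an added example rather than code from the original post. It goes beyond the steps by checking the certificate before registering it: a thumbprint pasted from the portal can carry spaces or invisible characters, and a certificate without its private key cannot authenticate. The function name Register-MgmtCert is hypothetical, and the values in the usage comment are the same placeholders as in steps a and b.

```powershell
# Added example, not from the original post. Needs the Windows Azure PowerShell
# cmdlets from the install step. Register-MgmtCert is a hypothetical helper name.
function Register-MgmtCert {
    param(
        [Parameter(Mandatory = $true)] [string] $SubscriptionName,
        [Parameter(Mandatory = $true)] [string] $SubscriptionId,
        [Parameter(Mandatory = $true)] [string] $Thumbprint
    )

    # A subscription ID is a GUID; the cast throws on a malformed value.
    $subId = ([guid] $SubscriptionId).ToString()

    # Drop anything that is not a hex digit: spaces and invisible characters
    # picked up when copying the thumbprint out of a browser or the cert UI.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }

    # makecert -ss My put the certificate in the current user's store, so this
    # must run as the same user who created it.
    $path = "Cert:\CurrentUser\My\$clean"
    if (-not (Test-Path -Path $path)) {
        throw "Certificate $clean is not in CurrentUser\My."
    }
    $cert = Get-Item -Path $path

    # The uploaded .cer is public only; authentication needs the private key here.
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired $($cert.NotAfter)." }

    Set-AzureSubscription -SubscriptionName $SubscriptionName `
        -SubscriptionId $subId -Certificate $cert

    # Same verification as step e; with -ErrorAction Stop a failure is terminating.
    Get-AzureService -ErrorAction Stop | Select-Object ServiceName
}

# Placeholders as in steps a and b; substitute your own values.
# Register-MgmtCert -SubscriptionName 'TestSub' `
#     -SubscriptionId '<Subscription ID>' -Thumbprint '<Certificate Thumbprint>'
```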


Option 2 (the easy way)


Let us do the work for you

1. Launch the Windows Azure PowerShell CMD window

2. Get-AzurePublishSettingsFile

3. Log into your Azure Portal if you have not already. (You will notice this launches the old Azure portal. If this ever changes I will try to make sure this post gets updated.)

4. Select Save As and save the file in a location you will remember.

5. Import-AzurePublishSettingsFile -PublishSettingsFile "C:\FolderIRemember\SubScriptionName-date-credentials.publishsettings"  (You should receive "VERBOSE: Setting: Subscription XYZ as the default and current subscription.")

6. To verify run "Get-AzureService | select ServiceName"  (If you are good and pure of heart this should return a list of services that are running under the subscriptions that were imported in the above step.)
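
The file saved in step 4 embeds the management certificate, private key included, so anyone who obtains a copy can manage the subscription. The following is an added example, not code from the original post, that imports the file and then deletes it, and that lists leftover .publishsettings files under a folder. Both function names are hypothetical.

```powershell
# Added example, not from the original post. Both function names are hypothetical.

# Import the file, then delete it: after a successful import the certificate
# lives in the user's certificate store and the file is only a spare credential.
function Import-ThenRemovePublishSettings {
    param([Parameter(Mandatory = $true)] [string] $Path)

    # -ErrorAction Stop keeps the file in place if the import fails.
    Import-AzurePublishSettingsFile -PublishSettingsFile $Path -ErrorAction Stop
    Remove-Item -LiteralPath $Path -Force
}

# List leftover .publishsettings files under a folder and flag those that
# still carry an embedded management certificate.
function Find-PublishSettingsFile {
    param([string] $Root = $env:USERPROFILE)

    Get-ChildItem -Path $Root -Recurse -Filter '*.publishsettings' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $hasCert = $false
            try {
                $xml = [xml] (Get-Content -LiteralPath $file.FullName -ErrorAction Stop)
                # The certificate is stored in a ManagementCertificate attribute;
                # match it on any element so the exact layout does not matter.
                $hasCert = $xml.SelectNodes('//*[@ManagementCertificate]').Count -gt 0
            } catch {
                Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
            }
            New-Object PSObject -Property @{
                Path                     = $file.FullName
                LastWriteTime            = $file.LastWriteTime
                HasManagementCertificate = $hasCert
            }
        }
}

# Usage, with the path from step 5:
# Import-ThenRemovePublishSettings -Path 'C:\FolderIRemember\SubScriptionName-date-credentials.publishsettings'
# Find-PublishSettingsFile | Where-Object { $_.HasManagementCertificate }
```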


More to come soon on what to do with your new PowerShell Azure enabled machine.

Comments (2)

  1. CindyGross says:

    Some additional clarifications:

    * The "hard way" may take more effort up front but makes managing multiple subscriptions easier over time and is more secure. And it's not all that hard the 2nd time around. 🙂

    * MakeCert has to be run from something like the "Developer Command Prompt for VS2012" which must be run as an administrator.

    * The certificate location defaults to %windir%\system32

    * The select/set/get subscription cmdlets apply to your own machine and are stored in %appdata%\Windows Azure PowerShell\WindowsAzureProfile.xml

    * Some activities such as VM creation require that you also set the current/default storage account:

    Set-AzureSubscription -SubscriptionName $subName -CurrentStorageAccount $defaultStorageAccountName

    * If you manage multiple Azure subscriptions you can set one to be the default for PowerShell on your machine:

    Select-AzureSubscription -Default $subName

  2. CindyGross says:

    Getting Started with Azure PowerShell Cmdlets–Subscription Management…/getting-started-with-azure-powershell-cmdlets-subscription-management.aspx
