
Upgrading PowerShell

For over two years I have used PowerShell to deploy my Logic Apps, API Apps and functions to Azure. The client moved from ADFS to Azure Active Directory Seamless Single Sign-On. I don’t know exactly what this means, to be honest, but what I do know is that I ran into problems with my PowerShell scripts. This was the error:

Add-AzureRmAccount : -Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.

Hum? At once I couldn’t use the AzureRM module anymore to log on to Azure. First, I thought something was wrong with my account, but soon after a Microsoft consultant reported to me that I was using an old version of PowerShell and that I should use the AzureRM module from the new Az module.

Note that the Az module has a compatibility mode to help you use existing scripts. Use the Enable-AzureRmAlias cmdlet. This cmdlet defines AzureRM cmdlet names as aliases for the new Az cmdlet names. If you want to use aliases, it’s recommended to uninstall AzureRM before installing the Az module. With both modules installed, enabling aliases will cause conflicts between AzureRM cmdlets and Az command aliases, and could cause unexpected behavior.

This is the test script I’m using:

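# Load the AzureRM cmdlets used for the login below
Import-Module AzureRM.Resources
$username  = "user@domain.nl"
# Placeholder password, converted to the SecureString that PSCredential expects
$password  = ConvertTo-SecureString "xxx" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $password)
# Non-interactive login; this is the call that produced the error above
Add-AzureRmAccount -Credential $credential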

To check the PowerShell version, I first ran the following command:

PS C:\> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      -1     -1

Version 4.0 is an old version indeed, but up to now I simply had no reason to update it. Moreover, I didn’t want to change all of my scripts. So, I first looked at the option to keep using the scripts with the latest AzureRM.Resources module. Currently, the latest AzureRM module is version 6.13.1. This version requires PowerShell 5.0 or higher. PowerShell needs to be installed as part of Windows Management Framework (WMF). There’s no stand-alone installer for PowerShell. Since you can’t install version 5.0 anymore, you will have to install WMF version 5.1.
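A pre-flight check for the two conditions discussed so far: the PowerShell version, and the AzureRM/Az coexistence that the compatibility note warns about. This is an added example, not the author's script; the function name Test-AzMigrationReadiness is hypothetical, and the 5.1 default is the Windows PowerShell version that the Az module documents as its minimum.

```powershell
# Added example (not from the original post). Run on the deployment machine
# before switching scripts from AzureRM to Az with Enable-AzureRmAlias.

function Test-AzMigrationReadiness {
    param(
        # Assumption: minimum Windows PowerShell version for the Az module.
        [version] $MinimumVersion = '5.1'
    )

    $problems = @()

    # A machine still on 4.0, as in the post, fails here.
    if ($PSVersionTable.PSVersion -lt $MinimumVersion) {
        $problems += "PowerShell $($PSVersionTable.PSVersion) is older than $MinimumVersion; install WMF 5.1 first."
    }

    # -ListAvailable inspects what is installed, not only what is loaded.
    $azureRm = Get-Module -ListAvailable -Name 'AzureRM*'
    $az      = Get-Module -ListAvailable -Name 'Az.Accounts'

    if (-not $az) {
        $problems += 'The Az module is not installed.'
    }
    if ($azureRm -and $az) {
        # The conflict the compatibility note describes.
        $problems += 'AzureRM and Az are both installed; uninstall AzureRM before enabling aliases.'
    }

    # The leading comma keeps an empty result an array instead of $null.
    return ,$problems
}

$problems = Test-AzMigrationReadiness
if ($problems.Count -eq 0) {
    # Aliases apply to the current session only; existing AzureRM cmdlet
    # names in the script now resolve to their Az equivalents.
    Enable-AzureRmAlias -Scope Process
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```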

Before installing the new version, I looked at the system requirements for installing PowerShell 5.1 via WMF 5.1. I am running a Windows Server 2012 R2 machine, which is OK. The other requirement is to use .NET Framework 4.5 or higher, which is installed on Windows Server 2012 R2 by default. Links:
Requirements: Go To
Download WMF 5.1: Go To

Unfortunately, after I ran the installer, I received an error saying that “The update is not applicable to your computer”. Huh? All requirements were satisfied, so I didn’t quite understand what was wrong.

As a last resort, I checked the installed programs (via the Control Panel) and found that Microsoft Azure PowerShell December 2017 was already installed. That’s strange, because this PowerShell installation is of version 5.1 and the PowerShell command $PSVersionTable.PSVersion says I’m using version 4.0. Anyhow, I decided to reinstall Microsoft Azure PowerShell December 2017 and then (very importantly) I restarted my development machine.

Download Microsoft Azure PowerShell December 2017: Go To

Guess what. My scripts did work again! To summarize: this blog post doesn’t give you a crystal clear solution. By describing my quest for a solution, I hope to give you new inspiration and ideas to steer you in the right direction. There’s also a call to action. Within a year, I should switch from the AzureRM module to Azure Az, so I will end with some links on that matter:

Link Azure Az: Go To

An important question is how to log in with a non-interactive Azure account. This is functionality that you need in scripts like my deployment scripts. To be very specific, the question is how to create a service principal in Azure Active Directory. This is what I tried (and it didn’t work):

$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2024; Password="xxx"}
$sp = New-AzAdServicePrincipal -DisplayName PBaarsPrincipal -PasswordCredential $credentials

$tenantId="eea7d518-...1a965"
$passwd = ConvertTo-SecureString "xxx" -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('PBaarsPrincipal', $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -TenantId $tenantId

Error:
Connect-AzAccount : AADSTS700016: Application with identifier 'PBaarsPrincipal' was not found in the directory 'eea7d518-15bf-4e07-8342-71208871a965'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
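The error names 'PBaarsPrincipal' as the application identifier: for a service principal login, the user name in the credential has to be the application (client) ID, which is a GUID, not the display name. The following is an added example of that login, not the author's code; the function name Connect-AzDeployPrincipal and the environment variable names are hypothetical.

```powershell
# Added example (not from the original post). Requires the Az module.
#
# One-time setup, done interactively by someone allowed to register apps:
#   Connect-AzAccount
#   $sp = New-AzADServicePrincipal -DisplayName 'PBaarsPrincipal'
#   # The property holding the application ID differs between Az.Resources
#   # versions, so read whichever one is populated:
#   $appId = if ($sp.AppId) { $sp.AppId } else { $sp.ApplicationId }
# Store $appId and the generated secret in the pipeline's secret store,
# not in the script itself.

function Connect-AzDeployPrincipal {
    param(
        [Parameter(Mandatory)] [string]       $ApplicationId,  # GUID, not the display name
        [Parameter(Mandatory)] [string]       $TenantId,
        [Parameter(Mandatory)] [securestring] $Secret
    )

    # Catch the mistake behind AADSTS700016 before calling Azure AD:
    # a display name such as 'PBaarsPrincipal' does not parse as a GUID.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($ApplicationId, [ref] $parsed)) {
        throw "'$ApplicationId' is not an application ID (GUID). Use the service principal's application ID, not its display name."
    }

    $credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $Secret)
    Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $TenantId
}

# Hypothetical variable names; the build agent injects them at run time, so
# no password literal ends up in the script or in source control.
foreach ($name in 'AZ_SP_APP_ID', 'AZ_SP_SECRET', 'AZ_TENANT_ID') {
    if (-not (Test-Path "Env:$name")) { throw "Environment variable $name is not set." }
}

$secret = ConvertTo-SecureString $env:AZ_SP_SECRET -AsPlainText -Force
Connect-AzDeployPrincipal -ApplicationId $env:AZ_SP_APP_ID `
                          -TenantId      $env:AZ_TENANT_ID `
                          -Secret        $secret
```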

Further reading: Go To