AZ Store Azure Credentials
Before you can run any of our Azure scripts, you need to create a credentials file to authenticate your Azure tenant with ControlUp. For this purpose, use the AZ Store Azure Credentials script, which you can either download from here or, as shown in this article, download and run from the Real-Time Console.
Download and Add the Azure Credentials Script to the Console
If you are running the credentials script for the first time, you need to add the AZ Store Azure Credentials script to your Organizational Scripts manually. You can skip this section if you already have this script installed in your ControlUp organization.
To add the AZ Store Azure Credentials script to your ControlUp organization:
Open the Real-Time Console with a user that has permissions to download and manage script actions, ideally a ControlUp Admin.
In the Home ribbon of the Real-Time Console, click Script Actions. The Script Management window opens.
In the search box, type “AZ Store”. The AZ Store Azure Credentials script is displayed. Click Add Script to add the script to your Organizational Scripts.
Accept the terms and conditions by clicking the I accept the terms of the License Agreement button. Click Next.
Select the user groups that are allowed to run the script. Click Add Action to save the script to the Organizational Scripts library.
After the script has been downloaded and saved, you need to change its execution context. The execution context indicates where the script should run, in this case the console machine. You must also change the security context, which defines which user executes the script on the console machine. Ideally, the script should be run by someone from the Shared Credentials Store.
To set the context of the script:
Locate the AZ Store Azure Credentials script and click Modify.
Under Execution Context, select ControlUp Console/Monitor.
Under Security Context, select Prompt upon execution and select a user from your shared credentials so that you can use the script as an Automated Action. Click OK to exit the window.
You can see that the version number has been incremented. Click Finalize to save the script.
In the Share script options, decide if you want to share the script with ControlUp community members. Click Next.
Define the user groups that should be allowed to run the script. Click OK.
The script has moved to the Organizational Scripts and is now ready to be executed on the console machine. The next section explains how to use the script.
Run the Script on the Console Machine
Now that you have downloaded and installed the script, it is time to run it. In the previous section, while setting up the script, we set the execution context to ControlUp Console/Monitor. This means that the credentials script is executed on the machine running the Real-Time Console or the monitor. To execute a script-based action, the ControlUp Agent must be installed on the console machine; otherwise, you cannot run the script.
To create the credential files:
In the Real-Time Console, connect to the console machine. If the machine has no ControlUp Agent installed yet, you will be asked to install it. As mentioned above, we need to have the agent installed to run the script.
In the Machines tab, right-click the console machine, then locate and click the AZ Store Azure Credentials script action.
Enter the details of your Azure tenant:
- Azure Tenant ID. The ID of your Azure tenant.
- Azure Application ID. The Application ID that you already use for your Azure connection in ControlUp.
- Azure Client Secret. The client secret value that you already use for the registered ControlUp application in your Azure AD.
Click OK and the script runs on your console machine. It creates 2 PowerShell credential files in the %ALLUSERSPROFILE%\ControlUp\ScriptSupport folder.
Credential Files
It's worth looking at the credential files briefly. As it is best practice not to use plain-text user credentials, another security mechanism is needed to protect the credentials of your Azure tenant. A credentials file fulfills this requirement perfectly.
In a nutshell, the credential file:
- Streamlines the authentication process. No manual authentication needed.
- Encrypts the Client Secret and saves it in a PSCredential object.
- Is created for a specific Active Directory user, as indicated by the first part of the filename. Only users with valid credential files in the %ALLUSERSPROFILE%\ControlUp\ScriptSupport folder are allowed to execute Azure scripts.
Do not delete credential files from your console machine, since running an Azure script will fail at runtime if they are removed.
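The protection described above can be observed with a standard PowerShell credential file. The following is an added example, not the ControlUp script's own code: it assumes the files are written with Export-Clixml (the page only calls them PowerShell credential files), and the Application ID, secret and demo file name are constructed.

```powershell
# Added example. All values are constructed; the file name is hypothetical.
$appId  = '00000000-0000-0000-0000-000000000000'   # constructed Application ID
$secret = 'constructed-client-secret'              # constructed client secret
$path   = Join-Path $env:TEMP "$($env:USERNAME)_demo_cred.xml"

# PSCredential: user name = Application ID, password = client secret.
$secure = ConvertTo-SecureString -String $secret -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secure)

# On Windows, Export-Clixml encrypts the SecureString with DPAPI under the
# current user's key on this machine; the user name is stored in clear text.
$cred | Export-Clixml -Path $path

# Check 1: the secret must not appear in the file in plain text.
$leaked = (Get-Content -Path $path -Raw).Contains($secret)
"Plain-text secret found in file: $leaked"

# Check 2: the user who created the file can decrypt it on this machine.
# Import-Clixml run as another user or on another machine cannot recover it.
$restored = Import-Clixml -Path $path
$ok = $restored.GetNetworkCredential().Password -eq $secret
"Round trip as $($env:USERNAME): $ok"
Remove-Item -Path $path

# Check 3: inventory the folder named on this page, if it exists.
$support = Join-Path $env:ALLUSERSPROFILE 'ControlUp\ScriptSupport'
if (Test-Path -Path $support) {
    Get-ChildItem -Path $support -File | ForEach-Object {
        [pscustomobject]@{
            File          = $_.Name
            Owner         = (Get-Acl -Path $_.FullName).Owner
            LastWriteTime = $_.LastWriteTime
        }
    }
}
```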