
Azure Custom Extension Policy

I am creating a custom policy to force all VMs that have an image from a certain resource group to join the domain by deploying an extension.

I have run into an issue with it not working: it keeps saying I do not have permissions, even when I hard-code the username and password into the variables.

```json
{
  "if": {
    "allOf": [
      { "field": "type", "in": [ "Microsoft.Compute/virtualMachines", "Microsoft.Compute/VirtualMachineScaleSets" ] },
      { "field": "Microsoft.Compute/imageId", "contains": "resourceGroups/Templates" }
    ]
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "name": "Microsoft.PowerShell",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "existenceCondition": {
        "allOf": [
          { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "CustomScriptExtension" },
          { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.PowerShell" }
        ]
      },
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "vmName": { "type": "string" },
              "location": { "type": "string" }
            },
            "variables": {
              "domainJoinUserName": "",
              "domainJoinUserPassword": "",
              "domainFQDN": "myDomain.com",
              "domainJoinOptions": 3
            },
            "resources": [
              {
                "comments": "Join domain - JsonADDomainExtension",
                "apiVersion": "2015-06-15",
                "type": "Microsoft.Compute/virtualMachines/extensions",
                "name": "[concat(trim(parameters('vmName')[copyIndex()]),'/joindomain')]",
                "location": "[parameters('location')]",
                "copy": { "name": "vmDomainJoinCopy", "count": "[length(parameters('vmName'))]" },
                "properties": {
                  "publisher": "Microsoft.Compute",
                  "type": "JsonADDomainExtension",
                  "typeHandlerVersion": "1.3",
                  "autoUpgradeMinorVersion": true,
                  "settings": {
                    "Name": "[variables('domainFQDN')]",
                    "User": "[variables('domainJoinUserName')]",
                    "Restart": "true",
                    "Options": "[variables('domainJoinOptions')]"
                  },
                  "protectedSettings": { "Password": "[variables('domainJoinUserPassword')]" }
                }
              }
            ]
          }
        }
      }
    }
  }
}
```

Here is a very detailed Azure policy to join the VM with the Domain and it worked for me. Please check and see if it helps:

```json
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "anyOf": [
          { "field": "Microsoft.Compute/imageId", "in": "[parameters('listOfImageIdToInclude')]" },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "WindowsServer" },
              {
                "field": "Microsoft.Compute/imageSKU",
                "in": [
                  "2008-R2-SP1", "2008-R2-SP1-smalldisk", "2012-Datacenter", "2012-Datacenter-smalldisk",
                  "2012-R2-Datacenter", "2012-R2-Datacenter-smalldisk", "2016-Datacenter",
                  "2016-Datacenter-Server-Core", "2016-Datacenter-Server-Core-smalldisk",
                  "2016-Datacenter-smalldisk", "2016-Datacenter-with-Containers", "2016-Datacenter-with-RDSH"
                ]
              }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "WindowsServerSemiAnnual" },
              {
                "field": "Microsoft.Compute/imageSKU",
                "in": [
                  "Datacenter-Core-1709-smalldisk", "Datacenter-Core-1709-with-Containers-smalldisk",
                  "Datacenter-Core-1803-with-Containers-smalldisk"
                ]
              }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServerHPCPack" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "WindowsServerHPCPack" }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftSQLServer" },
              {
                "anyOf": [
                  { "field": "Microsoft.Compute/imageOffer", "like": "*-WS2016" },
                  { "field": "Microsoft.Compute/imageOffer", "like": "*-WS2016-BYOL" },
                  { "field": "Microsoft.Compute/imageOffer", "like": "*-WS2012R2" },
                  { "field": "Microsoft.Compute/imageOffer", "like": "*-WS2012R2-BYOL" }
                ]
              }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftRServer" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "MLServer-WS2016" }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftVisualStudio" },
              { "field": "Microsoft.Compute/imageOffer", "in": [ "VisualStudio", "Windows" ] }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftDynamicsAX" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "Dynamics" },
              { "field": "Microsoft.Compute/imageSKU", "equals": "Pre-Req-AX7-Onebox-U8" }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "microsoft-ads" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "windows-data-science-vm" }
            ]
          },
          {
            "allOf": [
              { "field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsDesktop" },
              { "field": "Microsoft.Compute/imageOffer", "equals": "Windows-10" }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/" ],
      "existenceCondition": {
        "allOf": [
          { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "JsonADDomainExtension" },
          { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Compute" },
          { "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", "equals": "Succeeded" }
        ]
      },
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "ouPath": { "type": "string" },
              "domainFQDN": { "type": "string" },
              "vmName": { "type": "string" },
              "location": { "type": "string" }
            },
            "variables": { "domainJoinOptions": 131075 },
            "resources": [
              {
                "type": "Microsoft.Compute/virtualMachines/extensions",
                "comments": "Join domain - JsonADDomainExtension",
                "name": "[concat(parameters('vmName'), '/JsonADDomainExtension')]",
                "apiVersion": "2018-06-01",
                "location": "[parameters('location')]",
                "properties": {
                  "publisher": "Microsoft.Compute",
                  "type": "JsonADDomainExtension",
                  "typeHandlerVersion": "1.3",
                  "autoUpgradeMinorVersion": true,
                  "settings": {
                    "Name": "[parameters('domainFQDN')]",
                    "User": "username",
                    "Restart": "true",
                    "Options": "[variables('domainJoinOptions')]",
                    "OUPath": "[parameters('ouPath')]"
                  },
                  "protectedSettings": { "Password": "Password" }
                }
              }
            ],
            "outputs": {
              "policy": { "type": "string", "value": "[concat('Enabled extension for VM', ': ', parameters('vmName'))]" }
            }
          },
          "parameters": {
            "vmName": { "value": "[field('name')]" },
            "location": { "value": "[field('location')]" },
            "ouPath": { "value": "[parameters('ouPath')]" },
            "domainFQDN": { "value": "[parameters('domainFQDN')]" }
          }
        }
      }
    }
  }
}
```

Make sure you are passing the correct user name and password.

Alternatively, you can refer to this article for the same request.

https://blogs.msdn.microsoft.com/igorpag/2016/01/25/azure-arm-vm-domain-join-to-active-directory-domain-with-joindomain-extension/

Hope it helps.
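An added example, not code from the question or the answer above: a small Python linter that reads a deployIfNotExists policy rule and flags the defects visible in this thread. It checks for a missing or placeholder `roleDefinitionIds` (without it the assignment's managed identity is granted nothing, which surfaces as the "no permissions" error), an `existenceCondition` that names a different extension than the template deploys, template parameters the deployment never supplies, and a password placed in `settings` rather than `protectedSettings`. `ASKER_RULE` is a constructed, trimmed copy of the asker's policy structure; the role id check is a format check only.

```python
import re
EXT_TYPE = "Microsoft.Compute/virtualMachines/extensions"
ROLE_ID_RE = re.compile(r"/roleDefinitions/[0-9a-f-]{36}$", re.I)  # format check only

# Constructed sample in the shape of the asker's policy, trimmed to the fields the checks read.
ASKER_RULE = {"then": {"effect": "deployIfNotExists", "details": {
    "existenceCondition": {"allOf": [
        {"field": EXT_TYPE + "/type", "equals": "CustomScriptExtension"},
        {"field": EXT_TYPE + "/publisher", "equals": "Microsoft.PowerShell"}]},
    "deployment": {"properties": {"mode": "incremental", "template": {
        "parameters": {"vmName": {"type": "string"}, "location": {"type": "string"}},
        "resources": [{"type": EXT_TYPE, "properties": {
            "publisher": "Microsoft.Compute", "type": "JsonADDomainExtension",
            "settings": {"Name": "myDomain.com", "User": "joinuser"},
            "protectedSettings": {"Password": "<placeholder>"}}}]}}}}}}

def lint_dine_policy(rule: dict) -> list:
    """Return the problems found in a deployIfNotExists rule (empty list means clean)."""
    then = rule.get("then", {})
    if then.get("effect", "").lower() != "deployifnotexists":
        return ["effect is not deployIfNotExists"]
    details, problems = then.get("details", {}), []
    # 1. Without roleDefinitionIds the assignment's managed identity is granted nothing,
    #    so remediation fails with a permissions error (the symptom in the question).
    roles = details.get("roleDefinitionIds") or []
    if not roles:
        problems.append("no roleDefinitionIds: remediation identity gets no rights")
    elif not all(ROLE_ID_RE.search(r) for r in roles):
        problems.append("roleDefinitionIds holds a placeholder, not a full role definition id")
    # 2. existenceCondition must describe the extension the template deploys, otherwise
    #    the VM is never evaluated as compliant and the deployment keeps re-running.
    deployment = details.get("deployment", {}).get("properties", {})
    template = deployment.get("template", {})
    ext = next((r for r in template.get("resources", []) if r.get("type") == EXT_TYPE), None)
    if ext is None:
        problems.append("template deploys no VM extension")
    else:
        props = ext.get("properties", {})
        deployed = {EXT_TYPE + "/type": props.get("type"), EXT_TYPE + "/publisher": props.get("publisher")}
        for cond in details.get("existenceCondition", {}).get("allOf", []):
            field = cond.get("field")
            if field in deployed and cond.get("equals") != deployed[field]:
                problems.append(f"existenceCondition {field} != deployed {deployed[field]}")
        if "Password" in props.get("settings", {}):  # settings is stored in clear text
            problems.append("Password is in settings instead of protectedSettings")
    # 3. Every template parameter must be fed from the deployment's parameters block.
    for name in template.get("parameters", {}):
        if name not in deployment.get("parameters", {}):
            problems.append(f"template parameter '{name}' is never supplied")
    return problems
```

Run against the asker's structure it reports the missing role ids, both mismatched existence fields and the two unsupplied parameters; the answer's policy passes every check except the empty role definition id, which it reports as a placeholder.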
