# Storing Azure SPN in Azure Key Vault with Secret Management


As well as the local key vault that comes by default with the SecretManagement module, you can also register other key vaults to use with the module.

In this notebook, we will show how to add an Azure Key Vault to be used with the module and how to add and retrieve secrets.

## Get the modules

Lets make sure we have the modules we require. This code block will trust the PowerShell Gallery and install the AZ modules 

In [None]:
if((Get-PsRepository -Name PSGallery).InstallationPolicy -ne 'Trusted'){
    Write-Output "The PowerShell Gallery is not trusted so I will trust it so that we can install the modules without interaction"
    Set-PsRepository -Name PSGallery -InstallationPolicy Trusted
} else {
    Write-Output "The PowerShell Gallery is trusted I will continue"
}
If((Get-Module Az.* -ListAvailable)){
    Write-Output "We have some AZ modules"
} else {
    Write-Output "We need to install the AZ modules"
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
}
If((Get-Module dbatools -ListAvailable)){
    Write-Output "We have the dbatools module"
} else {
    Write-Output "We need to install the dbatools module"
    Install-Module -Name dbatools -Scope CurrentUser
}

## Connect to Azure

Next we will run `Connect-AzAccount`, you will need to open this link https://microsoft.com/devicelogin sign in and provide the authentication code

In [2]:
# Connect to Azure with a browser sign in token - 
Connect-AzAccount








Account                 SubscriptionName            TenantId                             Environmen


                                                                                         t


-------                 ----------------            --------                             ----------


mrrobsewell@outlook.com Microsoft Azure Sponsorship add02cc8-7eaf-4746-902a-53d0ceeff326 AzureCloud





## Choose the subscription

If you have multiple subscriptions, choose the one that your key vault is in.

In [31]:
# list subscriptions
Get-AzSubscription





Name                               Id                                   TenantId


----                               --                                   --------                   


Microsoft Azure Sponsorship        6d8f994c-9051-4cef-ba61-528bab27d213 add02cc8-7eaf-4746-902a-53…


TP Visual Studio Premium with MSDN 18107f13-584f-4e56-8824-31dfbfffaf7f add02cc8-7eaf-4746-902a-53…


Visual Studio Professional         dd6620e8-486c-4bf7-8c62-115d3e04ea6c add02cc8-7eaf-4746-902a-53…


MVP - Visual Studio Enterprise     71df03d4-33d9-40ca-8924-a69d8ae8924a add02cc8-7eaf-4746-902a-53…


Free Trial                         e8a3b955-9a1e-46ac-a9eb-c0cd80b20980 add02cc8-7eaf-4746-902a-53…





In [33]:
# Set subscription by Name
$AzureSubscription = Set-AzContext -SubscriptionName "Microsoft Azure Sponsorship"




Name               : Microsoft Azure Sponsorship (6d8f994c-9051-4cef-ba61-528bab27d213) - 


                     mrrobsewell@outlook.com


Account            : mrrobsewell@outlook.com


Environment        : AzureCloud


Subscription       : 6d8f994c-9051-4cef-ba61-528bab27d213


Tenant             : add02cc8-7eaf-4746-902a-53d0ceeff326


TokenCache         : Microsoft.Azure.Commands.Common.Authentication.Core.ProtectedFileTokenCache


VersionProfile     : 


ExtendedProperties : {}








## Register your Azure Key Vault with Secret Management Module

For the Secret Management Module to manage the Azure Key Vault, you first need to register it. 

Ensure that you have permissions to connect by following the details in the network security documentation https://docs.microsoft.com/en-us/azure/key-vault/general/network-security and the secure access documentation https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault

Then you can run `Register-SecretVault` You need to provide the local name for the key vault, the module name `Az.KeyVault`, and a `VaultParameters` hashtable with the KeyVault name and the Azure Subscription ID. You can register other types of Key Vaults to the Secret Management module, they will require different values for the `VaultParameters` parameter.

In [None]:
$KeyVaultName = 'beard-key-vault'
Register-SecretVault -Name BeardKeyVault -ModuleName Az.KeyVault -VaultParameters @{ AZKVaultName = $KeyVaultName; SubscriptionId = $AzureSubscription.Subscription }

## Create an SPN in Azure

With the Az modules you can create a new Service Principal Name and then store the appid and the secret in the key vault

In [4]:
$sp = New-AzADServicePrincipal -DisplayName BeardElasticPoolSPN
Set-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNApplicationID -Secret (ConvertTo-SecureString  $sp.ApplicationId.Guid -AsPlainText)
Set-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNSecret -Secret $sp.secret
Set-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNSecret -Secret bKjNF4-M7w004JrnTlZnvY.C-fAyg1-whd



In [43]:
Get-SecretVault -Name BeardKeyVault
Get-SecretInfo -Vault BeardKeyVault -Name BeardElasticPoolSPNApplicationID 
Get-SecretInfo -Vault BeardKeyVault -Name BeardElasticPoolSPNSecret




Name          ModuleName  ImplementingType


----          ----------  ----------------


BeardKeyVault Az.KeyVault 





Name      : BeardElasticPoolSPNApplicationID


Type      : SecureString


VaultName : BeardKeyVault








Name      : BeardElasticPoolSPNSecret


Type      : SecureString


VaultName : BeardKeyVault








In [69]:
Set-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNSecret -Secret (ConvertTo-SecureString  'bKjNF4-M7w004JrnTlZnvY.C-fAyg1-whd' -AsPlainText) 

In [78]:
$AzureSql = 'beard-elasticsql-dev.database.windows.net'
$appid = Get-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNApplicationID -AsPlainText
$Clientsecret = Get-Secret -Vault BeardKeyVault -Name BeardElasticPoolSPNSecret
$credential = New-Object System.Management.Automation.PSCredential ($appid,$Clientsecret)
$appid 
$Clientsecret
$credential.GetNetworkCredential().Password
Invoke-DbaQuery -SqlInstance $AzureSql -Database devbeardsqldma  -SqlCredential $credential -Query "Select 1 as one" -Verbose


8851588b-3041-4024-8fac-812b07199258


System.Security.SecureString


bKjNF4-M7w004JrnTlZnvY.C-fAyg1-whd


[93mVERBOSE: [08:47:58][Connect-DbaInstance] Connecting to Data Source=TCP:beard-elasticsql-dev.database.windows.net,1433;Initial Catalog=devbeardsqldma;User ID=8851588b-3041-4024-8fac-812b07199258;Password=********;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=False;Application Name="dbatools PowerShell module - dbatools.io"[0m


[93mVERBOSE: [08:47:58][Connect-DbaInstance] Connecting to Azure: beard-elasticsql-dev.database.windows.net[0m




In [75]:
Get-Error




[92mException             : [0m


    [92mType           : [0mSystem.Exception


    [92mMessage        : [0mLogin failed for user '8851588b-3041-4024-8fac-812b07199258'.


    [92mInnerException : [0m


        [92mType               : [0mSystem.Data.SqlClient.SqlException


        [92mErrors             : [0m


            [92mSource     : [0mCore .Net SqlClient Data Provider


            [92mNumber     : [0m18456


            [92mState      : [0m1


            [92mClass      : [0m14


            [92mServer     : [0mTCP:beard-elasticsql-dev.database.windows.net,1433


            [92mMessage    : [0mLogin failed for user '8851588b-3041-4024-8fac-812b07199258'.


            [92mLineNumber : [0m65536


        [92mClientConnectionId : [0m5491b22d-e392-4db3-bd9b-f298c05caee6


        [92mClass              : [0m14


        [92mLineNumber         : [0m65536


        [92mNumber             : [0m18456


        [92mServer             : [0mTCP:beard-elasticsql-dev.database.windows.net,1433


        [92mState              : [0m1


        [92mSource             : [0mCore .Net SqlClient Data Provider


        [92mErrorCode          : [0m-2146232060


        [92mTargetSite         : [0m


            [92mName          : [0mCheckPoolBlockingPeriod


            [92mDeclaringType : [0mSystem.Data.ProviderBase.DbConnectionPool, 


System.Data.SqlClient, Version=4.6.1.1, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a


            [92mMemberType    : [0mMethod


            [92mModule        : [0mSystem.Data.SqlClient.dll


        [92mStackTrace         : [0m


   at System.Data.ProviderBase.DbConnectionPool.CheckPoolBlockingPeriod(Exception e)


   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, 


DbConnectionOptions userOptions, DbConnectionInternal oldConnection)


   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, 


DbConnectionOptions userOptions, DbConnectionInternal oldConnection)


   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 


waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, 


DbConnectionOptions userOptions, DbConnectionInternal& connection)


   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, 


TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)


   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, 


TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, 


DbConnectionInternal& connection)


   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection 


outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, 


DbConnectionOptions userOptions)


   at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, 


DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions 


userOptions)


   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)


   at System.Data.SqlClient.SqlConnection.Open()


   at Microsoft.SqlServer.Management.Common.ConnectionManager.InternalConnect()


   at Microsoft.SqlServer.Management.Common.ConnectionManager.Connect()


        [92mMessage            : [0mLogin failed for user '8851588b-3041-4024-8fac-812b07199258'.


        [92mData               : [0mSystem.Collections.ListDictionaryInternal


        [92mHResult            : [0m-2146232060


    [92mHResult        : [0m-2146233088


[92mTargetObject          : [0mbeard-elasticsql-dev.database.windows.net


[92mCategoryInfo          : [0mNotSpecified: (beard-elasticsql-de…atabase.windows.net:PSObject) 


[Write-Error], Exception


[92mFullyQualifiedErrorId : [0mdbatools_Invoke-DbaQuery,Stop-Function


[92mErrorDetails          : [0mLogin failed for user '8851588b-3041-4024-8fac-812b07199258'.


[92mInvocationInfo        : [0m


    [92mMyCommand        : [0mStop-Function


    [92mScriptLineNumber : [0m47464


    [92mOffsetInLine     : [0m17


    [92mHistoryId        : [0m83


    [92mScriptName       : 


[0mC:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113\allcommands.ps1


    [92mLine             : [0mStop-Function -Message "Failure" -ErrorRecord $_ -Target $instance 


-Continue


                       


    [92mPositionMessage  : [0mAt 


C:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113\allcommands.ps1:47464 char:17


                       + …             Stop-Function -Message "Failure" -ErrorRecord $_ -Target  …


                       +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    [92mPSScriptRoot     : 


[0mC:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113


    [92mPSCommandPath    : 


[0mC:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113\allcommands.ps1


    [92mInvocationName   : [0mStop-Function


    [92mCommandOrigin    : [0mInternal


[92mScriptStackTrace      : [0mat Stop-Function, 


C:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113\allcommands.ps1: line 83443


                        at Invoke-DbaQuery<Process>, 


C:\Users\mrrob\OneDrive\Documents\PowerShell\Modules\dbatools\1.0.113\allcommands.ps1: line 47464


                        at <ScriptBlock>, <No file>: line 8


[92mPipelineIterationInfo : [0m












