There are two types of encryption keys to consider.
BEK – Bit Locker Encryption Key
KEK – Key Encryption Key
The encryption service uses Key Vault to manage the secrets, to do this we need an application in Azure AD that has permissions (Set by a Key Vault Access Policy) to operate inside of Key Vault.
This is used if you are just using BEK or setting up KEK for Azure Backup support.
For KEK a Key must be imported or created in the Key Vault. You reference this key when running the commands.
Finally, the Backup Management Service needs permissions to access the Key Vault and the keys.
Image 1: Example of Secrets inside of Key Vault
Please note: You will need a Key Vault before you can complete this procedure. The Key Vault must be in the same region as the VM that will be encrypted.
1. Set up an Azure AD Application
In Azure Active Directory, select App registrations and create a new app registration. Enter a Name, select Web app / API and assign a sign-on URL (you will not use this so a default entry is adequate).
Image 2: App Registration in Azure Active Directory
Make a note of the Application ID and create and take note of the application Key. Please note that the Key will only be available to you after it is saved and only once on the page. After that it will be hidden.
2. Configure the permissions in the Key Vault for the new Azure AD Application
In the Key Vault set up an Access Policy for the new application.
Image 3: Setting up permissions in the Key Vault (an Access Policy)
Key Permissions need to be set to Wrap Key, Secret permissions to Set.
Image 4: Setting the Key Vault Access Policy for the Azure AD Application
3. Create a Key in Key Vault
This will be the key used to wrap the BEK, also known as the KEK
Image 5: Creating the KEK
4. Set permissions for the Backup Management Service
Select Access Policies and from the template select Azure Backup. The principal will be Backup Management Service.
Image 6: Creating the Access Policy for the Backup Management Service
5. Check the Advanced access policies to enable access to Azure Disk Encryption for volume encryption.
Image 7: Setting the Advanced Access policies for Disk Encryption
I was recently asked to quickly audit a customer’s environment for all running VMs. I quickly reached for my PowerShell toolbox and put together the following script.
In the example below I have used the table grid views available. It would be just as easy to push all this info to a csv file. For swiftness this was my approach, I’d be very interested to hear from the gurus out there to see what your preference is and how you would do this.
Remember there is always a better way, just don’t keep that to yourself!
I have a number of customers implementing HUB benefit for their IaaS VMs in Azure. In all cases to date this is a rebuild or new build as part of a migration. It works very well, if licensed, you should definitely be looking at this option to drive down costs.
This script created a new network but in most instances a network will already exist and although you will create a new NIC you will want to place this VM into an existing subnet.
The extract below can be used to create a new NIC but add this to a named vNet and Subnet.
When you define the VM configuration you would use this to be the NIC.
Finally make sure this (if the first NIC) is set as -Primary
Tagging in Azure is a massively useful feature. I have customers who are interested in identifying resources for billing but they are also a very useful tool for control. Resources can be grouped by tag and then a script can be used to apply a function to all machines or services with the same tag.
In the example below I call a variable that looks for Azure resources where the type is identified as a Microsoft virtual machine. Calling this function enables me to extract a range of information. (I fact this script then goes on and uses the ResourceId too)
As referenced in Using tags to organize your Azure resources tags are updated as a whole so if you want to add additional tags you first have to call the existing tags. In the example below I am adding the new tag to my existing tags.
Finally we are looping this for each vm and applying via a set command.
I put together a quick script to auto shutdown tagged ARM VMs.
There are many people still running ASM VMs and why wouldn’t you they are still supported (as of 9/2016).
The process is not much different and in fact now Azure Automation enables a RunAs account at set up its much easier to configure.
In the example below I have tacked on changes to the Azure Automation Team’s sample script, one of four created for you when you enable the feature.
<# .DESCRIPTION An example runbook which gets all the Classic VMs in a subscription using the Classic Run As Account (certificate) and then shuts down running VMs .NOTES AUTHOR: Azure Automation Team + Jonathan Wade LASTEDIT: 28-08-2016 #>
$ConnectionAssetName = "AzureClassicRunAsConnection"
$ServiceName = "wadeclassiv01"
# Get the connection
$connection = Get-AutomationConnection -Name $connectionAssetName
# Authenticate to Azure with certificate
Write-Verbose "Get connection asset: $ConnectionAssetName" -Verbose
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
if ($Conn -eq $null)
throw "Could not retrieve connection asset: $ConnectionAssetName. Assure that this asset exists in the Automation account."
$CertificateAssetName = $Conn.CertificateAssetName
Write-Verbose "Getting the certificate: $CertificateAssetName" -Verbose
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
if ($AzureCert -eq $null)
throw "Could not retrieve certificate asset: $CertificateAssetName. Assure that this asset exists in the Automation account."
Write-Verbose "Authenticating to Azure with certificate." -Verbose
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
# Get cloud service
$VMs = Get-AzureVM -ServiceName $ServiceName
# Stop each of the started VMs
foreach ($VM in $VMs)
if ($VM.PowerState -eq "Stopped")
# The VM is already stopped, so send notice
Write-Output ($VM.InstanceName + " is already stopped")
# The VM needs to be stopped
$StopRtn = Stop-AzureVM -Name $VM.Name -ServiceName $VM.ServiceName -Force -ErrorAction Continue
if ($StopRtn.OperationStatus -ne 'Succeeded')
# The VM failed to stop, so send notice
Write-Output ($VM.InstanceName + " failed to stop")
# The VM stopped, so send notice
Write-Output ($VM.InstanceName + " has been stopped")
Disclaimer: Please note although I work for Microsoft the information provided here does not represent an official Microsoft position and is provided as is.