Tags: powershell, azure-rest-api, azure-identity

Replicate Azure Virtual Machine Managed Identity configuration REST API with PowerShell Invoke-RestMethod


I recently received helpful guidance on enabling both system-assigned and user-assigned managed identities for an Azure Virtual Machine (VM) through REST API calls. Now, I'm seeking assistance to replicate this process using PowerShell's Invoke-RestMethod.

Here's the REST API call I used to achieve this:

PATCH https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2017-12-01 HTTP/1.1
{
    "identity":{
       "type":"SystemAssigned,UserAssigned",
       "identityIds":[
          "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>"
       ]
    }
}

Could someone assist me in translating this into a PowerShell script using Invoke-RestMethod? Specifically, I need guidance on how to incorporate the authentication using a service principal, constructing the JSON payload, and making the PATCH request.

Any help or examples would be greatly appreciated. Thank you!


Solution

  • You can use the PowerShell script below to enable both identities by calling the REST API with Invoke-RestMethod:

    # Authentication
    $tenantId = "tenantId"
    $clientId = "appId"
    $clientSecret = "secret"
    $tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/token"
    
    $body = @{
        "grant_type"    = "client_credentials"
        "client_id"     = $clientId
        "client_secret" = $clientSecret
        "resource"      = "https://management.azure.com/"
    }
    
    $response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
    $accessToken = $response.access_token
    
    # Define variables
    $subscriptionId = "subId"
    $resourceGroup = "Sri"
    $vmName = "testvm"
    $userAssignedIdentityName = "testusermi"
    $apiVersion = "2017-12-01"
    
    # Construct JSON payload
    $jsonPayload = @{
        "identity" = @{
            "type" = "SystemAssigned,UserAssigned"
            "identityIds" = @(
                "/subscriptions/$subscriptionId/resourcegroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedIdentityName"
            )
        }
    } | ConvertTo-Json
    
    # Construct PATCH URL with formatted vmName 
    $patchUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/{0}?api-version=$apiVersion" -f $vmName
    
    # PATCH request
    $result = Invoke-RestMethod -Method Patch -Uri $patchUrl -Headers @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type"  = "application/json"
    } -Body $jsonPayload
    
    $result
    

    Response:


    When I checked the same in the Portal, both identities were enabled successfully on the Azure virtual machine, as shown below:

    System assigned managed identity:


    User assigned managed identity:

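A merge-and-verify variant of the accepted script, added here as an example (it is not code from the question or the answer). It assumes the service principal secret is supplied in an environment variable named SP_CLIENT_SECRET, that api-version 2017-12-01 returns the user-assigned list in identity.identityIds (later api-versions use a userAssignedIdentities dictionary instead), and that the angle-bracket values are placeholders you replace.

```powershell
# Added example, not from the original post. Assumptions: secret in $env:SP_CLIENT_SECRET,
# api-version 2017-12-01 exposes user-assigned identities as identity.identityIds,
# angle-bracket values are placeholders.
$tenantId       = "<TENANT ID>"
$clientId       = "<APP ID>"
$subscriptionId = "<SUBSCRIPTION ID>"
$resourceGroup  = "<RESOURCE GROUP>"
$vmName         = "<VM NAME>"
$uaiName        = "<USER ASSIGNED IDENTITY NAME>"
$apiVersion     = "2017-12-01"

# Client-credentials token; the secret is read from the environment, not hard-coded.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $env:SP_CLIENT_SECRET
        resource      = "https://management.azure.com/"
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

$vmUrl = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Compute/virtualMachines/${vmName}?api-version=$apiVersion"
$uaiId = "/subscriptions/$subscriptionId/resourcegroups/$resourceGroup" +
         "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaiName"

# Read the current identity block first so already-attached user-assigned identities
# are re-sent in full rather than replaced by a one-item list.
$vm = Invoke-RestMethod -Method Get -Uri $vmUrl -Headers $headers
$desired = @()
if ($vm.identity -and $vm.identity.identityIds) { $desired = @($vm.identity.identityIds) }
if (-not ($desired -contains $uaiId)) { $desired += $uaiId }   # -contains is case-insensitive

$payload = @{ identity = @{ type = "SystemAssigned,UserAssigned"; identityIds = $desired } } |
    ConvertTo-Json -Depth 5   # explicit depth: the default (2) silently flattens deeper objects
Invoke-RestMethod -Method Patch -Uri $vmUrl -Headers $headers `
    -ContentType "application/json" -Body $payload | Out-Null

# Verify by re-reading; fail loudly instead of trusting the PATCH response alone.
$after = Invoke-RestMethod -Method Get -Uri $vmUrl -Headers $headers
if (($after.identity.type -replace '\s', '') -ne "SystemAssigned,UserAssigned") {
    throw "Unexpected identity type: $($after.identity.type)"
}
if (-not ($after.identity.identityIds -contains $uaiId)) {
    throw "User-assigned identity '$uaiName' is not attached to '$vmName'"
}
"System-assigned principalId : $($after.identity.principalId)"
"User-assigned identities    : $($after.identity.identityIds -join ', ')"
```

The service principal only needs a role that allows reading and writing the VM's identity settings on that VM or resource group; granting it subscription-wide Contributor for this task is more access than the operation requires.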