Adding an Azure Subscription in VMM

Since VMM 2012 R2 (update rollup 6), you can add Azure subscription to VMM and perform basic actions on Azure IaaS VMs.Both VMM 2012 R2 and VMM 2016 support only classic Azure VMs and you may find that even Management Portal button in the VMM console still points to an old Azure portal ( which is no longer available.

VMM 2016 doesn’t bring any new changes to this feature and provides the same functionality for Azure VMs management through VMM console. However, VMM 1801 (the latest version available in semi-annual channel)  introduced a support for ARM-based VMs and region specific Azure subscriptions.

So, you can manage both classic VMs and ARM-based VMs using Azure AD Authentication or management certificates in VMM 1801. In this article, we will cover how to manage classic Azure VMs from VMM 2012 R2/2016, and then we briefly discuss new changes in VMM 1801 release.

What do you need?

  •  The console computer where this feature will be installed must have connectivity to the Internet in order to connect to the Azure Subscription
  • An active Azure subscription. For example, I’m using the one which goes with my MSDN subscription. You can also use a free Azure subscription.
  • You must be at least a Service Administrator for the Microsoft Azure Subscription being added. For example, I’m an owner of my subscription and no actions needed.
  • Microsoft Azure Subscription must have a Management Certificate associated with it in order to allow VMM to use the service management API in Microsoft Azure (will complete this later in this post)
  • The certificate needs to be present in the Current User \ Personal store of the computer running the VMM console. (will complete this later in this post)
  • The Management Certificate that is associated with the Azure Subscription must be present in the local certificate store on the computer that the wizard is being run on (will complete this later in this post)

How to do it?

  • On the VMM Server, open PowerShell with administrative privileges, and run the following to request a new self-signed certificate and add it to Personal store :
#This password will be used for PFX file
$pass= ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force 

#New self-signed certificate
$cert = New-SelfSignedCertificate -FriendlyName  -Subject -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom -KeyExportPolicy ExportableEncrypted -KeyLength 4096 -KeySpec KeyExchange

#Export PFX (if you plan to connect from another machine, import this PFX to the Personal store on your computer)
Export-PfxCertificate -Cert $cert  -FilePath C:\Cert\AzuretoVMM.pfx -Password $pass

#Export CER file which will be uploaded to Azure
Export-Certificate  -Cert $cert  -Type CERT -FilePath C:\Cert\RLVMM.cer
  • In the Azure Portal, go to Subscriptions –> Management Certificates and select C:\Cert\RLVMM.cer to upload. Once uploaded, copy your subscription ID as shown in the picture:

add azure subscription_1

  • Switch back to the VMM Console, navigate to VMs and Services and right click on Azure Subscriptions and select Add Subscription; type a display name of the subscription, paste Subscription ID and select the certificate that has been already added to the Personal store (VMM console automatically discovers all eligible certificates). If no certificates are shown, check certificates and their thumbprints in the Personal store (certmgr.msc)

add azure subscription_2

Note: Certificates and subscription setting information is stored in the Registry under HKEY_CURRENT_USER and is per login specific. This means that subscriptions that are added are visible on a per-machine, per-login basis.

  • Verify that new subscription has been added. If you have classic VMs running under the subscription, you will see a list of such VMs in the VMM.

As you can see in the following screenshot, actions are limited to Start, Stop, Shut Down, Restart and Connect via RDP


Note: Public and Internal IP addresses as well as VM size and other information is shown on the details pane

  • Repeat the same steps to add another subscription if needed.

What’s new in VMM 1801?

Unlike VMM 2012R2/2016, VMM 1801 supports management of Azure subscriptions and ARM-based VMs (which are the default in Azure now) through Azure Active Directory and region-specific Azure subscriptions. (namely Germany, China,  US Government Azure regions). VMM 1801 has also updated Azure Subscription wizard and now you can select between two authentication types: certificate-based or Azure AD-based. If Azure AD is selected, you don’t need to create and upload the certificate to Azure. Otherwise, use the steps above to integrate VMM 1801 with Azure using management certificate authentication.

To enable Azure AD-based authentication, you need to create AD Application using Azure Portal. Use the following step to create the AD Application:

  • Click on Azure Active Directory, go to App Registrations and click on New Application Request, then type an app name (for example, VMM1801) and sign-on URL (I used “fake” – https://rllab,com/vmm1801 and it works. You can change it later)
  • Go back to App Registration, switch to All Apps and copy the Application ID of the app you have just created.
  • In the Application properties, click on Settings, and then Keys; provide key description and duration, and click on Save; copy the key value

add azure subscription_5

  • In the Azure Portal, go to Properties of Azure AD and copy the Directory ID
  • Assign application to Classic Virtual Machine Contributor and Virtual Machine Contributor roles (Subscription – Access Control (IAM) – Add)
  • Open VMM Console and press Add Subscription, paste Subscription ID, Application ID, Directory ID and Key Value to the corresponding fields as shown in the screenshot:

add azure subscription_4

Note: Using Select Azure cloud drop-down list you can choose Azure reqion (Public, China, Germany or Government)

Once subscription is added to VMM, you can manage both classic and ARM based VMs in VMM 1801:

add azure subscription_6

Note: you might have noticed that instead of Shutdown action VMM 1801 offers Stop and Deallocate which is more preferable for Azure VMs. Also, MS fixed Management Portal button and now it’s linked to 🙂

That’s it. I hope this post will be helpful for someone Улыбка.

Automate SCOM 2016 installation with PowerShell

This blog post demonstrates how to automate installation of SCOM 2016 and its requirements using PowerShell. If you’d like, you can also use it partly to install just software prerequisites or service accounts.

My demo lab is configured in the following way:

  • SCOM Server –  VM with up to 8Gb RAM, 4vCPU, Windows Server 2016
  • SCOM VMs has an Internet Connection (to get Report Viewer/Runtime)
  • SQL Server – VM with up to 4Gb RAM. Windows Server 2016
  • Database Services, Full Text and Reporting Services – Native were installed on the SQL Server VM.
  • These machines are also joined to the same domain
  • SCOM media copied to the <systemdrive>\SCOM2016
  • I checked the script using my domain administrator account
  • Download link is available at the bottom
What does the script do?
  • Downloads and installs Report Viewer Controls and required Runtime
New-Item $env:systemdrive\SCOM2016Reqs -ItemType Directory
Invoke-WebRequest -OutFile $env:systemdrive\SCOM2016Reqs\ReportViewer.msi
Invoke-WebRequest -OutFile $env:systemdrive\SCOM2016Reqs\SQLSysClrTypes.msi
Start-Process "$env:systemdrive\SCOM2016Reqs\SQLSysClrTypes.msi" /qn -Wait
Start-Process "$env:systemdrive\SCOM2016Reqs\ReportViewer.msi" /quiet -Wait
Write-Host "The Report Viewer Controls and Runtime have been installed" -ForegroundColor DarkCyan
  • Creates required service accounts, SCOM administrator group in the specified OU and configures required permissions (local admin rights for the SCOM admin group)
Install-WindowsFeature RSAT-AD-PowerShell
New-AdUser SCOM-AccessAccount -SamAccountName scom.aa -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-DataWareHouse-Reader -SamAccountName scom.dwr -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-DataWareHouse-Write -SamAccountName scom.dww -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-Server-Action -SamAccountName -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdGroup -Name SCOM-Admins -GroupScope Global -GroupCategory Security -Path "OU=$ouname,$adcn"
Add-AdGroupMember SCOM-Admins scom.aa,scom.dwr,scom.dww,
Add-LocalGroupMember -Member $dname\SCOM-Admins -Group Administrators
#SQL Server service accounts (SQLSSRS is a service reporting services account)
New-AdUser SQLSVC -SamAccountName sqlsvc -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SQLSSRS -SamAccountName sqlssrs -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
Write-Host "The service Accounts and SCOM-Admins group have been added to OU=$ouname,$adcn" -ForegroundColor DarkCyan

  • Configures SQL Server by creating required Windows Firewall rules and adding SCOM-Admins group to the administrators on the server
$secpasswd = ConvertTo-SecureString $sqlpass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("$dname\$sqluser", $secpasswd)
$psrem = New-PSSession -ComputerName $sqlsrv -Credential $cred
Invoke-Command -Session $psrem -ScriptBlock{
Install-WindowsFeature RSAT-AD-Powershell
Set-NetFirewallRule -Name WMI-WINMGMT-In-TCP -Enabled True
New-NetFirewallRule -Name "SQL DB" -DisplayName "SQL Database" -Profile Domain -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server Admin Connection" -DisplayName "SQL Admin Connection" -Profile Domain -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Browser" -DisplayName "SQL Browser" -Profile Domain -Direction Inbound -LocalPort 1434 -Protocol UDP -Action Allow
New-NetFirewallRule -Name "SQL SRRS (HTTP)" -DisplayName "SQL SRRS (HTTP)" -Profile Domain -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL SRRS (SSL)" -DisplayName "SQL SRRS (SSL)" -Profile Domain -Direction Inbound -LocalPort 443 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Instance Custom Port" -DisplayName "SQL Instance Custom Port" -Profile Domain -Direction Inbound -LocalPort $sqlserverport -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server 445" -DisplayName "SQL Server 445" -Profile Domain -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server 135" -DisplayName "SQL Server 135" -Profile Domain -Direction Inbound -LocalPort 135 -Protocol TCP -Action Allow
Add-LocalGroupMember -Member $arg[0]\SCOM-Admins -Group Administrators} -ArgumentList $dname
Write-Host "The SQL Server $sqlsrv has been configured" -ForegroundColor DarkCyan
  • Installs Web Console prerequisites (ISS and so on)
Install-WindowsFeature NET-WCF-HTTP-Activation45,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors, `
Write-Host "The Web Console prerequisites have been installed" -ForegroundColor DarkCyan
  • Installs the SCOM Server (OMServer, OMConsole and OMWebConsole).
$arglist= @("/install /components:OMServer,OMConsole,OMWebConsole /ManagementGroupName:$mgmtgroup /SqlServerInstance:$sqlsrv\$sqlinstancename /SqlInstancePort:$sqlserverport",
"/DatabaseName:OperationsManager /DWSqlServerInstance:$sqlsrv\$sqlinstancename /DWDatabaseName:OperationsManagerDW /ActionAccountUser:$dname\",
"/ActionAccountPassword:$svcpass /DASAccountUser:$dname\scom.aa /DASAccountPassword:$svcpass /DataReaderUser:$dname\scom.dwr",
"/DataReaderPassword:$svcpass /DataWriterUser:$dname\scom.dww /DataWriterPassword:$svcpass /WebSiteName:""Default Web Site""",
'/WebConsoleAuthorizationMode:Mixed /EnableErrorReporting:Always /SendCEIPReports:1 /UseMicrosoftUpdate:1 /AcceptEndUserLicenseAgreement:1 /silent')
Start-Process -FilePath $env:systemdrive\SCOM2016\setup.exe -ArgumentList $arglist -Wait
Write-Host "The SCOM has been installed. Don't forget to license SCOM" -ForegroundColor DarkCyan
  • Once SCOM is installed, verify installation logs located at  <username>\AppData\Local\SCOM\LOGS\OpsMgrSetupWizard.txt .
    Additionally, don’t forget to set a valid SCOM 2016 product key by using the  Set-SCOMLicense –ProductId <key>


That’s it. Just run the script, provide values for SQL Server connection/credentials and etc and wait until the SCOM installation is complete.

I uploaded the script, so feel free to use it (please mention my blog once you shared the script or part of it. Let’s respect each other!)