Rotate secrets on Azure Local, version 23H2
Applies to: Azure Local, version 23H2
This article describes how you can change the password associated with the deployment user on Azure Local.
Change deployment user password
Use the PowerShell cmdlet Set-AzureStackLCMUserPassword
to rotate theAzureStackLCMUserCredential
domain administrator credential secrets. This cmdlet changes the password of the user that connects to the server hosts.
Note
When you run Set-AzureStackLCMUserPassword
, the cmdlet only updates what was previously changed in Active Directory.
PowerShell cmdlet and properties
The Set-AzureStackLCMUserPassword
cmdlet takes the following parameters:
Parameter | Description |
---|---|
Identity |
Username of the user whose password you want to change. |
OldPassword |
The current password of the user. |
NewPassword |
The new password for the user. |
UpdateAD |
Optional parameter used to set a new password in Active Directory. |
Run Set-AzureStackLCMUserPassword cmdlet
Set the parameters and then run the Set-AzureStackLCMUserPassword
cmdlet to change the password:
$old_pass = convertto-securestring "<Old password>" -asplaintext -force
$new_pass = convertto-securestring "<New password>" -asplaintext -force
Set-AzureStackLCMUserPassword -Identity mgmt -OldPassword $old_pass -NewPassword $new_pass -UpdateAD
Once the password is changed, the session ends. You then need to sign in with the updated password.
Here's a sample output when using Set-AzureStackLCMUserPassword
:
PS C:\Users\MGMT> $old_pass = convertto-securestring "Passwordl23!" -asplaintext -force
PS C:\Users\MGMT> $new_pass = convertto-securestring "Passwordl23!1" -asplaintext -force
PS C:\Users\MGMT> Set-AzureStackLCMUserPassword -Identity mgmt -OldPassword $old_pass -NewPassword $new_pass -UpdateAD
WARNING: !WARNING!
The current session will be unresponsive once this command completes. You will have to login again with updated credentials. Do you want to continue?
Updating password in AD.
WARNING: Please close this session and log in again.
PS C:\Users\MGMT>
Change deployment service principal
This section describes how you can change the service principal used for deployment.
Note
This scenario applies only when you upgraded Azure Local 2306 software to Azure Local, version 23H2.
Follow these steps in to change the deployment service principal:
Sign on to your Microsoft Entra ID.
Locate the service principal that you used when deploying the Azure Local instance. Create a new client secret for the service principal.
Make a note of the
appID
for the existing service principal and the new<client secret>
.Sign on to one of your Azure Local machines using the deployment user credentials.
Sign in to Azure. Run the following PowerShell command:
Connect-AzAccount
Set the subscription context. Run the following PowerShell command:
Set-AzContext -Subscription <Subscription ID>
Update the service principal name. Run the following PowerShell commands:
cd "C:\Program Files\WindowsPowerShell\Modules\Microsoft.AS.ArcIntegration" Import-Module Microsoft.AS.ArcIntegration.psm1 -Force $secretText=ConvertTo-SecureString -String <client secret> -AsPlainText -Force Update-ServicePrincipalName -AppId <appID> -SecureSecretText $secretText
Change ARB service principal secret
This section describes how you can change the service principal used for Azure resource bridge that you created during deployment.
To change the deployment service principal, follow these steps:
Sign in to your Microsoft Entra ID.
Locate the service principal for Azure resource bridge. The name of the service principal includes DefaultARBApplication.
Create a new client secret for the service principal.
Make a note of the
appID
for the existing service principal and the new<client secret>
.Sign in to one of your Azure Local machines using the deployment user credentials.
Run the following PowerShell command:
$SubscriptionId= "<Subscription ID>" $TenantId= "<Tenant ID>" $AppId = "<Application ID>" $secretText= "<Client secret>" $NewPassword = ConvertTo-SecureString -String $secretText -AsPlainText -Force Set-AzureStackRPSpCredential -SubscriptionID $SubscriptionId -TenantID $TenantId -AppId $AppId -NewPassword $NewPassword
Next steps
Complete the prerequisites and checklist and install Azure Local, version 23H2.