These are the steps I took from this very long document.
First we need to create a Key Vault and then an AAD application, then connect the two by giving the application's service principal an access policy on the vault. Make a note of the output of $aadClientID; you will also need the $aadClientSecret you chose, since both are passed to the encryption extension in the next step. (The cmdlets below are from the AzureRm module, which has since been replaced by the Az module with renamed cmdlets such as Set-AzVMDiskEncryptionExtension; the flow is the same.)
$KeyVaultName="YourName-EastUS"
$ResourceGroupName="Default-EastUS"
$Location="East US"
#Create New KeyVault (the name must be globally unique)
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location
#Create New AAD Application and its service principal
$aadClientSecret = "YourLongSecret"
$azureAdApplication = New-AzureRmADApplication -DisplayName "Encryption-EastUS" -HomePage "https://IThinkAnythingCanGoHere" -IdentifierUris "https://IThinkAnythingCanGoHereURi" -Password $aadClientSecret
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
$aadClientID = $azureAdApplication.ApplicationId
#Print the ApplicationId so you can note it down
$aadClientID
#Grant the service principal access to the vault. 'all' is broader than the extension needs
#(it only has to write secrets and, with a key-encryption key, wrap with it).
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $ResourceGroupName
#Allow the Azure platform to read the volume secrets so the VM can boot
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
Once that is set up, you can encrypt a VM:
$KeyVaultName="YourName-EastUS"
$ResourceGroupName="Default-EastUS"
$Location="East US"
$vmName="VMNAME"
$aadClientSecret = "YourLongSecret"
$aadClientID = "YouMadeNoteOfThisAbove"
#Look up the vault to get its URL and resource ID, which the extension needs
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
#Install the disk encryption extension; it authenticates to the vault as the AAD application
#and stores the volume encryption secret there. The VM is restarted during this step.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
If you did not make a note of your $aadClientID, run:
The ApplicationId in the output is what you are looking for.
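The same procedure as an added example, not the post's own script: it generates the client secret instead of embedding one, grants the service principal only the vault permissions the encryption extension needs (set on secrets, wrapKey on keys) rather than all, adds an optional key-encryption key, looks the ApplicationId up by display name for the case where it was not noted, and checks the encryption status afterwards. The names, the "ADE-KEK" key and the assumption that this AzureRm version accepts -Password as a plain string (as in the post) are mine.

```powershell
# Added example (not the post's own script). Placeholder names; the Key Vault
# name must be globally unique.
$ResourceGroupName = "Default-EastUS"
$Location          = "East US"
$KeyVaultName      = "YourName-EastUS"
$AppDisplayName    = "Encryption-EastUS"
$vmName            = "VMNAME"

# 1. Generate the client secret instead of typing one into a script that may be
#    committed or shared. 32 random bytes, base64 encoded.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$aadClientSecret = [Convert]::ToBase64String($bytes)
# Assumption: -Password takes a plain string, as in the post's AzureRm version.
# Newer AzureRm.Resources builds expect a SecureString instead:
#   ConvertTo-SecureString $aadClientSecret -AsPlainText -Force

# 2. Vault, AAD application and service principal.
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location | Out-Null
$azureAdApplication = New-AzureRmADApplication -DisplayName $AppDisplayName `
    -HomePage "https://$AppDisplayName" -IdentifierUris "https://$AppDisplayName" `
    -Password $aadClientSecret
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId | Out-Null
$aadClientID = $azureAdApplication.ApplicationId
Write-Host "ApplicationId (note this down): $aadClientID"

# 3. Least-privilege access policy. The extension writes the volume passphrase
#    as a secret ('set') and, when a KEK is configured, wraps it ('wrapKey').
#    This replaces the post's '-PermissionsToKeys all -PermissionsToSecrets all'.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName `
    -ServicePrincipalName $aadClientID -PermissionsToKeys wrapKey -PermissionsToSecrets set
# The platform itself still needs to read the secret at boot.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName `
    -EnabledForDiskEncryption

# 4. Optional key-encryption key. The stored volume secret is wrapped with this
#    key, so disabling or rotating the key is what revokes access to the secret.
$kek = Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name "ADE-KEK" -Destination Software

# 5. Recovering a lost ApplicationId: look the application up by display name.
$app = Get-AzureRmADApplication -DisplayNameStartWith $AppDisplayName |
    Where-Object { $_.DisplayName -eq $AppDisplayName } | Select-Object -First 1
$aadClientID = $app.ApplicationId

# 6. Encrypt OS and data volumes. -Force skips the confirmation prompt; the VM
#    restarts as part of this step.
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType All -Force

# 7. Verify rather than assume: the status object reports each volume's state.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
```

If step 7 shows a volume as NotEncrypted, re-check the access policy from step 3 first: a service principal that cannot write the secret (or wrap it with the KEK) is the usual cause of the extension failing after the VM has already restarted.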
I forgot how I set this up, so I went back and made some notes, and now I hope this helps someone.
Thank you for posting this! Super helpful for learning in my Azure subscription.
Good afternoon, I'm trying to encrypt my VM disks in Linux and I cannot, because it gives me an error.
Do you know where I can get the $aadClientID and the $aadClientSecret? From the Azure portal or from PowerShell?
For the ARM portal, can I use the same script that you have on the website? I see that this post was uploaded in 2016, and I do not know if you have any update on this.
I await your response, and thanks for your help.
$aadClientID and $aadClientSecret are the Service Principal that has access to the Vault.