Microsoft Azure Virtual Machines: Reset Forgotten Admin Passwords with Windows PowerShell

UPDATES:

  • June 26, 2014 - Updated the PowerShell code in the article below for the latest Azure PowerShell module version.

Our IT Pro team has been traveling across the US delivering hands-on IT Camp events on Microsoft Azure and Hybrid Cloud scenarios. At these events, IT Pros frequently ask us about resetting passwords on Microsoft Azure virtual machines …

If we forget the Admin password for a provisioned Azure VM, is there an easy way to reset it?

Reset local Admin credentials in the Cloud!

Yes!  With the help of the latest Microsoft Azure PowerShell Module (version 0.7.4 and later), there’s an easy way to do just that!

In this article, we’ll step through the process of using the Microsoft Azure PowerShell Module to reset forgotten credentials for the built-in local Admin user account on Microsoft Azure virtual machines.

Resetting Admin Passwords on Microsoft Azure VMs

You can follow these steps to reset the existing built-in local Admin credentials on Microsoft Azure virtual machines using Windows PowerShell and the Microsoft Azure PowerShell Module.  Note that this process will also ensure that Remote Desktop is enabled within the Microsoft Azure VM.

  1. Activate a FREE Microsoft Azure Subscription (if you don’t yet have an active subscription).
     

  2. Provision a new Virtual Machine using one of the Windows Server platform images.
     
    You’ll need to ensure that you install the VM Agent as part of the VM provisioning process. The remaining steps in this article leverage an extension to this VM Agent that is used to reset the built-in local Admin credentials and ensure that Remote Desktop is enabled inside the VM. 
     
    When provisioning the VM, you can install the VM Agent by checking the Install VM Agent checkbox on the last page of the Create a Virtual Machine wizard in the Azure Management Portal. This checkbox is checked by default.
     
    Provisioning a VM on the Azure Management Portal with the VM Agent installed
     
    The VM Agent is also installed by default when provisioning a new Microsoft Azure virtual machine via Windows PowerShell using the New-AzureVM and New-AzureQuickVM cmdlets.
     
    Today, the VM Agent supports four extensions for customizing the configuration of the operating system and applications running inside a provisioned VM:
     
    - BGInfo - for inserting desktop background information with server name, address, etc.
     
    - VM Access - for enabling Remote Desktop and resetting built-in local Admin credentials.
     
    - Puppet Enterprise Agent - for connecting to a Puppet Master server to receive configuration.
     
    - Chef - for connecting to a Chef server to receive configuration.
     
    When your new virtual machine is reported to be in a Running state, please continue with the next step.
     

  3. Download the latest Microsoft Azure PowerShell Module
     
    You’ll need to have version 0.7.4 or later of this PowerShell Module installed to use the steps in this article.  If you previously installed the Microsoft Azure PowerShell Module, you can confirm the installed version of this module by using the following PowerShell cmdlet:
     
    Get-Module -ListAvailable -Name Azure

    You’ll want to install this module into a PowerShell 3.0 or PowerShell 4.0 environment.  Note that after installing this module, you may need to restart your PC for the remaining PowerShell snippets to work.
     

  4. Launch the Windows PowerShell ISE and run the following PowerShell cmdlets to connect to your Microsoft Azure account.

    Set-ExecutionPolicy RemoteSigned

    Import-Module Azure

    Add-AzureAccount
     

    When prompted to sign in, enter the username and password that you used when activating your Microsoft Azure subscription.
     

  5. In the Windows PowerShell ISE window, run the following PowerShell cmdlet to confirm the name of your Microsoft Azure subscriptions (if you have more than one subscription).

    Get-AzureSubscription | Format-Table -Property SubscriptionName
     
    You’ll be specifying the name of your selected subscription in the next step.
     

  6. In the Windows PowerShell ISE window, run the following PowerShell cmdlets to select your Microsoft Azure subscription (if you have more than one subscription).

    $subscription = "ENTER YOUR SUBSCRIPTION NAME HERE"

    Select-AzureSubscription -Default $subscription
     

  7. In the Windows PowerShell ISE window, run the following snippet to prompt for the credentials to which you’d like to reset the existing built-in local Admin user account inside the virtual machine.

    $adminCredentials = Get-Credential -Message "Enter new Admin credentials"

    If the existing built-in local Admin username is input, the snippet below will reset that account to use the specified password.  If a new username is input, the snippet below will also rename the existing built-in local Admin account to match the specified username.
     
    The password that is input when prompted above must meet password complexity requirements of at least 3 of the following: 1 UPPER case letter, 1 lower case letter, 1 number and/or 1 symbol.  Note that if the password does not meet complexity requirements, the snippet below will still succeed - the password complexity requirements are not checked until after the VM restarts and the VM Agent is leveraged to apply the new password.
     

  8. In the Windows PowerShell ISE window, run the snippet below to reset the built-in local Admin credentials for the selected Azure virtual machines.

    # List running VMs and prompt for the ones to reset
    (Get-AzureVM) |
        Where-Object -Property Status -EQ "ReadyRole" |
        Select-Object -Property Name, ServiceName |
        Out-GridView -Title "Select a VM …" -PassThru |
        ForEach-Object {
            $VM = Get-AzureVM -Name $_.Name -ServiceName $_.ServiceName
            # The VM Access extension requires the VM Agent
            If ($VM.VM.ProvisionGuestAgent) {
                Set-AzureVMAccessExtension -VM $VM `
                    -UserName $adminCredentials.UserName `
                    -Password $adminCredentials.GetNetworkCredential().Password `
                    -ReferenceName "VMAccessAgent" |
                    Update-AzureVM
                # Restart so the VM Agent applies the new credentials
                Restart-AzureVM -ServiceName $VM.ServiceName -Name $VM.Name
            } else {
                Write-Output "$($VM.Name): VM Agent Not Installed"
            }
        }

    Let’s look at each line from the snippet above in a bit more detail …

    First, Get-AzureVM is used to enumerate the existing VMs that are provisioned in the selected Microsoft Azure subscription. We can only reset the built-in local Admin credentials on Running VMs, so we pass this output to a Where-Object filter to return just the list of VMs that are currently in a ReadyRole state.

    We pipe this filtered list of running VMs to the Out-GridView cmdlet. This cmdlet prompts to select the VMs for which the built-in local Admin credentials should be reset.

    Finally, the selected VMs are piped into a ForEach-Object block that resets the built-in local Admin credentials for each selected VM using the Set-AzureVMAccessExtension cmdlet. This block also restarts each selected VM using the Restart-AzureVM cmdlet, so that this change is processed.
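
Step 7 notes that a password failing the complexity rule is still accepted by the reset snippet and is only rejected after the VM restarts. The pre-check below is an added example, not code from the original article or the Azure module: `Test-AdminPasswordComplexity` is a hypothetical helper name, the sample passwords and the `labadmin` username are constructed, and treating any non-alphanumeric character as a symbol is an assumption.

```powershell
# Added example (not from the original article).
# Test-AdminPasswordComplexity is a hypothetical helper, not an Azure cmdlet.
# It applies the rule stated in step 7: at least 3 of upper case, lower case,
# number, symbol. Assumption: any non-alphanumeric character counts as a symbol.
function Test-AdminPasswordComplexity {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential,

        [int] $RequiredCategories = 3
    )

    # Same plain-text accessor the reset snippet passes to -Password.
    $plain = $Credential.GetNetworkCredential().Password

    $categories = 0
    if ($plain -cmatch '[A-Z]')        { $categories++ }   # upper case letter
    if ($plain -cmatch '[a-z]')        { $categories++ }   # lower case letter
    if ($plain -cmatch '[0-9]')        { $categories++ }   # number
    if ($plain -cmatch '[^A-Za-z0-9]') { $categories++ }   # symbol

    return ($categories -ge $RequiredCategories)
}

# Constructed sample values, for illustration only.
foreach ($sample in 'Summer2014!', 'alllowercase', 'Abc12345') {
    $secure = ConvertTo-SecureString -String $sample -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ('labadmin', $secure)
    $ok     = Test-AdminPasswordComplexity -Credential $cred
    '{0,-14} meets rule: {1}' -f $sample, $ok
}
```

Run the function against `$adminCredentials` from step 7 before step 8, and prompt again if it returns `$false`.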

What are your cloud scenarios?

Are there particular cloud scenarios in which you have interest? Feel free to leave your comments and feedback below, and we’ll try to write up as many additional scenarios as possible in the coming weeks.

  Learn more about Microsoft Azure ...

See you in the Clouds!

- Keith