Modified script for new AZ module

[Daya-Patil]

Modified script for new AZ module

[punit-bhatt]

Please revert this line change. We don't want to make an extra call during the UI as it increases the load time.
Also, some VMs won't show up. These are the single pass encrypted VMs which are not supported by this script as of today.
So, only 2-pass encrypted VMs should be shown.
And even if you want to see both 1 pass and 2 pass encrypted VMs, I would suggest the following

if (($Item.Extensions -ne $null) -and ($Item.Extensions.Id | % {$_.split('/')[-1].tolower().contains('azurediskencryption')}) -contains $true)

[punit-bhatt]

Am unable to run this script on a fresh powershell window due to the following error

The script 'Copy-Keys-Az.ps1' cannot be run because the following modules that are specified by
the "#requires" statements of the script are missing: Az.

This is most likely due to the #requires statement. By default, such statements run before the script execution and so will run before the Import-Module Az statement.
As per the Microsoft docs

Placing a #Requires statement inside a function does NOT limit its scope. All #Requires statements are always applied globally, and must be met, before the script can execute

This error goes away on explicitly importing the module.

[punit-bhatt]

Just a suggestion as we were planning on adding this change here.
Could you add another check here to prevent Login calls when unnecessary.

$Context = Get-AzContext

if($Context -eq $null)
{
    $SuppressOutput = Login-AzAccount -ErrorAction Stop
}

`

[punit-bhatt]

Could you make this change as well.

[Daya-Patil]

Could you please brief which change

[punit-bhatt]

As per the code, the user is asked to login again and again on subsequent script runs which is not required as the context is still retained.
So, instead of the following code line, which helps login,
$SuppressOutput = connect-AzAccount -ErrorAction Stop
we can check for the context and run the login command only when necessary. This can be done as shown below

$Context = Get-AzContext

if($Context -eq $null)
{
    $SuppressOutput = Login-AzAccount -ErrorAction Stop
}

So, please do the needful.

[punit-bhatt]

Again if the Login changes are made, you could add another check here to prevent a call.

if($Context -eq $null)
{
    $Context = Get-AzContext
}

[punit-bhatt]

The Get-Authentication method is failing with the new AzureAD modules. This is because there is no AcquireToken() method available anymore (Line 543).
You need to replace it with the following method, keeping everything else the same.

### <summary>
### Gets the authentication result to key vaults.
### </summary>
function Get-Authentication
{
    # Vault resources endpoint
    $ArmResource = "https://vault.azure.net"
    # Well known client ID for AzurePowerShell used to authenticate scripts to Azure AD.
    $ClientId = "1950a258-227b-4e31-a9cf-717495945fc2"
    $RedirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $AuthorityUri = "https://login.windows.net/$TenantId"
    $AuthContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
        -ArgumentList $AuthorityUri
    $PlatformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" `
        -ArgumentList "Auto", $null
    $AuthResult = $AuthContext.AcquireTokenAsync($ArmResource, $ClientId, $RedirectUri, $PlatformParameters)

    return $AuthResult.Result
}

This uses the method AcquireTokenAsync() which requires an additional parameter - PlatformParameters object.
This has been tested with AzureAD modules - 2.0.1.16 and 2.0.2.16

[punit-bhatt]

I have tested the script for various scenarios and it needed slight modifications to work successfully.
Please update the Get-Authentication method as shown here.
Also, we would like to retain the original script. Since I have gone through the changes, could you add the above change and add this script as a new file, preferably CopyKeys-Az.ps1?