What's the difference between New-AzureRmResourceGroupDeployment and New-AzDiskEncryptionSets when creating the DiskEncryptionSet?

Jingjing Xiao 1 Reputation point Microsoft Employee
2022-08-31T10:45:06.58+00:00

I'm trying to create a DiskEncryptionSet resource in TDS and then fetch the managed identity with a PowerShell script.

There are two ways to achieve this. The first is using the New-AzDiskEncryptionSet and Get-AzServicePrincipal commands from the Az PowerShell library. But TDS installs the AzureRm PowerShell module by default, and even when the library is changed to the lowest version, a dependency conflict still exists. Hence, we have to choose AzureRm PowerShell, using New-AzureRmResourceGroupDeployment and Get-AzureRmServicePrincipal. Creating the DES resource is successful, but when I fetch the managed identity information with Get-AzureRmServicePrincipal, I get a 403 error (note: we have the Application.ReadWrite.OwnedBy permission for our application, and it's weird that we use our application's service principal to connect to Azure and create the resource, but our application is not the owner of the managed identity of the DES).

So, what's the difference between the two ways of creating the DES? Why can we fetch the managed identity info when creating the DES with New-AzDiskEncryptionSet but not with New-AzureRmResourceGroupDeployment? Is there a solution to create the DES resource with AzureRm PowerShell?


1 answer

  1. JimmySalian-2011 42,106 Reputation points
    2022-08-31T10:54:22.357+00:00

    Hi Jingjing,

    The New-AzResourceGroupDeployment cmdlet adds a deployment to an existing resource group. This includes the resources that the deployment requires. An Azure resource is a user-managed Azure entity, such as a database server, database, website, virtual machine, or Storage account.

    The New-AzDiskEncryptionSetConfig creates a configurable disk encryption set object.

    Can you check some examples of the scripts and their DES outputs over here:

    new-azdiskencryptionsetconfig

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
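
An added PowerShell example (not from the question or the answer) showing the Az-module path end to end: the DES's system-assigned identity is read from the object that New-AzDiskEncryptionSet returns rather than looked up in the directory, so the directory read that produced the 403 is not needed. Resource group, location, vault and key names are placeholder assumptions.

```powershell
# Added example (not from the question or answer): create a DiskEncryptionSet with
# the Az module and read its system-assigned identity from the returned object.
# Placeholder values below are assumptions; replace them with your own.
$rg        = 'rg-des-demo'
$location  = 'eastus'
$desName   = 'des-demo'
$vaultName = 'kv-des-demo'
$keyName   = 'des-key'

# Sign in as the application service principal the question describes, e.g.:
# Connect-AzAccount -ServicePrincipal -ApplicationId $appId -Tenant $tenant -CertificateThumbprint $thumb

# Resolve the Key Vault and the key version the DES will use to wrap disk keys.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$key   = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName

# Build the DES config with a system-assigned identity and create the resource.
$config = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $vault.ResourceId -KeyUrl $key.Id -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -DiskEncryptionSet $config

# The identity is carried on the DES object itself; no Entra directory read is
# needed, so this works even when Get-AzADServicePrincipal returns 403 for the caller.
$principalId = $des.Identity.PrincipalId
$tenantId    = $des.Identity.TenantId
Write-Output "DES identity: principalId=$principalId tenantId=$tenantId"

# Least privilege: the DES identity only needs get/wrapKey/unwrapKey on vault keys.
# -BypassObjectIdValidation avoids a directory lookup the caller may not be allowed to do.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
    -PermissionsToKeys get,wrapKey,unwrapKey -BypassObjectIdValidation

# Optional check (requires directory read permission on the caller):
# Get-AzADServicePrincipal -ObjectId $principalId
```

With a template deployment (New-AzureRmResourceGroupDeployment) the same value can be surfaced without a directory call by adding a template output of `reference(resourceId('Microsoft.Compute/diskEncryptionSets', 'des-demo'), '2020-12-01', 'Full').identity.principalId` and reading it from the deployment's Outputs.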

