All product names, logos, and brands used in this post are property of their respective owners.
As of late, I’ve been spending time in Azure Automation intending to reclaim parts of my day from recurring (sometimes mundane) tasks. The allure for me is PowerShell RunBooks. Since I am a “PowerSheller” already, the learning curve is minimal.
In this post, I will describe the process and best practices for importing and using the Duo-PSModule PowerShell module in Azure Automation. Matt Egan created the Duo PS module. It is a robust Power Shell wrapper for the Duo Admin API. I am a big fan of this module and have used it previously - see this post.
Importing the Duo-PSModule
Adding the Duo PowerShell module to an Azure Automation account is not as easy as downloading the zipped version from GitHub and uploading it into Azure Automation.
The error message resulting from doing so is:
Error importing the module Duo-PSModule-master. Import failed with the following error: Orchestrator.Shared.AsyncModuleImport.ModuleImportException: Cannot import the module of name Duo-PSModule-master, as the module structure was invalid.
This is an easy fix - the module files (Duo.psm1 and Duo.psd1) must be at the root of the zip file, and the name of the zip file must match the name of the module. I created a new zip file called Duo.zip and added the module files from the GitHub zip archive to the root accordingly:
In the case of the Duo-PSModule, that is not enough. The module (specifically Duo.psd1) has several references to the “Duo_org.ps1” file, which by design, does not exist in the GitHub repository (or downloaded zip file). As a result, importing the correctly structured zip file into an Azure Automation account will fail as follows:
Error importing the module Duo. Import failed with the following error: Orchestrator.Shared.AsyncModuleImport.ModuleImportException: While importing the module, an error occurred while processing the module content. Internal error message: The member 'ScriptsToProcess' in the module manifest is not valid: Cannot find path 'C:\Users\Client\Temp\XXXXXXXXXX\Duo\Duo_org.ps1' because it does not exist.. Verify that a valid value is specified for this field in the 'C:\Users\Client\Temp\XXXXXXXXXX\Duo\Duo.psd1' file.
Luckily, this is another easy fix. For me, the path of least resistance was adding a blank Duo_org.ps1 file to my Duo.zip archive. With the Duo-PSModule installed locally, Duo_org.ps1 provides authentication parameters (Duo integration key, secret key, API hostname, etc.). In Azure Automation, there is a better way (more on that later). The final contents of Duo.zip should reflect the following:
At this point, the module can be successfully added (imported) into an Azure Automation account:
Another option (instead of adding a blank Duo_org.ps1 file)
If you prefer not to include a blank Duo_org.ps1, you can also update the source code of Duo.psd1, removing references to Duo_org.ps1 here, here, and here.
Creating the Duo Admin API application and granting permissions
For the Duo-PSModule to connect and interact with a Duo implementation, the Duo Admin API must be exposed by creating a new Application of type “Admin API” in the Duo Console. Select Applications -> Protect an Application -> Type “Admin API” and click Protect. Take note of the Integration key, Secret key, and API hostname - these are needed later to configure the Duo-PSModule in Azure Automation.
Before saving the application, check the boxes for Grant read resource and Grant write resource (or whatever permissions your use case requires):
Duo authentication settings for Duo-PSModule in Azure Automation
As noted, Duo_org.ps1 usually holds the Duo Admin API connection and authentication information (created above). See Installation, specifically …Create a file called Duo_org.ps1…
In Azure Automation, I opted to use encrypted variables instead and simply constructed the required $DuoOrgs hashtable inline in my Runbook(s) that use the Duo-PSModule and Duo API. More specifically, I created 4 encrypted Automation Variables in my Automation Account as follows:
Once done, I used the following code in my RunBook to handle authentication for the Duo-PSModule:
Using Duo-PSModule in Azure Automation
After importing and setting up authentication for the Duo PowerShell module, using it in a RunBook is easy (crude example to synchronize all Duo users from a linked directory):
I must first reiterate my gratitude and respect for Matt Egan and the Duo-PSModule. This module (coupled with Azure Automation) creates numerous opportunities for automating Duo processes, including but not limited to:
- Scheduled Duo report generation and distribution (users, devices, authentications, etc.)
- Automatic Duo enrollment reminder notifications
- Scheduling more frequent (i.e. hourly vs. daily) Duo directory sync cycles
- Nearly code-less Duo device management processes with M365 Forms and/or Power Automate front ends
I hope this helps another Duo administrator free up part of their day as well!