Question

ChristophDambacher-4896 asked · 0 Votes

Using a system assigned managed identity to connect to Azure AD

Hi,

I have a PowerShell script that runs on an Azure VM and uses the system-assigned managed identity of the VM to connect to Azure with the cmdlet Add-AzAccount -identity to provision resources.
Is it also possible to call the Connect-AzureAD cmdlet using the system-assigned managed identity?
Currently we have the following code, but this brings up the AAD authentication form and prompts to select an account for sign-in.

    # Sign in to Azure (ARM) with the VM's system-assigned managed identity
    Add-AzAccount -identity # | Out-Null
    $currentAzureContext = Get-AzContext
    $tenantId = $currentAzureContext.Tenant.Id
    $accountId = $currentAzureContext.Account.Id
    # This still prompts interactively instead of reusing the managed identity
    Connect-AzureAD -TenantId $tenantId -AccountId $accountId

Best regards and thanks

Christoph

Tags: azure-active-directory, azure-virtual-machines

1 Answer

soumi-MSFT answered · 1 Vote

@ChristophDambacher-4896, you won't be able to connect to Azure AD using Connect-AzureAD and a system-assigned managed identity. The reason behind that is that when you enable MSI, be it a system-assigned managed identity or a user-assigned managed identity, in both cases there is a Service Principal object that gets created, but the password for that Service Principal is never exposed as it is for a normal Service Principal. To log in to Azure AD using a Service Principal we have to use the following cmdlet:
Connect-AzAccount -ServicePrincipal -Credential $psCredentials -Tenant $tenantId, which requires the credentials for that service principal, which we don't have in the case of MSI. Hence we cannot log in to the AzureAD PS module using MSI.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

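To see the answer's point concretely, the following added example (not code from the original thread) requests a token for the VM's system-assigned managed identity from the Azure Instance Metadata Service endpoint, which is the same mechanism Add-AzAccount -identity relies on, and decodes the token's claims. It assumes it runs on an Azure VM with the identity enabled; the function names are my own.

```powershell
# Added example: fetch a managed identity token from IMDS and inspect its claims.
# The token identifies the service principal behind the managed identity (oid/appid);
# there is no client secret or certificate involved, which is why Connect-AzAccount
# -ServicePrincipal -Credential cannot be used with it.

function Get-ManagedIdentityToken {
    param(
        # Resource the token is scoped to; ARM is what Add-AzAccount -identity uses.
        [string]$Resource = 'https://management.azure.com/'
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=' + [uri]::EscapeDataString($Resource)
    # The Metadata header is mandatory; IMDS rejects requests that lack it.
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # The payload is the second base64url segment of the JWT.
    $payload = $Token.Split('.')[1]
    # Base64url to Base64: restore the standard alphabet and the padding.
    $payload = $payload.Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$token  = Get-ManagedIdentityToken
$claims = ConvertFrom-JwtPayload -Token $token

# oid and appid are the service principal created when the identity was enabled;
# tid is the tenant, aud is the resource the token was issued for.
[pscustomobject]@{
    TenantId         = $claims.tid
    ServicePrincipal = $claims.oid
    AppId            = $claims.appid
    Audience         = $claims.aud
    ExpiresUtc       = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}
```

The token is short-lived and bound to the resource named in the request; treat it as a secret in script output and logs.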

ChristophDambacher-4896 commented ·

Thanks very much.

So just to ensure, is this planned in the future that the logon with a MSI to Azure AD via PowerShell is possible?

0 Votes

soumi-MSFT replied to ChristophDambacher-4896 ·

@ChristophDambacher-4896, not sure on this yet, if something is planned. But I would suggest you drop a post here.

Product feedback or feature requests are usually posted here, and the Product Team closely monitors this space and acts upon it accordingly.

1 Vote