Using a system assigned managed identity to connect to Azure AD

Christoph Dambacher 86

Hi,

I have a PowerShell script that runs on an AzureVM and uses the system assigned managed identity of the VM to connect to Azure using the cmdlet Add-AzAccount -identity to provision resources.
Is it also possible to call the Connect-AzureAD cmdlet using the system assigned managed identity?
Currently we have the following code but this brings up the AAD authentication form and prompts to select an account for sign-in.

Add-AzAccount -identity # | Out-Null
$currentAzureContext = Get-AzContext
$tenantId = $currentAzureContext.Tenant.Id
$accountId = $currentAzureContext.Account.Id
Connect-AzureAD -TenantId $tenantId -AccountId $accountId

Best regards and thanks

Christoph

William Overweg 11 Reputation points

2021-05-11T11:13:41.143+00:00

Try:

Connect-azaccount -identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Write-Output "Hi I'm $($context.Account.Id)"

Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
Александр Дудкин 1 Reputation point

2021-11-23T14:09:16.007+00:00

Thanks, this works fine with user MI as well.
To use it:
Connect-AzAccount -Identity -AccountId <ClientID>

Great stuff!
Stein, Sidnei 21 Reputation points

2021-12-04T15:16:48.29+00:00

Hello!
I`m trying to clean stale devices on Azure AD with Automation account.
I get the error Code? Authorization_RequestDenied when try to Get-AzureADDevice.
Does the Automation Account need an specific role?
William Overweg 11 Reputation points

2021-12-06T20:57:53.533+00:00

@Stein, Sidnei
You can use e.g. Global Reader or any other role that has the following permission on AAD:
microsoft.directory/devices/allProperties/read

Note that you are using the AAD powershell module, so using Graph App Permissions will not work in most cases. AAD Roles will work though.
Александр Дудкин 1 Reputation point

2021-12-07T17:02:17.81+00:00

Depending on with with permissions you are running Automation ps code - it needs API permissions for managed identity or user AzureAD role if you sign in with user account.
halbot 1 Reputation point

2022-10-04T10:24:24.663+00:00

This code is being copied around the place, but is missing the graph token so won't work with the Graph API. $graphToken was defined but never used.

Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

should be

Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id -MSAccessToken $graphToken

Accepted answer

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-06-03T12:11:00.98+00:00

@Christoph Dambacher , You wont be able to connect to AzureAD using the connect-AzureAD and System Managed Identity. The reason behind that being when you enable MSI be it System Managed Identity or User Managed Identity, in both cases, there is a Service Principal object that gets created, but the password for that Service Principal is never exposed as we find in a normal Service Principal. But to login to Azure AD, using Service Prinicipal we have to use the following cmdlet:
Connect-AzAccount -ServicePrincipal -Credential $psCredentials -Tenant $tenantId, which requires the credentials for that service principal which we dont have in case of MSI. Hence we cannot login to AzureAD PS module as using MSI.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Please sign in to rate this answer.

1 person found this answer helpful.
Christoph Dambacher 86 Reputation points

2020-06-04T05:56:04.417+00:00

Thanks very much.

So just to ensure, is this planned in the future that the logon with a MSI to Azure AD via PowerShell is possible?

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-06-04T07:59:14.623+00:00

@Christoph Dambacher , Not sure on this yet, if something is planned. But I would suggest you to drop a post here.

The product feedbacks or a feature requests are usually posted here and the Product Team closely monitors this space and acts upon accordingly.

Александр Дудкин 1 Reputation point

2021-11-23T14:08:33.68+00:00

I believe this is the wrong answer since you try to login with SP not MI
Sign in to comment

Using a system assigned managed identity to connect to Azure AD

0 additional answers