0 Votes
ChristophDambacher-4896 asked 30529263 commented

Using a system assigned managed identity to connect to Azure AD

Hi,

I have a PowerShell script that runs on an Azure VM and uses the system-assigned managed identity of the VM to connect to Azure using the cmdlet Add-AzAccount -Identity to provision resources.
Is it also possible to call the Connect-AzureAD cmdlet using the system-assigned managed identity?
Currently we have the following code, but this brings up the AAD authentication form and prompts to select an account for sign-in.

# Sign in to Azure with the VM's managed identity (no prompt)
Add-AzAccount -Identity # | Out-Null
$currentAzureContext = Get-AzContext
$tenantId = $currentAzureContext.Tenant.Id
$accountId = $currentAzureContext.Account.Id
# This call still opens the interactive AAD sign-in form
Connect-AzureAD -TenantId $tenantId -AccountId $accountId

Best regards and thanks

Christoph

Tags: azure-active-directory, azure-virtual-machines

Try:

# Sign in with the managed identity, then pull the context the Az session created
Connect-AzAccount -Identity
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Ask the Az authentication factory for tokens without showing any dialog:
# one for Microsoft Graph, one for Azure AD Graph (the audience the AzureAD module uses)
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Write-Output "Hi I'm $($context.Account.Id)"

# Hand the Azure AD Graph token to the AzureAD module instead of letting it sign in itself
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id

2 Votes 2 ·
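A variant of the approach above, added here as an example and not taken from the thread: instead of going through the Az session's authentication factory, the script asks the VM's Instance Metadata Service (IMDS) for an Azure AD Graph token for the managed identity and passes that to Connect-AzureAD. It assumes it runs on an Azure VM with a system-assigned identity enabled and the AzureAD module installed; the Get-ManagedIdentityToken and Get-JwtClaims helper names are mine.

```powershell
# Added example, not code from the thread. Assumes it runs on an Azure VM whose
# system-assigned managed identity is enabled and that the AzureAD module is installed.
# The token comes from the Instance Metadata Service (IMDS), which only answers from
# inside the VM, so no credential is ever stored in the script.

function Get-ManagedIdentityToken {
    param(
        # Audience of the token. The AzureAD module talks to Azure AD Graph.
        [string]$Resource = 'https://graph.windows.net',
        # Client ID of a user-assigned identity; leave empty for the system-assigned one.
        [string]$ClientId
    )
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
           '&resource=' + [uri]::EscapeDataString($Resource)
    if ($ClientId) { $uri += "&client_id=$ClientId" }

    # The Metadata header is mandatory; IMDS rejects requests without it.
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' } -ErrorAction Stop
    if (-not $response.access_token) { throw "IMDS returned no token for '$Resource'." }
    return $response
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    # Decode the JWT payload (second, base64url-encoded segment) to read the tid/appid claims.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$tokenResponse = Get-ManagedIdentityToken
$claims = Get-JwtClaims -Token $tokenResponse.access_token

# Tenant and app ID are read from the token itself, so nothing is hard-coded.
# -AccountId only labels the session for a token-based sign-in (assumption).
Connect-AzureAD -AadAccessToken $tokenResponse.access_token `
                -TenantId $claims.tid `
                -AccountId $claims.appid | Out-Null

# Least privilege: directory reads still need an Azure AD directory role (e.g. Global Reader)
# assigned to the identity's service principal; Graph application permissions do not apply here.
Get-AzureADDevice -Top 5

# The module cannot refresh a token it was handed; re-acquire before expires_on on long runs.
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$tokenResponse.expires_on)
Write-Output "Token for $($claims.appid) in tenant $($claims.tid) expires at $expires"
```

Passing -ClientId to Get-ManagedIdentityToken selects a user-assigned identity, matching the comment below about user MIs.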
30529263 WilliamOverweg-1447 ·

Thanks, this works fine with a user-assigned MI as well.
To use it:
Connect-AzAccount -Identity -AccountId <ClientID>

Great stuff!

0 Votes 0 ·

Hello!
I'm trying to clean up stale devices in Azure AD with an Automation account.
I get the error code Authorization_RequestDenied when I try to run Get-AzureADDevice.
Does the Automation account need a specific role?

0 Votes 0 ·

@SteinSidnei-1156
You can use e.g. Global Reader or any other role that has the following permission in AAD:
microsoft.directory/devices/allProperties/read

Note that you are using the AAD PowerShell module, so using Graph app permissions will not work in most cases. AAD roles will work, though.

0 Votes 0 ·

Depending on which permissions you run the Automation PS code with: it needs API permissions for a managed identity, or the user's Azure AD role if you sign in with a user account.

0 Votes 0 ·

1 Answer

1 Vote
soumi-MSFT answered 30529263 commented

@ChristophDambacher-4896, you won't be able to connect to Azure AD using Connect-AzureAD and a system-assigned managed identity. The reason is that when you enable MSI, be it a system-assigned or a user-assigned identity, in both cases a service principal object gets created, but the password for that service principal is never exposed, as it is for a normal service principal. To log in to Azure AD using a service principal we have to use the following cmdlet:
Connect-AzAccount -ServicePrincipal -Credential $psCredentials -Tenant $tenantId, which requires the credentials for that service principal, which we don't have in the case of MSI. Hence we cannot log in to the Azure AD PS module using MSI.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as the answer if the above response helped in answering your query.

Thanks very much.

So just to make sure: is it planned for the future that logging on to Azure AD via PowerShell with an MSI will be possible?

0 Votes 0 ·
soumi-MSFT ChristophDambacher-4896 ·

@ChristophDambacher-4896, not sure on this yet, whether something is planned. But I would suggest you drop a post here.

Product feedback and feature requests are usually posted there, and the Product Team closely monitors that space and acts accordingly.

1 Vote 1 ·

I believe this is the wrong answer, since you try to log in with an SP, not an MI.

0 Votes 0 ·