Connect-AzureAD

Connects with an authenticated account to use for Azure Active Directory cmdlet requests.

Syntax

Connect-AzureAD -AadAccessToken <String> -AccountId <String> [-AzureEnvironmentName <EnvironmentName>]
 [-InformationAction <ActionPreference>] [-InformationVariable <String>] [-LogLevel <LogLevel>]
 [-MsAccessToken <String>] [-TenantId <String>] [-Confirm] [-WhatIf] [<CommonParameters>]
Connect-AzureAD -ApplicationId <String> [-AzureEnvironmentName <EnvironmentName>]
 -CertificateThumbprint <String> [-InformationAction <ActionPreference>] [-InformationVariable <String>]
 [-LogLevel <LogLevel>] -TenantId <String> [-Confirm] [-WhatIf] [<CommonParameters>]
Connect-AzureAD [-AzureEnvironmentName <EnvironmentName>] [-Credential <PSCredential>]
 [-InformationAction <ActionPreference>] [-InformationVariable <String>] [-LogLevel <LogLevel>]
 [-TenantId <String>] [-Confirm] [-WhatIf] [<CommonParameters>]

Description

The Connect-AzureAD cmdlet connects an authenticated account to use for Azure Active Directory cmdlet requests.

You can use this authenticated account only with Azure Active Directory cmdlets.

Examples

Example 1: Connect a PowerShell session to a tenant

PS C:\> Connect-AzureAD -Confirm

This command connects the current PowerShell session to an Azure Active Directory tenant. The command prompts you for a username and password for the tenant you want to connect to. The Confirm parameter prompts you for confirmation.

If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication.

Example 2: Connect a session using a variable

PS C:\> $Credential = Get-Credential
PS C:\> Connect-AzureAD -Credential $Credential

The first command gets the user credentials, and then stores them in the $Credential variable.

The second command connects the current PowerShell session using the credentials in $Credential.

This account authenticates with Azure Active Directory using organizational ID (work or school account) credentials. The Credential parameter performs a non-interactive username/password sign-in, so you cannot use accounts that require multi-factor authentication, or Microsoft account credentials, to run Azure Active Directory cmdlets with this account.
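The following is an added example, not part of the original page, showing the AadAccessToken parameter set from the syntax above. It reuses an access token from an existing Az PowerShell session (which can complete multi-factor authentication interactively) instead of passing a password to Credential. It assumes the Az.Accounts module is installed and Connect-AzAccount has already succeeded; the function name Connect-AzureADWithAzToken is illustrative. Get-AzAccessToken returns the token as a plain string in older Az.Accounts releases and as a SecureString in newer ones, so both are handled. In tenants where the Azure AD Graph endpoint (graph.windows.net) has been retired, token acquisition for that resource may be refused.

```powershell
# Added example: bind an AzureAD session to a token from an existing Az PowerShell login.
# Not code from the original page; the function name is illustrative.
function Connect-AzureADWithAzToken {
    [CmdletBinding()]
    param(
        # Defaults to the tenant the Az token was issued for.
        [string] $TenantId
    )

    # Unwrap a SecureString token (newer Az.Accounts) or pass a string token through unchanged.
    function ConvertTo-PlainToken($token) {
        if ($token -is [securestring]) {
            return [System.Net.NetworkCredential]::new('', $token).Password
        }
        return $token
    }

    # The AzureAD module's cmdlets call the Azure AD Graph endpoint, so the token audience
    # must be https://graph.windows.net. A Microsoft Graph token is optional (-MsAccessToken).
    $aadGraph = Get-AzAccessToken -ResourceUrl 'https://graph.windows.net'
    if (-not $aadGraph -or -not $aadGraph.Token) {
        throw 'No Azure AD Graph token available; run Connect-AzAccount first.'
    }
    $msGraph = Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com'

    # These tokens are bearer credentials valid for roughly an hour: never log them and do not
    # persist them to disk. AccountId must be the UPN the user token was issued to.
    $params = @{
        AadAccessToken = ConvertTo-PlainToken $aadGraph.Token
        MsAccessToken  = ConvertTo-PlainToken $msGraph.Token
        AccountId      = $aadGraph.UserId
        TenantId       = if ($TenantId) { $TenantId } else { $aadGraph.TenantId }
    }
    Connect-AzureAD @params | Out-Null

    # Confirm the session is bound to the expected account and tenant before doing any work.
    Get-AzureADCurrentSessionInfo | Format-List
}

Connect-AzureADWithAzToken
```

Because the session is only as long-lived as the token that created it, long-running scripts should expect AzureAD cmdlets to start failing after the token expires and should re-run the function rather than caching the token.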

Example 3: Connect a session as a service principal

# Login to Azure AD PowerShell with an account that can create applications and assign directory roles
Connect-AzureAD

# Create the self-signed certificate. The application key credential registered below is valid
# for one year; the certificate itself is issued for two years so the credential can be rotated
# before the certificate expires. Export-PfxCertificate needs a non-empty password, and
# ConvertTo-SecureString rejects an empty string, so the password is read as a SecureString.
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = Read-Host -Prompt "PFX export password" -AsSecureString
# -KeyExportPolicy Exportable is only needed because the PFX is exported below; use NonExportable
# if the private key never has to leave this machine's certificate store.
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
Export-PfxCertificate -Cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

# Load the certificate and take only the public (DER-encoded) certificate bytes;
# the private key stays in the local store and is never sent to Azure AD
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Create the Azure Active Directory Application and register the public key as a credential
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId

# Give the Service Principal Directory Readers access to the current tenant. Directory role
# ObjectIds differ from tenant to tenant, so look the role up by name instead of hardcoding one.
# Get-AzureADDirectoryRole lists only roles already activated in the tenant; activate from the
# role template if needed.
$roleName = "Directory Readers"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# Get Tenant Detail
$tenant = Get-AzureADTenantDetail
# Now you can login to Azure AD PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb

These commands create a certificate-based credential for a new application, assign its service principal a directory role, and then authenticate the current session to Azure Active Directory as that service principal. Connect-AzureAD signs the authentication request with the private key found in the local certificate store under the given thumbprint, so the certificate must be present there on every machine that runs the script.
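The following is an added example, not part of the original page, that connects as the service principal set up in Example 3 and checks the pieces a practitioner usually gets bitten by: that the private key is really in the store, that the session landed in the intended tenant, and whether the key credential registered on the application (one year in Example 3) expires before the certificate itself (two years). It assumes $thumb, $sp and $tenant from Example 3 are still in scope; the function name Test-AzureADServicePrincipalLogin and the RemoveExpired switch are illustrative.

```powershell
# Added example: verify a certificate-based service principal login and its credential lifetimes.
# Not code from the original page; the function name and RemoveExpired switch are illustrative.
function Test-AzureADServicePrincipalLogin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Warn when a credential has fewer than this many days left.
        [int] $WarnDays = 30,
        # Remove key credentials that have already expired (rotation cleanup).
        [switch] $RemoveExpired
    )

    # Connect-AzureAD signs the client assertion with the private key stored under this
    # thumbprint; a certificate without its private key fails at sign-in time.
    $cert = Get-Item "cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint is in the store but has no private key"
    }

    Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $Thumbprint | Out-Null

    # Confirm the session is bound to the intended tenant and identity before running anything else.
    Get-AzureADCurrentSessionInfo | Format-List

    # Compare the certificate's own validity with what is registered on the application.
    $app  = Get-AzureADApplication -Filter "appId eq '$ApplicationId'"
    $keys = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
    $now  = Get-Date
    foreach ($k in $keys) {
        $daysLeft = [int]($k.EndDate - $now).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -lt $WarnDays) { 'expiring' }
                 else { 'ok' }
        Write-Host ('KeyId {0} ends {1:u} ({2} days): {3}' -f $k.KeyId, $k.EndDate, $daysLeft, $state)
        if ($RemoveExpired -and $daysLeft -lt 0) {
            # Dropping an expired key cannot break a working login, but a still-valid key never
            # gets removed here: rotate by registering the new key first, then clean up.
            Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $k.KeyId
            Write-Host "Removed expired key credential $($k.KeyId)"
        }
    }
    $certDaysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($certDaysLeft -lt $WarnDays) {
        Write-Warning "Certificate $Thumbprint expires in $certDaysLeft days"
    } else {
        Write-Host "Certificate $Thumbprint expires in $certDaysLeft days"
    }

    Disconnect-AzureAD
}

Test-AzureADServicePrincipalLogin -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -Thumbprint $thumb
```

Run this from the scheduled job or pipeline host that will use the service principal, not only from the administrator's workstation: the thumbprint lookup is local, so a missing or key-less certificate on the real host is the failure this check is meant to surface early.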

Parameters

-AadAccessToken

Specifies an Azure Active Directory Graph access token.

Type:String
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AccountId

Specifies the ID of an account. You must specify the UPN of the user when authenticating with a user access token.

Type:String
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ApplicationId

Specifies the application ID of the service principal.

Type:String
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-AzureEnvironmentName

Specifies the name of the Azure environment. The acceptable values for this parameter are:

- AzureCloud
- AzureChinaCloud
- AzureUSGovernment
- AzureGermanyCloud

The default value is AzureCloud.

Type:EnvironmentName
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CertificateThumbprint

Specifies the thumbprint of an X.509 certificate whose public key is registered as a key credential on the application (service principal) that is authenticating. The certificate, together with its private key, must be present in the local certificate store of the machine running the cmdlet; the private key is used to sign the authentication request and is never sent to Azure Active Directory.

Type:String
Required:True
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Credential

Specifies a PSCredential object. For more information about the PSCredential object, type Get-Help Get-Credential.

The PSCredential object provides the user ID and password for organizational ID credentials.

Type:PSCredential
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-InformationAction

Specifies how this cmdlet responds to an information event. The acceptable values for this parameter are:

- Continue
- Ignore
- Inquire
- SilentlyContinue
- Stop
- Suspend

Type:ActionPreference
Aliases:infa
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-InformationVariable

Specifies a variable in which to store an information event message.

Type:String
Aliases:iv
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-LogLevel

Specifies the log level. The acceptable values for this parameter are:

- Info
- Error
- Warning
- None

The default value is Info.

Type:LogLevel
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-MsAccessToken

Specifies a Microsoft Graph access token.

Type:String
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-TenantId

Specifies the ID of a tenant.

If you do not specify this parameter, the account is authenticated with the home tenant.

You must specify the TenantId parameter to authenticate as a service principal or when using a Microsoft account.

Type:String
Aliases:Domain
Required:False
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Required:False
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Required:False
Position:Named
Default value:False
Accept pipeline input:False
Accept wildcard characters:False