Home

Connect-AzureAD with login credentials

%3CLINGO-SUB%20id%3D%22lingo-sub-145012%22%20slang%3D%22en-US%22%3EConnect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145012%22%20slang%3D%22en-US%22%3E%3CP%3EHey%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eis%20it%20posible%20to%20use%20by%20%3CSPAN%3EConnect-AzureAD%3C%2FSPAN%3E%20the%20credentials%20from%20the%20Login%20user%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithout%20open%20the%20window%20to%20fill%20in%20username%20and%20Password.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EStefan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-145012%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-191867%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-191867%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20your%20answers.%3C%2FP%3E%3CP%3EI%20like%20to%20run%20scheduled%20Powershell%20scripts%20to%20do%20to%20administrative%20tasks%20on%20the%20azure%20AD.%20But%20I%20don%E2%80%99t%20want%20to%20write%20the%20credentials%20into%20the%20script.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybe%20I%20must%20look%20at%20azure%20function%20in%20combination%20with%20azure%20key%20valut.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3CP%3EStefan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-191432%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-191432%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20clarifying%20that%20the%20feature%20is%20unavailable.%20I%20have%20to%20point%20out%20however%20that%20your%20comment%20%22This%20is%20intended%20behaviour%20%3CEM%3Efor%20security%20reasons%3C%2FEM%3E%22%20is%20unlikely%20to%20be%20accurate.%20In%20an%20Azure%20AD%20environment%2C%20the%26nbsp%3Buser%20logged%20in%20to%20the%20Windows%2010%20device%20is%20signed%20in%20across%20a%20range%20of%20Microsoft%20applications%20and%20services.%20For%20example%20Outlook%2C%20SharePoint%20Online%20etc.%20Further%2C%20in%20an%20on-premises%20AD%20environment%20any%20commands%20run%20from%20a%20Powershell%20Window%20will%20execute%20as%20the%20currently%20signed%20in%20user%20(the%20behaviour%20that%20we%20would%20like%20to%20be%20able%20to%20replicate%20when%20using%20powershell%20to%20control%20Azure%20AD).%20Therefore%2C%20Microsoft%20have%20clearly%20accepted%20that%20the%20user%20does%20not%20need%20to%20re-authenticate%20once%20they%20have%20logged%20in%20to%20a%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20with%20being%20unable%20to%20run%20Connect-AzureAD%20as%20the%20current%20logged%20on%20user%20is%20that%20an%20admin%20cannot%20run%20a%20login%20or%20scheduled%20powershell%20script%20that%2C%20for%20example%2C%20checks%20that%20the%20current%20user%20is%20a%20member%20of%20a%20group%20in%20Azure%20AD%20and%20then%20apply%20settings%20accordingly.%20If%20anyone%20has%20a%20work%20around%20for%20this%20that%20does%20not%20include%20storing%20credentials%20in%20a%20Powershell%20script%20I%20would%20be%20very%20interested.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-190805%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-190805%22%20slang%3D%22en-US%22%3E%3CP%3ENo%2C%20credentials%20are%20required%20in%20either%20the%26nbsp%3B%3CSPAN%3EConnect-AzureAD%20command%20or%20via%20the%20login%20window.%20This%20is%20the%20intended%20behavior%20for%20security%20reasons.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-190798%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-190798%22%20slang%3D%22en-US%22%3E%3CP%3EI%20believe%20what%20the%20OP%20meant%20was%20to%20automatically%20sign%20in%20with%20the%20current%20user%20credentials%2C%20not%20use%20any%20stored%20credentials.%20But%20I%20might%20be%20wrong%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-190751%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-190751%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20it%20is%20possible%20to%20use%20the%20cmdlet%20Connect-AzureAD%20with%20stored%20credentials.%3C%2FP%3E%3CP%3ENote%20that%20this%20is%20only%20possible%20with%20accounts%20not%20protected%20with%20MFA.%3C%2FP%3E%3CP%3EMy%20script%20which%20is%20available%20on%20TechNet%20Gallery%20utilises%20this%20-%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgallery.technet.microsoft.com%2FOffice-365-and-Azure-e36eabeb%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgallery.technet.microsoft.com%2FOffice-365-and-Azure-e36eabeb%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20connects%20to%20all%20Azure%20and%20Office%20365%20services%2C%20including%20-%20Exchange%20Online%20-%20Azure%20AD%20v1.0%20-%20Azure%20AD%20v2.0%20-%20SharePoint%20Online%20-%20Skype%20for%20Business%20Online%20-%20Exchange%20Online%20Protection%20-%20Security%20and%20Compliance%20Center%20-%20Azure%20Resource%20Manager%20-%20Azure%20Rights%20Manager%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-145957%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145957%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20possible%20afaik.%20You%20should%20be%20able%20to%20skip%20some%20steps%20in%20federated%20scenarios%20or%20when%20using%20PTA.%20Or%20you%20can%20simply%20use%20the%20-Credentials%20parameter%20and%20pass%20the%20username%2Fpassword%20-%20there%20are%20many%20examples%20available%20online%20how%20you%20can%20securely%20store%2Freuse%20creds.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-901718%22%20slang%3D%22en-US%22%3ERe%3A%20Connect-AzureAD%20with%20login%20credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-901718%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F24406%22%20target%3D%22_blank%22%3E%40Stefan%20Kie%C3%9Fig%3C%2FA%3EConnect%20to%20AzureAD%20as%20current%20user%3A%3CBR%20%2F%3E%3CFONT%3E%24UPN%20%3D%20whoami%20%2Fupn%3CBR%20%2F%3EConnect-AzureAD%20-AccountId%20%24UPN%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3ENB%3A%20This%20works%20for%20AzureAD%20Joined%20accounts%20without%20requiring%20a%20password%20in%20the%20script.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hey,

 

is it posible to use by Connect-AzureAD the credentials from the Login user? 

Without open the window to fill in username and Password.

 

Regards

Stefan

7 Replies

Not possible afaik. You should be able to skip some steps in federated scenarios or when using PTA. Or you can simply use the -Credentials parameter and pass the username/password - there are many examples available online how you can securely store/reuse creds.

Yes, it is possible to use the cmdlet Connect-AzureAD with stored credentials.

Note that this is only possible with accounts not protected with MFA.

My script which is available on TechNet Gallery utilises this - 

https://gallery.technet.microsoft.com/Office-365-and-Azure-e36eabeb

 

It connects to all Azure and Office 365 services, including - Exchange Online - Azure AD v1.0 - Azure AD v2.0 - SharePoint Online - Skype for Business Online - Exchange Online Protection - Security and Compliance Center - Azure Resource Manager - Azure Rights Manager

I believe what the OP meant was to automatically sign in with the current user credentials, not use any stored credentials. But I might be wrong :)

No, credentials are required in either the Connect-AzureAD command or via the login window. This is the intended behavior for security reasons.

Thank you for clarifying that the feature is unavailable. I have to point out however that your comment "This is intended behaviour for security reasons" is unlikely to be accurate. In an Azure AD environment, the user logged in to the Windows 10 device is signed in across a range of Microsoft applications and services. For example Outlook, SharePoint Online etc. Further, in an on-premises AD environment any commands run from a Powershell Window will execute as the currently signed in user (the behaviour that we would like to be able to replicate when using powershell to control Azure AD). Therefore, Microsoft have clearly accepted that the user does not need to re-authenticate once they have logged in to a device.

 

The problem with being unable to run Connect-AzureAD as the current logged on user is that an admin cannot run a login or scheduled powershell script that, for example, checks that the current user is a member of a group in Azure AD and then apply settings accordingly. If anyone has a work around for this that does not include storing credentials in a Powershell script I would be very interested.

Thank you for your answers.

I like to run scheduled Powershell scripts to do to administrative tasks on the azure AD. But I don’t want to write the credentials into the script.

 

Maybe I must look at azure function in combination with azure key valut.

 

Regards

Stefan

@Stefan KießigConnect to AzureAD as current user:
$UPN = whoami /upn
Connect-AzureAD -AccountId $UPN

 

NB: This works for AzureAD Joined accounts without requiring a password in the script.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies