Connect-AzAccount with Managed Service Identity

I'm running PowerShell in the context of an Azure Web App that has a System Managed Service Identity configured. Currently, I can access the Key Vault by doing this:

# Request a Key Vault token from the App Service managed identity endpoint
$MsiHeader = @{'Secret' = $env:MSI_SECRET}
$VaultResource = "https://vault.azure.net"
$ApiVersion = "2017-09-01"
$VaultUri = "{0}?resource={1}&api-version={2}" -f $env:MSI_ENDPOINT, $VaultResource, $ApiVersion
$VaultAuth = Invoke-RestMethod -Uri $VaultUri -Headers $MsiHeader
# Use the returned access token as a bearer token against the vault's REST API
$VaultHeader = @{ Authorization = "Bearer $($VaultAuth.access_token)" }
$Secret = Invoke-RestMethod "https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0" -Headers $VaultHeader

This works just fine for accessing the vault, but is it possible to use the MSI to connect to Azure resources using the Az PowerShell module? If so, how can this be done? I can't quite seem to figure out how to do this properly. I've tried hacking at it like this:

# Pull host and port out of the MSI endpoint, e.g. http://127.0.0.1:41292/MSI/token/
$MsiHostName,$MsiPort = $env:MSI_ENDPOINT -replace 'http://' -replace '/MSI/token/' -split ':'
$null = Connect-AzAccount -ManagedServiceHostName $MsiHostName -ManagedServicePort $MsiPort -ManagedServiceSecret $env:MSI_SECRET

But this doesn't seem to work and I can't find any examples of this on the web. Any help with this is much appreciated!

1 Reply
You should be able to just do:
$null = Connect-AzAccount -Identity

Given that the Web App has been assigned a system-assigned managed identity, is part of the right RBAC role, and the identity is assigned in IAM to the resources you are interacting with.
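The reply's approach carried through end to end, as an added example that is not part of the original thread: it checks that the Web App actually exposes a managed identity endpoint, signs in with `Connect-AzAccount -Identity`, confirms which identity the session is running as, and reads the secret from the question through the Az.KeyVault cmdlet instead of a hand-built REST call. It assumes the Az.Accounts and Az.KeyVault modules are installed and that the identity has been granted read access to secrets on the vault; the vault and secret names are the placeholders from the question.

```powershell
# Added example (not from the original thread). Assumes Az.Accounts and
# Az.KeyVault are installed and the Web App's identity can read vault secrets.

# App Service exposes the token endpoint through environment variables. Older
# App Service versions use MSI_ENDPOINT/MSI_SECRET, current ones use
# IDENTITY_ENDPOINT/IDENTITY_HEADER; Connect-AzAccount -Identity handles both,
# but checking them first gives a clear error when the identity is not enabled.
$identityConfigured = ($env:MSI_ENDPOINT -and $env:MSI_SECRET) -or
                      ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER)
if (-not $identityConfigured) {
    throw 'No managed identity endpoint found; enable the system-assigned identity on the Web App.'
}

# -Identity makes Az.Accounts fetch tokens from the platform identity endpoint,
# so the app carries no credential of its own (no secret, certificate or login).
$null = Connect-AzAccount -Identity -ErrorAction Stop

# Confirm which identity and subscription the session is bound to before
# touching any resource; this is the first thing to check when access fails.
$ctx = Get-AzContext
Write-Verbose ("Connected as '{0}' in subscription '{1}'" -f $ctx.Account.Id, $ctx.Subscription.Id) -Verbose

try {
    # Read the secret via the Az cmdlet. -AsPlainText (Az.KeyVault 2.0+) returns
    # a string; omit it to keep a SecureString when the value is only passed on.
    $secret = Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'testsecret' -AsPlainText -ErrorAction Stop
}
catch {
    # A 403 here means the identity signed in but lacks a secrets-read grant
    # (access policy or an appropriate RBAC role) on the vault.
    throw "Signed in as '$($ctx.Account.Id)' but could not read the secret: $($_.Exception.Message)"
}
```

The `Get-AzContext` output is worth logging once per run: when the cmdlets return 403, it distinguishes "the identity is not assigned to the vault" from "the app is not running as the identity you think".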