Connect-AzureAD with login credentials


Hey,

 

Is it possible to use with Connect-AzureAD the credentials of the logged-in user?

Without opening the window to fill in username and password.

 

Regards

Stefan

7 Replies

Not possible afaik. You should be able to skip some steps in federated scenarios or when using PTA. Or you can simply use the -Credentials parameter and pass the username/password - there are many examples available online how you can securely store/reuse creds.


Yes, it is possible to use the cmdlet Connect-AzureAD with stored credentials.

Note that this is only possible with accounts not protected with MFA.

My script which is available on TechNet Gallery utilises this - 

https://gallery.technet.microsoft.com/Office-365-and-Azure-e36eabeb

 

It connects to all Azure and Office 365 services, including:
- Exchange Online
- Azure AD v1.0
- Azure AD v2.0
- SharePoint Online
- Skype for Business Online
- Exchange Online Protection
- Security and Compliance Center
- Azure Resource Manager
- Azure Rights Manager

I believe what the OP meant was to automatically sign in with the current user credentials, not use any stored credentials. But I might be wrong :)


No, credentials are required in either the Connect-AzureAD command or via the login window. This is the intended behavior for security reasons.


Thank you for clarifying that the feature is unavailable. I have to point out however that your comment "This is intended behaviour for security reasons" is unlikely to be accurate. In an Azure AD environment, the user logged in to the Windows 10 device is signed in across a range of Microsoft applications and services. For example Outlook, SharePoint Online etc. Further, in an on-premises AD environment any commands run from a Powershell Window will execute as the currently signed in user (the behaviour that we would like to be able to replicate when using powershell to control Azure AD). Therefore, Microsoft have clearly accepted that the user does not need to re-authenticate once they have logged in to a device.

 

The problem with being unable to run Connect-AzureAD as the currently logged-on user is that an admin cannot run a login or scheduled PowerShell script that, for example, checks that the current user is a member of a group in Azure AD and then applies settings accordingly. If anyone has a workaround for this that does not include storing credentials in a PowerShell script I would be very interested.


Thank you for your answers.

I would like to run scheduled PowerShell scripts to do administrative tasks on Azure AD. But I don't want to write the credentials into the script.

 

Maybe I must look at Azure Functions in combination with Azure Key Vault.

 

Regards

Stefan


@Stefan Kießig Connect to AzureAD as current user:
$UPN = whoami /upn
Connect-AzureAD -AccountId $UPN

 

NB: This works for AzureAD Joined accounts without requiring a password in the script.
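The scheduled-script scenario raised earlier in the thread (check whether the current user is in an Azure AD group, then act on the result), built on the -AccountId sign-in hint from the reply above. This is an added example, not code from the thread or from the AzureAD module documentation; it assumes the AzureAD module is installed, that the device is Azure AD joined so the sign-in completes silently, and the group name "Contoso-Helpdesk-Admins" is a placeholder.

```powershell
# Added example (not from the thread): sign in to Azure AD as the interactive user on an
# Azure AD joined device via the -AccountId hint, so no password is stored in the script,
# then run the group-membership check discussed in the thread.
Import-Module AzureAD -ErrorAction Stop

$GroupName = 'Contoso-Helpdesk-Admins'   # assumed placeholder; replace with your group

# whoami /upn prints the UPN of the signed-in user on a domain or Azure AD joined device.
$Upn = (whoami /upn 2>$null | Out-String).Trim()
if (-not $Upn) { throw 'Could not determine the UPN of the current user.' }

# -AccountId is a sign-in hint. On an Azure AD joined device the token is obtained
# silently; anywhere else a prompt appears, so a non-interactive run fails here instead
# of silently falling back to some stored credential.
try {
    Connect-AzureAD -AccountId $Upn -ErrorAction Stop | Out-Null
} catch {
    throw "Silent sign-in as $Upn failed: $($_.Exception.Message)"
}

# Confirm the session really belongs to the expected account before acting on it.
$Session = Get-AzureADCurrentSessionInfo
if ($Session.Account.Id -ne $Upn) {
    Disconnect-AzureAD
    throw "Connected as $($Session.Account.Id), expected $Upn; aborting."
}

# Resolve the group once by display name (assumes the name contains no apostrophe).
$Group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
if (-not $Group) { Disconnect-AzureAD; throw "Group '$GroupName' not found." }

# Direct group memberships of the signed-in user, compared by object id.
$User = Get-AzureADUser -ObjectId $Upn
$IsMember = [bool](Get-AzureADUserMembership -ObjectId $User.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $Group.ObjectId })

if ($IsMember) {
    Write-Output "$Upn is a member of $GroupName; applying member settings."
    # apply the settings for members here
} else {
    Write-Output "$Upn is not a member of $GroupName; nothing to do."
}
Disconnect-AzureAD
```

The identity check against Get-AzureADCurrentSessionInfo matters because -AccountId is only a hint: if an interactive prompt did appear and a different account was used, the script refuses to continue rather than applying settings under the wrong identity.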