Script Authentication


I have numerous scripts/bits of code I'd like to run against AzureAD. How can I authenticate from a script? Obviously if using the PowerShell cmdlets I can supply a username/password, but then that user needs to be excluded from MFA, risky sign-ins etc. Is this the general recommended approach, or can I use certs or the like, or an app registration? What pattern should I be using?

1 Reply
Hi

You should indeed look into utilizing app registrations.
For app registrations you have two ways:
- Application access
- Delegated access

Delegated access is when a user signs into the application; application access is where the script runs in the background (daemon task).

Application authentication can be done through a certificate or a client secret as you mentioned.

I recommend looking into this blog series; it's a really detailed one:
https://developer.microsoft.com/en-us/graph/blogs/30daysmsgraph-day-9-azure-ad-applications-on-v2-endpoint/
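The application-access pattern the reply describes (app registration plus certificate, no user account and so no MFA exclusion), as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK; the tenant ID, app ID and certificate thumbprint are placeholders.

```powershell
# Added example (not from the original thread): unattended, app-only
# authentication for a script using an app registration and a certificate.
# The three values below are placeholders; substitute your own.
$TenantId   = '00000000-0000-0000-0000-000000000000'    # placeholder tenant ID
$ClientId   = '11111111-1111-1111-1111-111111111111'    # placeholder app (client) ID
$Thumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'  # placeholder cert thumbprint

# One-time setup (run once, not in the scheduled script):
#   $c = New-SelfSignedCertificate -Subject 'CN=ScriptAuthDemo' `
#          -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable
#   Export-Certificate -Cert $c -FilePath .\ScriptAuthDemo.cer
# then upload the .cer (public key only) under the app registration's
# "Certificates & secrets" and grant it least-privilege application permissions.

# The private key stays in the certificate store; nothing secret is in this file.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

# Client-credentials sign-in as the application itself (no interactive user).
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -Certificate $cert -NoWelcome

# Sanity check: refuse to continue if we somehow ended up in a delegated
# (user) context, since the permissions model would then be different.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only context, got '$($ctx.AuthType)'"
}

# Read-only work the script was granted permission for (e.g. User.Read.All).
Get-MgUser -Top 5 -Property DisplayName, UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName

Disconnect-MgGraph | Out-Null
```

A client secret can replace the certificate in the same flow, but it is a password you then have to store and rotate, which is why the certificate variant is shown here.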