Connect to Azure AD from Powershell without prompt - what are my options?


Hi there,
I want to schedule some script in PowerShell and I would need to log in to Azure AD first.
Is it possible to log in to Azure AD without a prompt, as the script needs to be automated/scheduled?
Can I use an app registration with client ID and client secret with PowerShell?
I also have a dedicated account which doesn't have MFA.

Any resources would be appreciated

Thanks

7 Replies
You can just pass your username/password to Connect-AzAccount.

If you want to automate tasks against Azure AD, you should be leveraging Microsoft Graph instead. There's a PowerShell SDK (https://docs.microsoft.com/en-us/graph/powershell/installation). It supports authenticating with an SPN, but I would recommend using a Managed Identity, if possible.

Thanks Tringler. Can you please give me an example? I'm using Connect-AzureAD.

Thanks hspinto for your response.
I have a dedicated account whose password doesn't expire and that has no MFA. Will this work?
What is Managed Identity and how can I achieve this?

@Patrick Rote

A user principal with a never-expiring password and no MFA is the worst you can do for the security of your solution. Use, at least, a service principal - they're meant for non-attended automation.

The AzureAD module you are trying to use (Connect-AzureAD) is being deprecated and is replaced by the MS Graph SDK I mentioned above. If you want to log into Azure AD with a service principal and MS Graph, you can simply use this:

Connect-MgGraph -TenantId "your tenant id" -AppId "service principal app id" -CertificateThumbprint "cert thumbprint"

Of course, you must grant the service principal the required roles/permissions in your Azure AD tenant.

If the execution context of your automation allows for it, i.e., it runs from Azure Automation or from an Azure/Arc machine, you can leverage Managed Identities, which are a special type of service principal for which Azure manages the credentials for you. You don't need to use certificates or passwords. More details here: Managed identities for Azure resources | Microsoft Docs
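
The two non-interactive options from the reply above, written out as a scheduled-script preamble. This is an added example, not part of the original reply or of Microsoft's documentation. It assumes Microsoft Graph PowerShell SDK v2 or later (for `-Identity`); the parameter defaults are placeholders, and `Get-ValidAuthCertificate` and the 30-day warning window are hypothetical choices made for the illustration.

```powershell
# Added example: prompt-free sign-in to Microsoft Graph for a scheduled script.
# All default values are placeholders (assumptions); supply your own.
param(
    [string]$TenantId   = '<tenant-id>',
    [string]$AppId      = '<service-principal-app-id>',
    [string]$Thumbprint = '<cert-thumbprint>',
    [switch]$UseManagedIdentity   # Azure Automation or an Azure/Arc machine
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop

# Hypothetical helper: fail early, with a clear message, if the certificate is unusable.
function Get-ValidAuthCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Scheduled tasks often run as a service account, so check both stores.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $Thumbprint |
        Select-Object -First 1

    if (-not $cert)               { throw "Certificate $Thumbprint not found." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key here." }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); rotate it."
    }
    return $cert
}

if ($UseManagedIdentity) {
    # Azure holds the credential; nothing is stored on disk or in the script.
    Connect-MgGraph -Identity -ErrorAction Stop
} else {
    $cert = Get-ValidAuthCertificate -Thumbprint $Thumbprint
    # -ClientId is the parameter that the -AppId alias used above maps to.
    Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $cert -ErrorAction Stop
}

# Confirm the session is not a delegated user sign-in before doing any work.
$ctx = Get-MgContext
if (-not $ctx -or $ctx.AuthType -eq 'Delegated') {
    throw 'Expected a service principal or managed identity session, not a user sign-in.'
}
$ctx | Select-Object TenantId, ClientId, AuthType, Scopes
```

The `Scopes` column in the final output shows which application permissions the identity actually holds, which makes it easy to confirm that only the required ones were granted.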

Hi @Patrick Rote

# Save User Credentials
# New-StoredCredential -Target MyAccount -Username <Username> -Password <Password>

# User Authentication
$ua = Get-StoredCredential -Target MyAccount
$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $ua.UserName,$ua.Password

# Login to your Azure Account
Connect-AzAccount -Tenant '<TenantID>' -Credential $credential

Still working until now.