0 votes

I am trying to write a PowerShell script that has to combine both Az cmdlets and AzureRM cmdlets to accomplish some of the stuff I want to do.

What truly happens, though, when I call all of these in the same script: Connect-AzAccount, Connect-AzureAD, Connect-AzureRMAccount?

Initially, I make a call to Get-Credential and save that in a variable. Then I use those credentials to populate -Credential in Connect-AzAccount.

Then, because of Multi-Factor Authentication, I have to make a call to Connect-AzureAD, which prompts a popup that allows the user to enter Email, Password and the Code from the MFA text to their phone.

Later in the script, there are some cmdlets that only exist in the RM version, so I call Connect-AzureRMAccount with the previous credentials from above.

# Prompt once for username/password (no MFA code is collected here)
$credentials = Get-Credential

# Re-wraps the same username and SecureString password; equivalent to $credentials
$azureCredentials = New-Object System.Management.Automation.PSCredential ($credentials.UserName, $credentials.Password)

# Az module login with the stored credential
Connect-AzAccount -Credential $azureCredentials -Tenant $tenantID -SubscriptionId $subscriptionID

# AzureAD module login: no -Credential, so this opens the interactive (MFA) prompt
Connect-AzureAD -Tenant $tenantID

# AzureRM module login with the same stored credential
Connect-AzureRMAccount -Credential $azureCredentials -Tenant $tenantID -SubscriptionId $subscriptionID

What is actually happening in terms of authentication during this entire script, where several different Connect cmdlets are called?

For some reason, there is a specific cmdlet:

$AppRegistration = New-AzureADApplication -DisplayName $appName -HomePage $AppURI -IdentifierUris $AppURI -ReplyUrls $AppURI -PasswordCredentials $psadCredential

where I get an error in PowerShell telling me that I need to call Connect-AzureAD again, even though it was already called once during the script. Does it time out with the MFA?

How can I avoid having to get the user to sign in several times when running the script?

Comments:

My comment is not helpful. But I want to say that I feel your pain. MFA makes automation in Azure a giant pain. – AdminOfThings

Create a service principal with certificate authentication, grant it rights to the resources you want, and use that to connect. This avoids the user having to log in at all. Or is this supposed to be subscription agnostic? – TheMadTechnician

If my reply is helpful, please mark it as the answer (on the left of my reply, there is an option to mark), thanks. – Joy Wang-MSFT

1 Answer

0 votes

I don't think this is a correct option. If you want to avoid MFA, the workaround is to create a service principal (AD App), grant the permissions to it, and then log in with the service principal without MFA.

You could follow the steps below.

1. Create an Azure Active Directory application, then Upload a certificate and Get values for signing in.

2. Navigate to the Azure Active Directory in the portal -> Roles and administrators -> click Application administrator -> Add assignment -> search by your AD App name (service principal name) -> select it -> Select.

Note: In your case, you want to use the command New-AzureADApplication, so you need to give the Application administrator directory role to your AD App (service principal). If you want to do other things that need more permissions, you may need to give a role like Global administrator; it depends on you.

3. Then you could use the commands below to log in with the Az module and the AzureAD module.

# Az module: certificate-based service principal login (thumbprint, app ID and tenant ID are redacted placeholders)
Connect-AzAccount -CertificateThumbprint "F1D9FE13A8FBxxxx1C8B07D1666" -ApplicationId "aa60b5df-xxxxxx8ae8e0cc2e4" -Tenant "bb58915cxxxxxxb97ed6c65" -ServicePrincipal

# AzureAD module: same certificate and app; the private key must be in the local certificate store
Connect-AzureAD -CertificateThumbprint "F1D9FE13A8FBxxxx1C8B07D1666" -ApplicationId "aa60b5df-xxxxxx8ae8e0cc2e4" -Tenant "bb58915cxxxxxxb97ed6c65"

# Now runs under the service principal's Application administrator role, with no MFA prompt
New-AzureADApplication -DisplayName "newapp" -IdentifierUris "http://mynewapp11.contoso.com"

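The following script is an added example and is not part of the answer above or of Microsoft's documentation. It carries the answer's three steps end to end in PowerShell rather than the portal: it creates the certificate and the AD app, uploads the public key, activates and assigns the Application Administrator directory role, and then performs the certificate-based logins for both the Az and AzureAD modules, checking each session before running New-AzureADApplication. It assumes the AzureAD and Az.Accounts modules are installed, that the one-time setup is run interactively once by a directory admin (that single login still goes through MFA), and that the tenant ID and the names $AppName and $RoleName are placeholders to replace.

```powershell
# Added example (not from the original answer). Placeholders: tenant ID, $AppName.
#Requires -Modules AzureAD, Az.Accounts
param(
    [string]$TenantId = '00000000-0000-0000-0000-000000000000',  # placeholder tenant ID
    [string]$AppName  = 'automation-sp',                          # placeholder app name
    [string]$RoleName = 'Application Administrator'
)

# ---- One-time setup: a single interactive (MFA) login as a directory admin ----
Connect-AzureAD -TenantId $TenantId | Out-Null

# Step 1: self-signed certificate whose private key stays non-exportable in the user store.
$cert = New-SelfSignedCertificate -Subject "CN=$AppName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)
$publicKey = [Convert]::ToBase64String($cert.GetRawCertData())   # public part only leaves the host

# Register the AD app, attach the certificate's public key, and create its service principal.
$app = New-AzureADApplication -DisplayName $AppName
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier ([Convert]::ToBase64String($cert.GetCertHash())) `
    -Type AsymmetricX509Cert -Usage Verify -Value $publicKey `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# Step 2: assign the directory role. A role nobody has used yet exists only as a
# template in the tenant, so enable it from the template first when needed.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Disconnect-AzureAD

# Directory changes take a moment to replicate; avoid a spurious failure on first use.
Start-Sleep -Seconds 30

# ---- Step 3, every later run: no user present, no MFA ----
Connect-AzAccount -ServicePrincipal -Tenant $TenantId `
    -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint | Out-Null
Connect-AzureAD -TenantId $TenantId `
    -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint | Out-Null

# Each module keeps its own session, so verify both before doing real work.
$azCtx  = Get-AzContext
$aadCtx = Get-AzureADCurrentSessionInfo
if ($azCtx.Account.Type -ne 'ServicePrincipal') { throw 'Az session is not a service principal login' }
if ($aadCtx.TenantId -ne $TenantId)             { throw 'AzureAD session is not in the expected tenant' }

# The cmdlet from the question now runs under the service principal's directory role.
$newApp = New-AzureADApplication -DisplayName "$AppName-child"
'Created {0} ({1})' -f $newApp.DisplayName, $newApp.AppId
```

The setup half only needs to run once; keep the bottom half as the unattended script. Because the private key is non-exportable and only its public half is uploaded, the identity cannot be copied off the host with a simple certificate export, which is the main reason to prefer certificate credentials over a client secret for this service principal.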