0 votes

Short version: Is there any "pre-pick" method in the script to use in the scenario where authentication was already remembered in previous interactions, and only the "pick" step should be done?

Context

I have multiple MS accounts, and for each one there are one or more subscriptions. I use PowerShell 7 scripts (Az module) to automate repeated tasks. Some scripts use one account, other scripts use another account, and I use all the scripts on a daily basis. Although the Az module remembers which account was last used in Connect-AzAccount, unfortunately the next ad-hoc script needs to use another account.

I use Connect-AzAccount in the scripts, which pops up the browser dialog. In the browser I can pick the appropriate account from the multiple offered accounts that were remembered in previous logins.

The credentials for the accounts are remembered (btw, I have no idea where, because those credentials definitely do not show up in Credential Manager). Anyway, the point is that I do not have to (re)authenticate myself, which is fine.

Question

Because the role of the interaction in this scenario is only to pick an account (and not the authentication itself), I would like to do it without user interaction. I've examined the available switches of Connect-AzAccount; none of them seems to work (-AccountId or -TenantId, etc.) for different reasons.

I would not like to use another credential mechanism; I mean I would like to utilize those credentials that already exist and allow this workflow, but block the automation with the "Pick an Account" browser interaction.

1 Answer

1 vote

Short Answer:

Connect-AzAccount doesn't have an internal mechanism to achieve that.

Long Answer:

However, you could simulate the login flow in PowerShell.

When you run Connect-AzAccount,

internally, a browser session is opened with the below URL.

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=https://management.core.windows.net//.default openid profile offline_access&response_type=code&client_id=1950a258-227b-4e31-a9cf-717495945fc2&redirect_uri=http://localhost:8400/&x-client-SKU=MSAL.Desktop&x-client-Ver=4.21.0.0&x-client-CPU=x64&x-client-OS=Microsoft Windows NT 10.0.19042.0&prompt=select_account

If you look closely, prompt=select_account.

You could directly hit the below URL with PowerShell:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?scope=https://management.core.windows.net//.default openid profile offline_access&response_type=code&client_id=1950a258-227b-4e31-a9cf-717495945fc2&redirect_uri=http://localhost:8400/&x-client-SKU=MSAL.Desktop&x-client-Ver=4.21.0.0&x-client-CPU=x64&x-client-OS=Microsoft Windows NT 10.0.19042.0&login_hint=<[email protected]>

You could use the below IE automation object from the shell to achieve it.

$ie = New-Object -ComObject "InternetExplorer.Application"   # COM automation object for Internet Explorer
$ie.Navigate("google.co.in")       # initial navigation, as posted in the answer
$ie.Navigate("<The above url>")    # the authorize URL with login_hint from above
$ie.Visible = $true                # show the window so the redirect with the code can be observed

This will indirectly give you the code; you will have to perform the authentication against the required tenant.

https://login.microsoftonline.com/organizations/oauth2/v2.0/token

With the required parameters in the POST body:

client_id=1950a258-227b-4e31-a9cf-717495945fc2&client_info=1&scope=https://management.core.windows.net//.default offline_access openid profile&grant_type=authorization_code&code=<Code>

you could do Invoke-WebRequest.

You will be able to get the access token as a response, which you have obtained from here.

With the access token, you will be able to do Connect-AzAccount -AccessToken <TOKEN>.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Note:

The credentials are remembered by IE when you log in the first time.
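The whole flow the answer describes, put together as one PowerShell 7 script. This is an added example, not the answerer's code and not part of the Az module: it builds the authorize URL with login_hint instead of prompt=select_account, listens on the redirect URI so the code does not have to be copied by hand, exchanges the code at the token endpoint, and passes the access token to Connect-AzAccount. The client_id, redirect_uri, scope and endpoints are the ones from the answer; the HttpListener, the state check, the use of Invoke-RestMethod instead of Invoke-WebRequest, and the script and parameter names are my assumptions. It assumes Windows (Start-Process opens the default browser, which holds the remembered session) and the Az module already installed.

```powershell
# Connect-AzWithHint.ps1 (hypothetical name): skip the account picker by passing
# login_hint to the same authorization-code flow Connect-AzAccount uses.
param(
    [Parameter(Mandatory)] [string] $LoginHint,   # UPN of the remembered account, e.g. [email protected]
    [string] $TenantId = 'organizations'          # or a specific tenant GUID
)

$clientId    = '1950a258-227b-4e31-a9cf-717495945fc2'   # Azure PowerShell client id, as in the answer
$redirectUri = 'http://localhost:8400/'                  # redirect URI from the answer
$scope       = 'https://management.core.windows.net//.default openid profile offline_access'
$authority   = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

# Build the authorize URL. login_hint replaces prompt=select_account; state is an
# added one-time value so a redirect that does not belong to this run is rejected.
$query = @{
    client_id     = $clientId
    response_type = 'code'
    redirect_uri  = $redirectUri
    scope         = $scope
    login_hint    = $LoginHint
    state         = [guid]::NewGuid().ToString()
}
$qs = ($query.GetEnumerator() | ForEach-Object {
    '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value)
}) -join '&'
$authorizeUrl = "$authority/authorize?$qs"

# Listen on the redirect URI (assumption: the OS lets this user bind localhost:8400).
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($redirectUri)
$listener.Start()
try {
    Start-Process $authorizeUrl              # default browser, already signed in, redirects back
    $ctx      = $listener.GetContext()       # blocks until the browser hits localhost:8400
    $response = $ctx.Request.QueryString     # code, state or error, error_description
    $bytes = [Text.Encoding]::UTF8.GetBytes('You can close this window.')
    $ctx.Response.ContentType = 'text/plain'
    $ctx.Response.OutputStream.Write($bytes, 0, $bytes.Length)
    $ctx.Response.Close()
} finally {
    $listener.Stop()
}

if ($response['state'] -ne $query.state) { throw 'state mismatch: discarding redirect' }
if ($response['error']) { throw "authorization failed: $($response['error_description'])" }
$code = $response['code']

# Exchange the code at the token endpoint with the body the answer lists
# (client_info=1 omitted; Invoke-RestMethod sends a hashtable as form-urlencoded).
$token = Invoke-RestMethod -Method Post -Uri "$authority/token" -Body @{
    client_id    = $clientId
    grant_type   = 'authorization_code'
    code         = $code
    redirect_uri = $redirectUri
    scope        = $scope
}

# Hand the bearer token to Az. -AccountId must name the user the token was issued to.
Connect-AzAccount -AccessToken $token.access_token -AccountId $LoginHint | Out-Null
Get-AzContext
```

Run it as `.\Connect-AzWithHint.ps1 -LoginHint <[email protected]>` from each script that needs a particular account. Two caveats worth knowing: the access token obtained this way expires after the usual lifetime (about an hour) and Connect-AzAccount -AccessToken cannot refresh it, so a long-running script has to run the exchange again; and if the browser session for that account has itself expired, login_hint only pre-fills the username and the browser will still ask for credentials, which is the interactive step the question wanted to avoid.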