9

I am unable to automate the Connect-AzureAD PowerShell command.

In order to get the user ObjectId, I need to automate the Connect-AzureAD operation, and for that I used this code:

Connect-AzureAD -TenantId $tenantId  -Verbose
$userObjectID = $(Get-AzureADUser -Filter "UserPrincipalName eq '$Owner'").ObjectId

The operation gets stuck at Connect-AzureAD. How do I resolve this?

5 Answers

21

I found the solution and tested it.

I'm running this task in an Azure DevOps pipeline; the task is called "Azure PowerShell script" and is executed with the latest installed version.

Install-Module -Name "AzureAD" -Force
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Write-Output "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id -MsAccessToken $graphToken

6 Comments

Great solution! Just to make your answer more precise, what are you using to run your script? The Azure PowerShell task and an Azure service connection in Azure DevOps? How is it represented in the pipeline?
For some Azure AD cmdlets to work after the connect call, you need to also add "-MsAccessToken $graphToken" to the Connect-AzureAD call.
Adding the -MSAccessToken $graphToken was required for me to even get the Connect-AzureAD to work.
Superb solution! Your answer helped a lot and saved my day. Thank you.
@HarshalVaidya: Are you using "Azure PowerShell" with a valid service connection? Do not use the normal PowerShell script for it.
10

@Makram's answer is good for the AzureRM module.

With the Az PowerShell module, there is now an easier way:

$context = Get-AzContext
$aadToken = Get-AzAccessToken -ResourceTypeName AadGraph
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

1 Comment

Just to add that I had to change "Connect-AzureAD -AadAccessToken $aadToken" to $aadToken.Token (maybe an older version of the Az module?).
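As an added example (not code from the question or any of the answers above), the Az-module approach combined with the question's ObjectId lookup, written as functions for an Azure DevOps "Azure PowerShell" task. It assumes Get-AzContext already holds the service connection's identity and that $Owner is the UPN supplied as a pipeline variable; it normalises the .Token value mentioned in the comment above whether it is a string or a SecureString.

```powershell
# Added example, not from the original question or answers. Assumes an
# Azure DevOps "Azure PowerShell" task (Az context already present) and
# that $Owner is the user's UPN coming from a pipeline variable.

function Get-TokenString {
    # Get-AzAccessToken returns a PSAccessToken whose .Token is a plain
    # string in older Az.Accounts and a SecureString in newer releases;
    # return a plain string in both cases so Connect-AzureAD accepts it.
    param([Parameter(Mandatory)]$AccessToken)
    $t = $AccessToken.Token
    if ($t -is [securestring]) {
        $t = [System.Net.NetworkCredential]::new('', $t).Password
    }
    return $t
}

function Connect-AzureADFromAzContext {
    $context = Get-AzContext
    if (-not $context) {
        throw 'No Az context: run this in an Azure PowerShell task with a service connection.'
    }
    $aadToken   = Get-TokenString (Get-AzAccessToken -ResourceTypeName AadGraph)
    $graphToken = Get-TokenString (Get-AzAccessToken -ResourceTypeName MSGraph)
    # Supplying both tokens means Connect-AzureAD never opens the login
    # dialog that hangs the pipeline; the tokens themselves are not logged.
    Connect-AzureAD -AadAccessToken $aadToken -MsAccessToken $graphToken `
        -AccountId $context.Account.Id -TenantId $context.Tenant.Id | Out-Null
    return $context.Tenant.Id
}

function Get-UserObjectIdByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # The UPN is interpolated into an OData filter string: double any
    # single quote so a value like o'brien@contoso.com cannot break the
    # filter or alter its meaning.
    $escaped = $Upn -replace "'", "''"
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$escaped'"
    if (-not $user) { throw "No Azure AD user found for '$Upn'" }
    return $user.ObjectId
}

$tenantId     = Connect-AzureADFromAzContext
$userObjectID = Get-UserObjectIdByUpn -Upn $Owner
Write-Output "Tenant $tenantId, owner object id $userObjectID"
```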
2

Connect-AzureAD by default will prompt you for a login and password in a pop-up window.

Inside Azure DevOps, Connect-AzureAD by default gets stuck waiting for input from the user and the pipeline never finishes, as the user cannot input anything.

You need to use:

Connect-AzureAD -Credential $Credential -TenantId $tenantId  -Verbose

Where $Credential is a PSCredential object.

Ideally, you need to create a Service Principal in your Azure AD with permissions to access Microsoft Graph and generate a secret key. Afterwards, you can use the Application ID and Key of your service principal as the login and password for $Credential.

In Azure DevOps, do not forget to use secret variables or a variable group linked with Key Vault to protect your Key.

3 Comments

Thank you very much. I found the solution and tested it.
@Makram if this solution helped you perhaps it should be marked as the answer?
Thank you very much! Yes, it helped me dive deep into the problem, but I added the code that works as an answer.
2

If there is someone else out there who has a similar issue to me, in that using Makram's approach does not quite work in an Azure DevOps pipeline, then you could try this (it is a slight tweak on what Makram does):

Note that the initial parameters were already available to us (grabbed from Key Vault), we are using a tenant with no subscriptions purely for AAD user management, and this first bit could be avoided if you are using the AzureCLI task.

az login --service-principal --username $servicePrincipalID --password $servicePrincipalPassword --tenant $aadTenantID --allow-no-subscriptions

#Get AAD token from previous Az login.
$aadToken = az account get-access-token --resource-type aad-graph | ConvertFrom-Json

#Get Graph token using previous Az login
$graphToken = az account get-access-token --resource-type ms-graph | ConvertFrom-Json

#Now connect
Connect-AzureAD -AadAccessToken $aadToken.accessToken -AccountId $userServicePrincipalID -TenantId $UserAadTenantID -MsAccessToken $graphToken.accessToken

1 Comment

This one actually works on Azure DevOps pipelines with Azure CLI (az...).
0

None of this actually works for me, either returning null or errors:

az : The term 'az' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

OK, problem found: restart the PowerShell ISE after installing Azure CLI.
