Automate Connect-AzureAD using PowerShell in Azure DevOps

5

9

I am unable to automate the Connect-AzureAD PowerShell command.

In order to get the user ObjectId, I need to automate Connect-AzureAD, and for that I used this code:

Connect-AzureAD -TenantId $tenantId -Verbose
$userObjectID = $(Get-AzureADUser -Filter "UserPrincipalName eq '$Owner'").ObjectId

The operation gets stuck at Connect-AzureAD. How do I resolve this?

Remanent answered 12/2, 2020 at 9:37 Comment(0)
21

I found the solution and tested it.

I'm running this task in an Azure DevOps pipeline; the task is called "Azure PowerShell script" and is executed with the latest installed version.

Install-Module -Name "AzureAD" -Force
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Write-Output "Hi I'm $($context.Account.Id)"
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id -MsAccessToken $graphToken
Remanent answered 12/2, 2020 at 11:6 Comment(6)
Great solution! Just to make your answer more precise: what are you using to run your script? The Azure PowerShell task and an Azure service connection in Azure DevOps? How is it represented in the pipeline? - Actinon
For some Azure AD cmdlets to work after the connect call, you also need to add "-MsAccessToken $graphToken" to the Connect-AzureAD call. - Oriente
Adding -MsAccessToken $graphToken was required for me to even get Connect-AzureAD to work. - Sorb
Superb solution! Your answer helped a lot and saved my day. Thank you. - Nave
PS C:\Users\azuredevops> $context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext Unable to find type [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]. - Shirker
@HarshalVaidya: Are you using "Azure PowerShell" with a valid service connection? Do not use the normal PowerShell script task for it. - Barbarity
10

@Makram's answer is good for the AzureRM module.

With the Az PowerShell module, there is now an easier way:

$context = Get-AzContext
$aadToken = Get-AzAccessToken -ResourceTypeName AadGraph
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id
Overexpose answered 27/10, 2021 at 6:40 Comment(1)
Just to add that I had to change "Connect-AzureAD -AadAccessToken $aadToken" to $aadToken.Token (maybe an older version of the Az module?). - Surmise
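The two answers above (the AzureRM token approach and the Az `Get-AzAccessToken` approach) and their comments point at the same three pitfalls: the script must run in the Azure PowerShell task with a service connection or there is no context at all, `-MsAccessToken` is needed for several cmdlets, and depending on the Az.Accounts version the token comes back as an object, a string or (in recent releases, assumed here) a SecureString. The following is an added example, not code from either answer, that folds those checks into one reusable function and finishes with the ObjectId lookup from the question. It assumes the Az.Accounts and AzureAD modules are installed on the agent, that the step runs in an Azure PowerShell task bound to a service connection, and that the owner UPN is mapped into the `OWNER_UPN` environment variable by the task (a hypothetical name).

```powershell
# Added example, not from the original answers. Assumes an Azure PowerShell task
# with a service connection, so Get-AzContext is already populated.

function Get-PlainTextToken {
    # Get-AzAccessToken returns an object whose .Token is a String in older
    # Az.Accounts releases and (assumed) a SecureString in newer ones; an even
    # older path returned a bare string. Normalise all three to a plain string.
    param([Parameter(Mandatory)] $AccessToken)

    $raw = if ($AccessToken -is [string]) { $AccessToken } else { $AccessToken.Token }
    if ($raw -is [securestring]) {
        # Works on Windows PowerShell 5.1 and PowerShell 7 alike.
        $raw = [System.Net.NetworkCredential]::new('', $raw).Password
    }
    if ([string]::IsNullOrWhiteSpace($raw)) {
        throw 'Get-AzAccessToken returned an empty token.'
    }
    return $raw
}

function Connect-AzureADFromAzContext {
    param([switch] $PassThru)

    $context = Get-AzContext
    if (-not $context) {
        # This is the situation behind the "Unable to find type ..." comment above:
        # a plain PowerShell task has no Az context at all.
        throw 'No Az context. Run this step in an Azure PowerShell task bound to a service connection.'
    }

    # AadGraph -> https://graph.windows.net  (legacy Azure AD Graph, used by the AzureAD cmdlets)
    # MSGraph  -> https://graph.microsoft.com (needed by several cmdlets, per the comments above)
    $aadToken   = Get-PlainTextToken (Get-AzAccessToken -ResourceTypeName AadGraph)
    $graphToken = Get-PlainTextToken (Get-AzAccessToken -ResourceTypeName MSGraph)

    # Log the identity, never the tokens: pipeline logs are retained and widely readable.
    Write-Host "Connecting AzureAD as $($context.Account.Id) in tenant $($context.Tenant.Id)"

    $session = Connect-AzureAD -AadAccessToken $aadToken `
                               -MsAccessToken $graphToken `
                               -AccountId $context.Account.Id `
                               -TenantId $context.Tenant.Id
    if ($PassThru) { return $session }
}

function Get-UserObjectId {
    # The lookup from the question. The UPN is escaped for the OData filter so an
    # apostrophe in the input (e.g. o'brien@contoso.com) cannot break the expression.
    param([Parameter(Mandatory)][string] $UserPrincipalName)

    $escaped = $UserPrincipalName.Replace("'", "''")
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$escaped'"
    if (-not $user) { throw "No user found for '$UserPrincipalName'." }
    return $user.ObjectId
}

Connect-AzureADFromAzContext
# OWNER_UPN is a hypothetical env var name mapped from a pipeline variable in the task.
$userObjectId = Get-UserObjectId -UserPrincipalName $env:OWNER_UPN
Write-Host "Owner ObjectId: $userObjectId"
```

The tokens stay in local variables and are never written to output; the only thing that reaches the log is the account and tenant id, which the accepted answer already prints.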
2

Connect-AzureAD by default will prompt you for a login and password in a pop-up window.

Inside Azure DevOps, Connect-AzureAD by default gets stuck waiting for input from the user and the pipeline never finishes, as the user cannot input anything.

You need to use:

Connect-AzureAD -Credential $Credential -TenantId $tenantId -Verbose

Where $Credential is a PSCredential object.

Ideally, you need to create a Service Principal in your Azure AD with permissions to access Microsoft Graph and generate a secret key. After that, you can use the Application ID and Key of your service principal as the login and password for $Credential.

In Azure DevOps, do not forget to use secret variables or a variable group linked with Key Vault to protect your Key.

Actinon answered 12/2, 2020 at 10:1 Comment(3)
Thank you very much. I found the solution and tested it. - Remanent
@Remanent if this solution helped you, perhaps it should be marked as the answer? - Roselleroselyn
Thank you very much! Yes, it helped me dig into the problem, but I added the code that works as the answer. - Remanent
2

If there is someone else out there who has a similar issue to me, in that Makram's approach does not quite work in an Azure DevOps pipeline, then you could try this (it is a slight tweak on what Makram does):

Note that the initial parameters were already available to us (grabbed from Key Vault) and we are using a tenant with no subscriptions purely for AAD user management; this first bit could be avoided if you are using the AzureCLI task.

az login --service-principal --username $servicePrincipalID --password $servicePrincipalPassword --tenant $aadTenantID --allow-no-subscriptions

#Get AAD token from previous Az login.
$aadToken = az account get-access-token --resource-type aad-graph | ConvertFrom-Json

#Get Graph token using previous Az login
$graphToken = az account get-access-token --resource-type ms-graph | ConvertFrom-Json

#Now connect
Connect-AzureAD -AadAccessToken $aadToken.accessToken -AccountId $userServicePrincipalID -TenantId $UserAadTenantID -MsAccessToken $graphToken.accessToken
Replevin answered 17/3, 2021 at 19:44 Comment(1)
This one is actually working on Azure DevOps pipelines with Azure CLI (az...). - Karmenkarna
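The answer above relies on `az account get-access-token`, and the only failure signal is a `$null` token or a `ConvertFrom-Json` error further down. The following is an added example, not code from the answer, that does the same connection from an Azure DevOps Azure CLI task, where the task has already logged in with the service connection so the `az login` step is skipped, and fails fast when `az` is missing from PATH, when the CLI is not logged in, or when a token request fails. It assumes the Azure CLI and the AzureAD module are installed on the agent, and that for a service-principal login `az account show` reports the application id in `user.name`.

```powershell
# Added example, not from the original answer. Assumes an Azure CLI task bound to
# a service connection (already logged in) with the AzureAD module installed.

function Get-CliAccessToken {
    # Wraps "az account get-access-token" so a failure stops the step instead of
    # silently yielding $null for the token.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('aad-graph', 'ms-graph')]
        [string] $ResourceType
    )

    if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
        # The "'az' is not recognized" error in a later answer: the CLI is not on
        # PATH in this shell (a shell started before the install needs restarting).
        throw "'az' is not on PATH. Install the Azure CLI and open a new shell, or use the Azure CLI task."
    }

    $json = az account get-access-token --resource-type $ResourceType --output json
    if ($LASTEXITCODE -ne 0) {
        throw "az account get-access-token failed for $ResourceType (exit code $LASTEXITCODE)."
    }
    $token = ($json | ConvertFrom-Json).accessToken
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw "Empty access token returned for $ResourceType."
    }
    return $token
}

function Connect-AzureADFromAzCli {
    # With a service-principal login, user.name holds the application (client) id
    # and user.type is "servicePrincipal"; tenantId is the tenant that was logged into.
    $account = az account show --output json | ConvertFrom-Json
    if ($LASTEXITCODE -ne 0 -or -not $account) {
        throw 'The Azure CLI is not logged in. Run this step in an Azure CLI task with a service connection.'
    }

    # aad-graph -> legacy Azure AD Graph token used by the AzureAD cmdlets
    # ms-graph  -> Microsoft Graph token, required by several cmdlets
    $aadToken   = Get-CliAccessToken -ResourceType aad-graph
    $graphToken = Get-CliAccessToken -ResourceType ms-graph

    # Log the identity, never the tokens.
    Write-Host "Connecting AzureAD as $($account.user.name) ($($account.user.type)) in tenant $($account.tenantId)"

    Connect-AzureAD -AadAccessToken $aadToken `
                    -MsAccessToken $graphToken `
                    -AccountId $account.user.name `
                    -TenantId $account.tenantId | Out-Null
}

Connect-AzureADFromAzCli
```

If the tenant has no subscriptions, the service connection login still produces a tenant-level account entry, so `az account show` returns the tenant id needed here; the tokens themselves are kept in local variables and are not echoed to the pipeline log.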
0

None of this actually works for me; it either returns null or errors:

az : The term 'az' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

OK, problem found: restart the PowerShell ISE after installing the Azure CLI.

Bimolecular answered 11/3 at 10:28 Comment(0)
