如何在 Powershell Core 中连接 AzAccount（无提示）？

Question

I did see this q/a: Connect-AzAccount without prompt

But when I tried the accepted answer, I get the following error:

[6/12/2020 12:36:20 AM] ERROR: Connect-AzAccount: Username + Password authentication is not supported in PowerShell Core. Please use device code authentication for interactive log in, or Service Principal authentication for script log in.

So I went to example 3 of the Connect-AzAccount documentation which specifies the "Service Principal" authentication method, so I mix the two because the suggested vanilla Get-Credential triggers another interactive session. So here's the script now:

    $User = "myemail@gmail.com"
    $PWord = ConvertTo-SecureString -String "**********" -AsPlainText -Force
    $tenant = "f*********************************"
    $Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User,$PWord
    # $Credential = Get-Credential
    Connect-AzAccount -Credential $Credential -Tenant $tenant -ServicePrincipal

which brings my next error: [6/12/2020 12:45:45 AM] ERROR: Connect-AzAccount: AADSTS700016: Application with identifier 'myemail' was not found in the directory 'f*********************************'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. [6/12/2020 12:45:45 AM] ERROR: Connect-AzAccount: AADSTS700016: Application with identifier 'myemail' was not found in the directory 'f*********************************'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

I'm really confused at this point because all I have done at this point in Azure is:

1. Create a new Azure account
2. Provision an Azure API Management instance through the UI (which btw, takes like 20 minutes)
3. Try the above code to connect to Azure inside of a Powershell Azure Function locally.

I think something is wrong with the information I've provided or how I've configured something.

$User is the email I signed up to Azure with.

$PWord is my Azure password

$tenant is the first thing I saw when I opened Azure AD:

What's wrong with how I'm trying to connect to Azure through Powershell Core?

Answer 1

Based on Example 3, it asks for entering your application ID for the username and service principal secret as the password.

So you need to create a service principal at first. And then use its application ID and client secret as the credential.

$User = "{application id}"
$PWord = ConvertTo-SecureString -String "{client secret}" -AsPlainText -Force

Answer 2

I don't like Azure documentation. It gives off a very different vibe from GCP and feels much less beginner friendly.

With that said, they did have some kind of write-up that addresses my issue of creating a service principal and using it to authenticate.

I actually ended up just finding a video (and I never do this) because I wanted to skip past all the technical jargon and just create the darn service principal.

It's not even intuitive - it's like Microsoft could have added a button in AZ AD or IAM that said "Create Service Principal" but no , you have to go to a bunch of other pages that say nothing about service principals. You'll see:

1. In Azure Portal, navigate to the App Registrations page in Azure Active Directory. What an "app registration" has to do with a service principal, I couldn't tell you. I also couldn't tell you what a service principal is, but I'd imagine it has something to do with service accounts.

2. Make a New Registration and give it some sort of name to describe what the scope of this service principal will entail. Like normal service account naming conventions. I don't think the account type matters but I chose Multitenant . Redirect URL has nothing to do with service principals, and honestly makes it all the more confusing. I would never associate service accounts with any kind of redirect url, but here we are.

3. You're going to arrive at a page with Display Name (the name of the service principal you gave it in step 2), Application (client) ID (this is actually your service account username, which is imo non-intuitive), and Object ID (I have no idea what this is but I never needed to use it.

4. Guess what, you have only created 1/3 of your service account. It doesn't even have a password yet. Within your created app registration, there's a Certificates & Secrets page. On that page, you want to add a new client secret. For my description I just put my service principal "display name". I don't think that was necessary because this client secret is within the scope of the app registration, so even if I named it "poop" I could reasonably assume what it was for. Azure will generate a nuanced client secret and display it, but not warn you that this is the only time you will be able to see the key. Copy it. This is, in normal people talk, your service principal password.

5. For the last step, you need to get out of dodge, I mean Azure AD. Navigate to your Subscriptions page and click on your active subcription. For some reason IAM is here, so click on that. At this point, your service principal has a username and password, but no actual permissions - you have to configure that manually too. Click Add -> Add Role Assignment . For role, you should do your research but if it's not serious Contributor is probably a safe bet. It has read/write but it doesn't supersede Owner . Make sure you're assigning access to a service principal, and search for its display name. Save .

With all of that done, Connect-AzAccount finally worked.