Using AzureAD PowerShell CmdLets on TFS Release Manager

Question

I want to execute some PowerShell scripts on our TFS Release Manager environment that use AzureAD module to provision some Azure AD groups. The scripts are executed using an Azure Powershell Task. I've installed the AzureAD module, so the AzureAD PowerShell CmdLets are recognized.

However, for them to work the scripts first needs to connect to AzureAD using the Connect-AzureAD CmdLet. This CmdLet wants to show a modal dialog for entering credentials, which obviously isn't possible in a Release Manager task. I also cannot supply credentials using command line parameters. I want Connect-AzureAD to somehow use the current user context for the connection. Is this possible?

Answer 1

You could use the -Credential option of Connect-AzureAD.

In your AzureAD task, you can use the following code: ```

$pass=ConvertTo-SecureString $Env:password -AsPlainText -Force
$credential=New-Object PSCredential($Env:login, $pass)
Connect-AzureAD -Credential $credential

``` login and password are stored in a secret variable in the release definition.

Alternatively you might get the password from a previous task in the build definition. I that case, in the script arguments of the task, you pass the password -password "$(password)" and in the ` Script or Script inline you have, this time: ``

 param([string]$password)
 $pass=ConvertTo-SecureString $password -AsPlainText -Force
 $credential = New-Object PSCredential($Env:login, $pass)
 Connect-AzureAD -Credential $credential

``

I get the password from KeyVault with the Azure KeyVault task, but that might not be an option for you if you are on premise.

Answer 2

We've found an answer. It had been setting right in front of us on the official Connect-AzureAD documentation page (example 3).

So we're now authenticating using a SPN and a self-signed certificate. This works just fine.