
Automate Connect-AzureAD using powershell in Azure Devops

I am unable to automate the Connect-AzureAD PowerShell command.

In order to get the user ObjectId, I need to automate Connect-AzureAD, and for that I used this code:

Connect-AzureAD -TenantId $tenantId  -Verbose
$userObjectID = $(Get-AzureADUser -Filter "UserPrincipalName eq '$Owner'").ObjectId

The operation gets stuck at Connect-AzureAD. How do I resolve this?

I found the solution and tested it.

I'm running this task in an Azure DevOps pipeline; the task is called "Azure PowerShell script" and is executed with the latest installed version.

# Install the AzureAD module on the agent (the Azure PowerShell task ships AzureRM/Az, not AzureAD)
Install-Module -Name "AzureAD" -Force
# Reuse the service-connection context the task already signed in with, instead of prompting
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Acquire tokens for Microsoft Graph and Azure AD Graph silently (ShowDialog::Never) for that account
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Write-Output "Hi I'm $($context.Account.Id)"
# Token-based sign-in: no login pop-up, so the pipeline cannot hang waiting for input
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id -MsAccessToken $graphToken

@Makram's answer is good for the AzureRM module.

With the Az powershell module, there is now an easier way:

$context = Get-AzContext
# Get-AzAccessToken returns a token object; Connect-AzureAD needs the raw token string in .Token
$aadToken = (Get-AzAccessToken -ResourceTypeName AadGraph).Token
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id
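
The two token-based answers above stop at the sign-in. The following is an added example (not code from the question or any answer) of a complete "Azure PowerShell" task step built on the Az approach: it reuses the task's service-connection context, acquires both the Azure AD Graph and Microsoft Graph tokens, signs in without any dialog, resolves the owner's ObjectId, and fails the task explicitly instead of hanging or silently continuing when the user does not exist. It assumes the task runs under a service connection whose identity may read users, and the `$Owner` parameter and `ownerObjectId` variable names are assumptions. Note that the AzureAD module and the Azure AD Graph endpoint it talks to are deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so treat this as a bridge for existing pipelines.

```powershell
# Added example (not from the original question or answers): resolve a user's ObjectId
# inside an "Azure PowerShell" task with no interactive prompt.
# Assumptions: the task's service connection has already created an Az context, and that
# identity holds a directory read permission (e.g. User.Read.All). $Owner is assumed to be
# passed in from the pipeline; its name is an assumption.
param(
    [Parameter(Mandatory = $true)] [string] $Owner
)

$ErrorActionPreference = 'Stop'   # a failed call must fail the task, not be skipped over

if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser -Force -AllowClobber
}
Import-Module AzureAD

$context = Get-AzContext
if (-not $context) {
    throw 'No Az context found; run this in an Azure PowerShell task with a service connection.'
}

# Get-AzAccessToken returns a token object; the bearer token is its Token property.
# (Az.Accounts releases that return Token as a SecureString need
#  ConvertFrom-SecureString -AsPlainText before the value can be passed on.)
$aadToken   = (Get-AzAccessToken -ResourceTypeName AadGraph).Token
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

# Token-based sign-in never opens a dialog, so the task cannot stall waiting for input.
Connect-AzureAD -AadAccessToken $aadToken -MsAccessToken $graphToken `
                -AccountId $context.Account.Id -TenantId $context.Tenant.Id | Out-Null

# Double any single quote so a UPN taken from a variable cannot break out of the OData filter.
$safeOwner = $Owner -replace "'", "''"
$user = Get-AzureADUser -Filter "UserPrincipalName eq '$safeOwner'"

if (-not $user) {
    # ##vso logging commands surface the problem in the pipeline UI and fail the task.
    Write-Host "##vso[task.logissue type=error]User '$Owner' not found in tenant $($context.Tenant.Id)"
    Write-Host '##vso[task.complete result=Failed;]'
    exit 1
}

# Publish the id for later steps as $(ownerObjectId); it is an identifier, not a secret.
$userObjectID = $user.ObjectId
Write-Host "##vso[task.setvariable variable=ownerObjectId]$userObjectID"
Write-Output "Resolved $Owner to $userObjectID"
```

Keep `$ErrorActionPreference = 'Stop'` at the top: with the default `Continue`, a token acquisition that fails only writes an error, and the later `Connect-AzureAD` would then fall back to its interactive prompt and hang the agent again.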

Connect-AzureAD by default prompts you for a login and password in a pop-up window.

Inside Azure DevOps, Connect-AzureAD by default gets stuck waiting for input from the user and the pipeline never finishes, as the user cannot input anything.

You need to use:

Connect-AzureAD -Credential $Credential -TenantId $tenantId  -Verbose

Where $Credential is a PSCredential object.

Ideally, you need to create a Service Principal in your Azure AD with permissions to access Microsoft Graph and generate a secret key. After that, you can use the Application ID and Key of your service principal as the login and password for $Credential.

In Azure DevOps, do not forget to use secret variables or a variable group linked with Key Vault to protect your key.
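
As an added example (not from the answer above), here is how the -Credential route looks when the values come from Azure DevOps secret variables rather than from the script text. Secret variables are not exposed to a script automatically; they have to be mapped into environment variables in the task's `env:` block, and the example refuses to run if that mapping is missing. One caveat a practitioner should know: the AzureAD module's `-Credential` parameter takes a user account's username and password (an account without MFA); for an app identity the module's documented non-interactive sign-in is `-ApplicationId` with `-CertificateThumbprint`, so the example takes that branch when a thumbprint is supplied. All environment-variable names here are assumptions.

```powershell
# Added example (not code from the answer above): non-interactive Connect-AzureAD with
# inputs injected by the pipeline. Map the secret variables in the task, e.g.
#   env:
#     AAD_USER: $(aadUser)
#     AAD_PASSWORD: $(aadPassword)
#     AAD_TENANT_ID: $(aadTenantId)
# Every variable name below is an assumption made for this example.
$ErrorActionPreference = 'Stop'

function Get-RequiredEnv([string] $Name) {
    # Fail loudly when a mapping is missing; an empty credential would otherwise fall
    # through to the interactive prompt and hang the agent.
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Environment variable $Name is empty; map the secret variable in the task's env: block."
    }
    return $value
}

$tenantId = Get-RequiredEnv 'AAD_TENANT_ID'

if ($env:AAD_CERT_THUMBPRINT) {
    # App identity: the AzureAD module signs in a service principal with a certificate
    # that is present in the agent's certificate store, identified by its thumbprint.
    Connect-AzureAD -TenantId $tenantId `
                    -ApplicationId (Get-RequiredEnv 'AAD_APP_ID') `
                    -CertificateThumbprint $env:AAD_CERT_THUMBPRINT | Out-Null
}
else {
    # User identity: username and password wrapped in a PSCredential (no MFA on the account).
    $secret     = ConvertTo-SecureString (Get-RequiredEnv 'AAD_PASSWORD') -AsPlainText -Force
    $credential = [pscredential]::new((Get-RequiredEnv 'AAD_USER'), $secret)
    # Do not leave the plaintext in the process environment for later commands in this step.
    Remove-Item Env:\AAD_PASSWORD
    Connect-AzureAD -Credential $credential -TenantId $tenantId | Out-Null
}

# Prove the session works before any real work; this also fails the task on a bad sign-in.
$tenant = Get-AzureADTenantDetail
Write-Output "Signed in to tenant '$($tenant.DisplayName)' ($tenantId)"
```

Mark the password or certificate-related variables as secret in the pipeline or keep them in a Key Vault-backed variable group; Azure DevOps masks secret variable values in logs, but only values it knows about, so never echo `$env:AAD_PASSWORD` or build it into another string that gets printed.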

If there is someone else out there who has a similar issue to me, in that using Makram's approach does not quite work in an Azure DevOps pipeline, then you could try this (it is a slight tweak on what Makram does):

Note that the initial parameters were already available to us (grabbed from Key Vault), and we are using a tenant with no subscriptions purely for AAD user management; this first bit could be avoided if you are using the AzureCLI task.

# Sign in with the service principal; --allow-no-subscriptions because this tenant has none
az login --service-principal --username $servicePrincipalID --password $servicePrincipalPassword --tenant $aadTenantID --allow-no-subscriptions

# Get AAD Graph token from the previous az login.
$aadToken = az account get-access-token --resource-type aad-graph | ConvertFrom-Json

# Get Microsoft Graph token using the previous az login.
$graphToken = az account get-access-token --resource-type ms-graph | ConvertFrom-Json

# Now connect, with the same service principal and tenant used for the az login above
Connect-AzureAD -AadAccessToken $aadToken.accessToken -AccountId $servicePrincipalID -TenantId $aadTenantID -MsAccessToken $graphToken.accessToken

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

© 2020-2024 STACKOOM.COM