Silently connect to azure as a user in PowerShell using the authenticated account connected to windows

Mathirajan Elumalai 20 Reputation points
2023-07-31T15:28:15.8966667+00:00

On my corporate device, which has Seamless SSO and PHS enabled, when I go to portal.azure.com I can sign in directly without entering my credentials.

I want to know if I can replicate this when connecting to Azure using the Connect-AzAccount cmdlet in PowerShell.

When I run this command, the interactive browser window only shows my AAD user account that is authenticated and connected to Windows, and when I click the profile I get signed in automatically without a password prompt.

I want to sign-in silently using this profile without having to click my profile in this interactive browser window.
Is there a way to do this?

I know that a service principal can be used to connect to azure silently with a certificate or a client secret, but in my use case I can't use a service principal.

EDIT:

I finally found a way to do it. Using the -AccountID parameter with the UPN uses the SSO primary refresh token present on the device to authenticate without asking for a password. It does flash a white blank browser window for 2 seconds though, which might raise red flags for some uninformed users. I need to find a way to suppress that.

Connect-AzAccount -AccountID 'UPN'

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,521 Reputation points Moderator
    2023-08-02T19:13:18.14+00:00

    Hello @Mathirajan Elumalai and thanks for sharing your findings. I will re-post a summary of them and add some notes here so you can accept it and rate it, so that others facing a similar issue can easily find it.

    To perform a truly silent SSO authentication request using the Az PowerShell module you can pass your UPN as the AccountID parameter while using the Connect-AzAccount command, e.g.

    Connect-AzAccount -AccountID 'UPN'
    

    Regarding the white blank window, it should take less than a second but it will be always noticeable since opening a web browser is part of the interactive login process.

    Once again thanks for your contribution and let us know if you need anything else.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Luis Arias 8,621 Reputation points Volunteer Moderator
    2023-07-31T16:41:49.1766667+00:00

    Hi @Mathirajan Elumalai ,

    I think it is not possible to do something like -NonInteractive in Connect-AzAccount; however, you can use a service principal account if you are looking to automate in either a script or a pipeline:

    # Client secret of the service principal (placeholder value; in practice read it from a secret store rather than hard-coding it)
    $SecurePassword = ConvertTo-SecureString -String "Password123!" -AsPlainText -Force
    $TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
    $ApplicationId = 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz'
    # The credential's user name is the application (client) ID and its password is the client secret
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
    
    Account                SubscriptionName TenantId                Environment
    -------                ---------------- --------                -----------
    xxxx-xxxx-xxxx-xxxx    Subscription1    xxxx-xxxx-xxxx-xxxx     AzureCloud
    
    

    https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-10.1.0

    On the other hand, if you just want to avoid this extra click on your workstation, you can save your context in a file and load it each time you need to connect; with that you can work in Azure PowerShell.

    # First list your contexts
    Get-AzContext -ListAvailable | Format-List *
    # Choose which context you want to keep
    Select-AzContext 'Context-Name'
    # Save the context to a file that you can use next time instead of Connect-AzAccount
    Save-AzContext -Path E:\tmp\azure-custom-context.json
    # You can force a disconnection with: Disconnect-AzAccount
    
    # When you need to use your connection you only need to import your context and start working:
    Import-AzContext -Path E:\tmp\azure-custom-context.json
    
    # Test:
    Get-AzResourceGroup | Format-Table
    

    I hope this could help you.

    Cheers,

    Luis

    1 person found this answer helpful.
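    The two approaches in this thread fit together: the accepted answer's Connect-AzAccount -AccountId call signs in through the device's primary refresh token, and Luis's Save-AzContext/Import-AzContext trick avoids even that brief browser flash on later runs. The helper below is an added example, not code from the thread or from the Az module; it reuses a saved context when its cached token is still usable, falls back to the PRT-based sign-in otherwise, and locks down the saved file because it holds cached tokens. It assumes Az.Accounts is installed, the device holds a primary refresh token for the given UPN, and (for the usage line) a hybrid-joined Windows device where whoami /upn prints the signed-in user's UPN; the function name, parameter names and file path are all made up for this example.

```powershell
# Added example (not from the thread): combine the -AccountId SSO sign-in with a
# saved, ACL-restricted context file so repeat runs need no browser window at all.
function Connect-AzSilently {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Upn,
        # Example path only; keep the file inside the user profile, not on a shared drive
        [string] $ContextPath = (Join-Path $env:LOCALAPPDATA 'az-silent-context.json')
    )

    # 1. Reuse a saved context if its cached token can still be used or refreshed.
    if (Test-Path -Path $ContextPath) {
        try {
            Import-AzContext -Path $ContextPath -ErrorAction Stop | Out-Null
            # Get-AzAccessToken throws when the cached token is expired and cannot be refreshed
            $null = Get-AzAccessToken -ErrorAction Stop
            Write-Verbose "Reused saved context from $ContextPath"
            return Get-AzContext
        } catch {
            Write-Verbose "Saved context unusable ($($_.Exception.Message)); falling back to SSO"
        }
    }

    # 2. Fall back to SSO through the device's primary refresh token (brief browser flash).
    $profile = Connect-AzAccount -AccountId $Upn -ErrorAction Stop

    # Fail closed if the token cache signed in somebody other than the expected user.
    if ($profile.Context.Account.Id -ne $Upn) {
        throw "Signed in as '$($profile.Context.Account.Id)' but expected '$Upn'"
    }

    # 3. Persist for next time. The file contains cached tokens, so restrict it to the
    #    current user only (stop ACL inheritance, then grant one explicit rule).
    Save-AzContext -Path $ContextPath -Force
    $acl = Get-Acl -Path $ContextPath
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $ContextPath -AclObject $acl

    return Get-AzContext
}

# Usage on a hybrid-joined device (assumption: whoami /upn returns the signed-in UPN).
$ctx = Connect-AzSilently -Upn (whoami /upn) -Verbose
"Connected as $($ctx.Account.Id) to tenant $($ctx.Tenant.Id)"
```

    The first run still shows the short blank browser window the accepted answer describes; subsequent runs in the same or a new session import the saved context and never open a browser. The ACL step matters because anyone who can read that JSON file can use the cached tokens as you until they expire; if you prefer not to keep a file at all, drop step 3 and rely on the -AccountId path on every run.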

  2. Scott Head 5 Reputation points
    2023-08-01T04:02:00.4333333+00:00

    I ran into this issue as well when connecting to Azure using a scheduled task. I was able to create what is called an unattended login, where you can then log in using a token instead of a login account. Not 100% sure if this helps you, but it seemed like something to share.

    https://www.365.scriptsbyscott.com/azureunattendedlogin

    Also have a link on my website with other helpful info on this.

    Scott Head


  3. Mathirajan Elumalai 20 Reputation points
    2023-08-02T17:04:41.1866667+00:00

    I finally found a way to do it. Using the -AccountID parameter with the UPN uses the SSO primary refresh token present on the device to authenticate without asking for a password. It does flash a white blank browser window for 2 seconds though, which might raise red flags for some uninformed users. I need to find a way to suppress that.

    Connect-AzAccount -AccountID 'UPN'
    