Connect-AzAccount does not work with a scheduled task

vincent manzari 41 Reputation points
2023-04-26T15:33:53.5566667+00:00

Hello all, I have a problem with a script that uses Connect-AzAccount. The script copies files from a local folder to a storage blob.


```powershell
# Force TLS 1.2 for outbound connections
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Sign in as the application using its certificate
$TenantId = 'xxx'
$ApplicationId = 'xxx'
$thumbprint = 'xxx'
Connect-AzAccount -CertificateThumbprint $thumbprint -Tenant $TenantId -ApplicationId $ApplicationId

$subscrp = Get-AzSubscription | Select-AzSubscription

# $RGName, $StorageName, $ContainerName and $path are not defined in the posted excerpt
$context = (Get-AzStorageAccount -ResourceGroupName $RGName -AccountName $StorageName).Context

# SAS token for the Blob service, valid for one day
$SASToken = New-AzStorageAccountSASToken -Context $context -Service Blob -ResourceType Service,Container,Object -Permission "rlw" -ExpiryTime (Get-Date).AddDays(1) # -ExpiryTime(get-date).AddSeconds(3600)

$storagectx = New-AzStorageContext -StorageAccountName $StorageName -SasToken $SASToken

# Upload every item found in the local folder
$files = Get-ChildItem $path
foreach ($file in $files)
{
    Set-AzStorageBlobContent -File $file.FullName -Container $ContainerName -Context $storagectx | Out-Null
}
Disconnect-AzAccount
```

The script works if I run it from PowerShell or PowerShell ISE, but it does not work if I put it in a scheduled task. For the task, I use a Managed Service Account. I have tested the sMSA with another script and scheduled task on the same server and it works. I have tested with a "classic" service account (domain account with Local Admin and Run as a batch job rights) but got the same issue. It seems that the issue is with the command Connect-AzAccount. Can you help me please?


6 answers

  1. MotoX80 32,736 Reputation points
    2023-05-02T15:11:03.1066667+00:00

    At my former employer we had 2 proxies to connect to the internet. The primary one required user authentication so that the security team could know which users were trying to browse porn sites. The second unpublicized one was for apps that ran on our servers and did not require authentication.

    My notes say that I used to set the proxy like this on our servers.

    ```cmd
    NetSH WinHTTP Set Proxy proxy-server="PROXYdirect:80" bypass-list="<local>;.ourADdomain.com;.otherLocalName.net"
    ```

    That would allow us to bypass the proxy for local intranet sites.

    Try testing a script like this.

    ```powershell
    Invoke-WebRequest http://SomeLocalWebServer -UseBasicParsing
    Invoke-WebRequest http://SomeLocalWebServer.YourActiveDirectoryName.com -UseBasicParsing
    Invoke-WebRequest http://www.microsoft.com -UseBasicParsing
    ```

    UseBasicParsing will bypass the IE engine.

    First run that with your admin account to verify that it works. Then create a local testuser account and use runas.exe to launch Powershell.exe as that user. Verify that the script can access the 3 sites with testuser. (Your intranet site needs to support anonymous access.) Then modify the scheduled task to run as the testuser account using the script with the 3 calls.

    Finally change the task to use the MSA account. That should verify network connectivity.

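The test sequence from the answer above as one script, an added example that is not part of the original thread: it logs the running account, the proxy settings and the result of each request to a file, because a scheduled task has no console to read. The log path and the function names are assumptions; the three URLs are the answer's placeholders.

```powershell
# Added example: run unchanged as the admin account, via runas as testuser,
# from the scheduled task as testuser, and finally from the task as the MSA.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$LogFile = 'C:\Temp\ConnectivityTest.log'   # assumed path; every test account needs write access
$Urls = @(
    'http://SomeLocalWebServer',                              # placeholder from the answer
    'http://SomeLocalWebServer.YourActiveDirectoryName.com',  # placeholder from the answer
    'http://www.microsoft.com'
)

New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

function Write-Log {
    param([string]$Message)
    # Timestamp each line so runs under different accounts can be told apart
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Test-Url {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        return "OK   $Url -> HTTP $($r.StatusCode)"
    }
    catch {
        # Keep the exception text: proxy authentication and name resolution failures differ here
        return "FAIL $Url -> $($_.Exception.Message)"
    }
}

# Which account did this run execute under?
Write-Log "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Machine-wide WinHTTP proxy, the setting changed by 'netsh winhttp set proxy'
$winHttp = (netsh winhttp show proxy | Out-String).Trim() -replace '\s+', ' '
Write-Log "WinHTTP: $winHttp"

foreach ($u in $Urls) {
    # Proxy that .NET resolves for this account; equals the URL itself when bypassed
    $proxy = [Net.WebRequest]::GetSystemWebProxy().GetProxy([Uri]$u)
    Write-Log "Proxy for $u is $proxy"
    Write-Log (Test-Url $u)
}
```

Comparing the log blocks from the four runs shows at which step the result changes: the account, the resolved proxy, or the request itself.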