Silently connect to azure as a user in PowerShell using the authenticated account connected to windows

Mathirajan Elumalai 20 Reputation points
2023-07-31T15:28:15.8966667+00:00

In my corporate device, which has Seamless SSO and PHS enabled, when I go to portal.azure.com, I can sign-in directly without entering my credentials.

I want to know if I can replicate this when connecting to Azure using the Connect-AzAccount cmdlet in PowerShell.

When I run this command, the interactive browser window only shows my AAD user account that is authenticated and connected to Windows, and when I click the profile, I get signed in automatically without a password prompt.


I want to sign-in silently using this profile without having to click my profile in this interactive browser window.
Is there a way to do this?

I know that a service principal can be used to connect to azure silently with a certificate or a client secret, but in my use case I can't use a service principal.

EDIT:

I finally found a way to do it. Using the -AccountID parameter with the UPN uses the SSO primary refresh token present on the device to authenticate without asking for a password. It does flash a white blank browser window for 2 seconds though, which might raise red flags for some uninformed users. I need to find a way to suppress that.

Connect-AzAccount -AccountID 'UPN'

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-08-02T19:13:18.14+00:00

    Hello @Mathirajan Elumalai and thanks for sharing your findings. I will re-post a summary of them and add some notes here so you can accept it and rate it, so that others facing a similar issue can easily find it.

    To perform a truly silent SSO authentication request using the Az PowerShell module, you can pass your UPN as the AccountID parameter while using the Connect-AzAccount command. E.g.

    Connect-AzAccount -AccountID 'UPN'
    

    Regarding the white blank window, it should take less than a second but it will be always noticeable since opening a web browser is part of the interactive login process.

    Once again thanks for your contribution and let us know if you need anything else.

    1 person found this answer helpful.
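As an added example (not part of the accepted answer or of the Az module's own documentation), here is the same silent sign-in wrapped so that it can be dropped into a script: the UPN defaults to the signed-in Windows user, -AccountId is what makes Az.Accounts try the device's primary refresh token first, and the resulting context is checked against the requested account rather than trusted blindly. It assumes Az.Accounts is installed and that the device has a PRT (Entra joined or hybrid joined with Seamless SSO, as in the question); the function name Connect-AzSilently is a hypothetical one chosen for this example.

```powershell
# Added example, not code from the original answer. Silent user sign-in through
# the device's primary refresh token via Connect-AzAccount -AccountId, plus a
# check that the context really is the requested account.
# Assumptions: Az.Accounts is installed; the device is Entra/hybrid joined and
# holds a PRT for the signed-in user. Connect-AzSilently is a hypothetical name.
function Connect-AzSilently {
    [CmdletBinding()]
    param(
        # UPN to sign in as; defaults to the UPN of the signed-in Windows user.
        [string]$Upn = (& whoami.exe /upn 2>$null),
        # Optional tenant/subscription to land in; omitted = the account's default.
        [string]$TenantId,
        [string]$Subscription
    )

    if ([string]::IsNullOrWhiteSpace($Upn)) {
        throw 'No UPN available: the Windows session is not signed in with a domain/Entra account.'
    }

    # -AccountId is the hint that lets Az.Accounts use the PRT instead of prompting.
    $connect = @{ AccountId = $Upn; ErrorAction = 'Stop' }
    if ($TenantId)     { $connect['TenantId']     = $TenantId }
    if ($Subscription) { $connect['Subscription'] = $Subscription }

    try {
        $null = Connect-AzAccount @connect
    }
    catch {
        throw "Sign-in as '$Upn' failed: $($_.Exception.Message)"
    }

    # Verify the active context is the account we asked for, not a stale cached one.
    # (-ne is case-insensitive in PowerShell, which is what we want for UPNs.)
    $ctx = Get-AzContext
    if (-not $ctx -or $ctx.Account.Id -ne $Upn) {
        $got = if ($ctx) { $ctx.Account.Id } else { '<none>' }
        throw "Expected a context for '$Upn' but got '$got'."
    }
    return $ctx
}

# Usage: sign in as the current Windows user and show where we landed.
$ctx = Connect-AzSilently
'{0} -> {1} (tenant {2})' -f $ctx.Account.Id, $ctx.Subscription.Name, $ctx.Tenant.Id
```

The context check matters in shared or long-lived sessions: Az.Accounts keeps previously signed-in accounts around, and a script that only calls Connect-AzAccount and carries on can end up operating under a different identity than the one it asked for.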

3 additional answers

  1. Luis Arias 8,621 Reputation points Volunteer Moderator
    2023-07-31T16:41:49.1766667+00:00

    Hi @Mathirajan Elumalai ,

    I think it is not possible to do something like -NonInteractive in Connect-AzAccount; however, you can use a service principal account if you are looking to automate in either a script or a pipeline:

    # Placeholder values: replace the secret and IDs with your own (the variable was misspelled as $SecuredPassword below in the original)
    $SecurePassword = ConvertTo-SecureString -String "Password123!" -AsPlainText -Force
    $TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
    $ApplicationId = 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzz'
    # The credential's user name is the application (client) ID and its password is the client secret
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
    
    Account                SubscriptionName TenantId                Environment
    -------                ---------------- --------                -----------
    xxxx-xxxx-xxxx-xxxx    Subscription1    xxxx-xxxx-xxxx-xxxx     AzureCloud
    
    

    https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-10.1.0

    On the other hand, if you just want to avoid this extra click on your workstation, you can save your context to a file and load it each time you need to connect; with that you can work in Azure PowerShell.

    #First list your context
    Get-AzContext -listavailable | fl *
    #Choose which context you want to keep
    Select-AzContext 'Contex-Name'
    #Save the context in a file that you can use next time instead of Connect-AzAccount
    Save-AzContext -Path E:\tmp\azure-custom-context.json
    #You can force a disconnection with: Disconnect-AzAccount
    
    #When you need your connection again, just import the context and start working:
    Import-AzContext E:\tmp\azure-custom-context.json
    
    #Test:
    Get-AzResourceGroup | Format-Table
    

    I hope this could help you.

    Cheers,

    Luis

    1 person found this answer helpful.
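As an added example (not part of Luis's answer), here is the service-principal variant the way a practitioner would usually want it: the client secret never appears as a literal in the script but arrives as a SecureString from the environment or a vault, and certificate-based sign-in (which the question mentions as an option) is offered as the preferred path, with the certificate checked for presence, private key and expiry before Connect-AzAccount is called. It assumes Az.Accounts is installed and, for the certificate path, that the certificate's public key is registered on the app registration; the function name Connect-AzSp and the environment variable names are hypothetical.

```powershell
# Added example, not code from the original answer. Service-principal sign-in
# without a secret literal in the script: certificate auth by thumbprint
# (preferred) or a client secret supplied as a SecureString.
# Assumptions: Az.Accounts is installed; for the certificate path, the cert's
# public key is registered on the app registration. Connect-AzSp and the
# AZ_* environment variable names are hypothetical.
function Connect-AzSp {
    [CmdletBinding(DefaultParameterSetName = 'Certificate')]
    param(
        [Parameter(Mandatory)] [string]$TenantId,
        [Parameter(Mandatory)] [string]$ApplicationId,

        # SHA-1 thumbprint of a cert in Cert:\CurrentUser\My or Cert:\LocalMachine\My.
        [Parameter(ParameterSetName = 'Certificate', Mandatory)]
        [string]$CertificateThumbprint,

        # Client secret as a SecureString; never pass a plaintext literal here.
        [Parameter(ParameterSetName = 'Secret', Mandatory)]
        [securestring]$ClientSecret
    )

    $common = @{ ServicePrincipal = $true; TenantId = $TenantId; ErrorAction = 'Stop' }

    switch ($PSCmdlet.ParameterSetName) {
        'Certificate' {
            # Fail early with a clear message instead of an opaque token error.
            $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
                    Where-Object Thumbprint -eq $CertificateThumbprint | Select-Object -First 1
            if (-not $cert)                    { throw "Certificate $CertificateThumbprint not found in CurrentUser\My or LocalMachine\My." }
            if (-not $cert.HasPrivateKey)      { throw "Certificate $CertificateThumbprint has no private key; cannot sign the client assertion." }
            if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $CertificateThumbprint expired on $($cert.NotAfter)." }

            $null = Connect-AzAccount @common -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint
        }
        'Secret' {
            # PSCredential: user name = application (client) ID, password = client secret.
            $cred = [pscredential]::new($ApplicationId, $ClientSecret)
            $null = Connect-AzAccount @common -Credential $cred
        }
    }

    # For a service principal the context's Account.Id is the application ID.
    $ctx = Get-AzContext
    if (-not $ctx -or $ctx.Account.Id -ne $ApplicationId) {
        throw "Expected a context for app $ApplicationId but got '$(if ($ctx) { $ctx.Account.Id } else { '<none>' })'."
    }
    return $ctx
}

# Usage (certificate; values come from the environment, not from the script):
# Connect-AzSp -TenantId $env:AZ_TENANT_ID -ApplicationId $env:AZ_CLIENT_ID -CertificateThumbprint $env:AZ_CERT_THUMBPRINT
#
# Usage (secret injected by the pipeline as an environment variable):
# $secret = ConvertTo-SecureString -String $env:AZ_CLIENT_SECRET -AsPlainText -Force
# Connect-AzSp -TenantId $env:AZ_TENANT_ID -ApplicationId $env:AZ_CLIENT_ID -ClientSecret $secret
```

With the certificate path the private key stays in the certificate store (and can be marked non-exportable), so nothing reusable is written into the script or the pipeline definition; with the secret path, rotate the secret and scope the service principal's role assignment to the resources the script actually touches.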

  2. Scott Head 5 Reputation points
    2023-08-01T04:02:00.4333333+00:00

    I ran into this issue as well when connecting to Azure using a scheduled task. I was able to create what is called an unattended login, where you can then log in using a token instead of a login account. Not 100% sure if this helps you, but it seemed like something to share.

    https://www.365.scriptsbyscott.com/azureunattendedlogin

    Also have a link on my website with other helpful info on this.

    Scott Head


  3. Mathirajan Elumalai 20 Reputation points
    2023-08-02T17:04:41.1866667+00:00

    I finally found a way to do it. Using the -AccountID parameter with the UPN uses the SSO primary refresh token present on the device to authenticate without asking for a password. It does flash a white blank browser window for 2 seconds though, which might raise red flags for some uninformed users. I need to find a way to suppress that.

    Connect-AzAccount -AccountID 'UPN'
    