Connect-AzureAD using PSCredential

Nusrat Jahan Shaikh 1 Reputation point
2021-02-17T08:29:53.967+00:00

I am trying to Add user into AAD group using Automation Service -Runbook Powershell.

I have created a Credentials Username : XYZ pwd:ABC

and then trying below Powershell script, but getting below error.

Powershell script:
$aadAdminCred = Get-AutomationPSCredential -Name 'PSCredUser'
Connect-AzureAD -TenantId "xxxx" -Credential $aadAdminCred

Error:

  • Connect-AzureAD -TenantId "xxxx" -Cr ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AggregateException
  • FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD

Connect-AzureAD : parsing_wstrust_response_failed: Parsing WS-Trust response failed
At line:9 char:1

  • Connect-AzureAD -TenantId "xxxx" -Cr ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : AuthenticationError: (:) [Connect-AzureAD], AdalException
  • FullyQualifiedErrorId : Connect-AzureAD,Microsoft.Open.Azure.AD.CommonLibrary.ConnectAzureAD
Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,240 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,526 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. tbgangav-MSFT 10,416 Reputation points
    2021-02-22T05:29:23.97+00:00

    Hi @Nusrat Jahan Shaikh ,

    I have tried to reproduce the error (parsing_wstrust_response_failed: Parsing WS-Trust response failed) but was not able to see any such error.
    If you are trying to authenticate to the tenant using ADFS credentials from an Azure Automation runbook then AFAIK it is not supported.
    Azure Automation Run As Account is a great way to authenticate securely with certificates and a service principal name without needing to store a username and password in a credential object. So, we could use this same Azure Automation Run As Account to log in to your Azure AD tenant for the possibility to run Azure AD PowerShell commands. Below is a sample runbook to connect to Azure AD tenant and get users.

    #Login to Azure AD PowerShell With Admin Account  
    $connectionName="AzureRunAsConnection"  
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName           
    #Now you can login to Azure PowerShell with your Service Principal and Certificate  
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint  
    Get-AzureADUser | Select ObjectType, UserPrincipalName  
    Disconnect-AzureAD  
    

    70449-image.png

    Make sure the Azure Automation Run As Account (App) has sufficient permissions i.e., in this case

    1. add User.Read.All API permission (Azure portal -> Azure AD -> API permissions -> Microsoft Graph -> Application permissions -> User.Read.All ) and
    2. assign the directory readers role (Azure portal -> Azure AD -> roles and Administrator -> Directory Readers role -> assign this role) to it.

    70450-image.png

    70465-image.png

    Similarly you may have to add Group.Read.All app permission, etc. if you want to read AD group information as well, etc.

    On the other hand, if you want us to troubleshoot or deep dive regarding "parsing_wstrust_response_failed: Parsing WS-Trust response failed" error then to fast-track resolution of your issue, please send mail to AzCommunity@microsoft.com include your subscriptioin ID and a link to this thread (for context) and my team will work with you via our technical support channel. Please include "Attn:Krishna" in the subject line so we can engage asap. Alternatively, you can raise a technical support request if you have a support plan.

    Sources of above response:
    Use Azure AD to authenticate to Azure
    Manage Office 365 services
    Using the Azure Run As Account in Azure Automation to Connect to Azure AD with a Service Principal
    Using a Service Principal to connect to a directory in PowerShell
    Connect Azure Automation Runbook script with service principal for AzureAD
    Authorization_RequestDenied

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.