SMTP Credential via Key Vault

Nandan Hegde 32,416 Reputation points MVP
2020-08-14T11:58:57.053+00:00

Hello,
We are sending email alerts via Azure Automation using the code below:

$Cred = Get-AutomationPSCredential -Name $MyCredential 

$Emailcred= Get-AzureKeyVaultSecret -vaultName 'KVname' -name 'SecretName'

Send-MailMessage -From 'xyz.com' -To 'abc.com' -Subject "Test email" -Body "test mail" -BodyAsHtml -SmtpServer smtp.office365.com -Credential $Cred -UseSsl -Port 587

When we use the credential from the Azure Automation creds, we receive the email notification properly.
But for better security, it is better to have the cred stored in Key Vault.
So when we replace $Cred with $Emailcred in the SMTP request, we get the error below:

Send-MailMessage : Cannot process argument transformation on parameter 'Credential'. userName
At line:55 char:212
+ ... AsHtml -SmtpServer smtp.office365.com -Credential $Emailcred1 -UseSsl ...
+                                                       ~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Send-MailMessage], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Microsoft.PowerShell.Commands.SendMailMessage

So how do we retrieve the cred from Key Vault for proper email notification?

Azure Automation

Accepted answer
  1. tbgangav-MSFT 10,416 Reputation points
    2020-08-14T15:20:44.44+00:00

    Hi @Nandan Hegde ,

    Thanks for reaching out.

    Firstly, as per this Azure document, we recommend sending an email from a runbook with SendGrid.

    However, if you still want to go with the Send-MailMessage cmdlet approach, I don't have an SMTP server handy to test, but you may try to resolve the issue by replacing

    $Emailcred= Get-AzureKeyVaultSecret -vaultName KVname -name SecretName

    with

    $KeyVault = Get-AzKeyVaultSecret -VaultName KVname -Name SecretName
    $KeyVaultSecretString = (Get-AzKeyVaultSecret -VaultName KVname -Name SecretName).SecretValueText
    $User = $KeyVault.Name
    $PWord = ConvertTo-SecureString -String $KeyVaultSecretString -AsPlainText -Force
    $Emailcred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord

    The reason for it is, the type of

    $Emailcred= Get-AzureKeyVaultSecret -vaultName KVname -name SecretName

    is PSKeyVaultSecret. For illustration, please check the screenshot below.

    17639-aa-keyvault1.png

    Whereas the Send-MailMessage cmdlet's Credential parameter accepts only a PSCredential type value.

    So the above code that I have provided would fetch your Key Vault secret name and secret value and then store them in a PSCredential object that matches the accepted type of the Send-MailMessage cmdlet's Credential parameter, so it would resolve your issue.

    17677-sendmailmessage-credential-parameter-type.png

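An added example, not part of the original thread or Microsoft's own code: a helper that builds the PSCredential from the secret's SecretValue property, which is already a SecureString, so the password is never handled as plain text in the runbook. The function name, the example.com addresses and the stand-in secret object are assumptions made for illustration; the login is passed separately because Key Vault secret names allow only letters, digits and hyphens.

```powershell
# Added example, not code from the thread. Function name and sample values are hypothetical.
function New-SmtpCredentialFromSecret {
    [CmdletBinding()]
    [OutputType([System.Management.Automation.PSCredential])]
    param(
        # SMTP login. Supplied separately: Key Vault secret names allow only
        # letters, digits and hyphens, so a name cannot hold a mail address.
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName,

        # Object returned by Get-AzKeyVaultSecret, or anything with the same shape.
        [Parameter(Mandatory = $true)]
        [psobject]$Secret
    )

    $value = $Secret.SecretValue
    # Fail early with a clear message if the object is not a Key Vault secret.
    if ($value -isnot [securestring]) {
        throw "Secret '$($Secret.Name)' does not expose a SecureString SecretValue."
    }
    if ($value.Length -eq 0) {
        throw "Secret '$($Secret.Name)' is empty."
    }

    New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserName, $value
}

# In the runbook, after authenticating to Azure:
#   $secret = Get-AzKeyVaultSecret -VaultName 'KVname' -Name 'SecretName'
# Offline stand-in with the same properties, constructed for this example:
$secret = [pscustomobject]@{
    Name        = 'SecretName'
    SecretValue = ConvertTo-SecureString -String 'constructed-password' -AsPlainText -Force
}

$Emailcred = New-SmtpCredentialFromSecret -UserName 'alerts@example.com' -Secret $secret

# Parameters for the call from the question; run Send-MailMessage @mail in the runbook.
$mail = @{
    From = 'alerts@example.com'; To = 'oncall@example.com'
    Subject = 'Test email'; Body = 'test mail'; BodyAsHtml = $true
    SmtpServer = 'smtp.office365.com'; Port = 587; UseSsl = $true
    Credential = $Emailcred
}
```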