

Azure: Automating Login For PowerShell Scripts using Service Principal

Introduction

PowerShell is an important weapon in the arsenal of an administrator for maintaining control over the systems they are responsible for. PowerShell provides a convenient way of automating a lot of tasks, saving the administrator time and effort. For automating Azure administration tasks, Microsoft provides the Microsoft Azure PowerShell module, which can be used to write scripts. The module is great and offers a lot of functionality covering the various aspects and offerings of Azure.

Problem Statement

When a PowerShell script is written to automate an Azure support task, it must first sign on to Azure and only then execute the cmdlets that perform the actual operation. This login normally has to be done manually by entering the user id and password of the Azure account.

The command used for this is

Login-AzureRmAccount

Once this command is encountered, the PowerShell script opens a pop-up window where the administrator needs to enter the user id and password of the Azure account. Refer to the screenshot below.


Obviously, this poses a big problem for automating Azure support tasks with PowerShell. The following article discusses the use of a service principal to automate the login process, thereby removing the manual intervention.

Automating Login Process

After installing the Azure PowerShell module, the administrator needs to perform a one-time activity to set up a service principal on the machine from which they are going to schedule the Azure PowerShell scripts. The following steps need to be done so that the process can be automated.

  • Log on to the Azure account.
  • Create an AD application which will be used to log on to Azure.
  • Create a service principal mapped to the application created above.
  • Assign a role to the application so that it has the proper access level to perform the necessary tasks.

For the above steps, the following commands need to be run from a PowerShell ISE or PowerShell Command Prompt.

# Interactive sign-on for the one-time setup
Login-AzureRmAccount

# Create the AD application; the password supplied here becomes the service principal's secret
$azureAdApplication = New-AzureRmADApplication -DisplayName "AzureAutomationApp" -HomePage "https://www.myapp.org/" -IdentifierUris "https://www.myApp.org/azureAutomationApp" -Password '<Password Goes Here>'

# Create the service principal for the application
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Grant the service principal the role it needs (Contributor here)
New-AzureRmRoleAssignment -ServicePrincipalName $azureAdApplication.ApplicationId.Guid -RoleDefinitionName Contributor

Once these commands are run, the following output is obtained.


As highlighted in the red rectangle, the ApplicationId, together with the password provided above, will be used from here on to log on to the Azure environment from the PowerShell script.

To save the password as an encrypted string, run the following command from the PowerShell ISE or PowerShell console.

Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File <SomePhysicalPath>\cred.txt

Once the command is invoked, it prompts for input; enter the password that was provided earlier.

The Tenant Id is also required to automate the login process for the script. In addition, the administrator needs the domain name of the Azure directory. Both can be found in the Azure portal; refer to the red box in the following screenshots.

This activity needs to be done only once.

Invoking Automatic Login

Once the service principal is created, the Login-AzureRmAccount call can be automated as shown below.

# The application id is the one noted in the screenshot above while setting up the AD application
# The domain name is obtained from the portal as highlighted in the screenshot above

$userId = "applicationId@azuredomain.onmicrosoft.com"
# Read the DPAPI-protected password written earlier and turn it back into a SecureString
$password = Get-Content -Path "Path where the password is stored in cred.txt" | ConvertTo-SecureString

# Build the PowerShell credential object
$cred = New-Object -TypeName System.Management.Automation.PSCredential($userId, $password)

# Log on to the Azure account
Login-AzureRmAccount -Credential $cred -TenantId "Noted Tenant ID"

# After this, other cmdlets can be executed as required.
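The same login, wrapped in a reusable function with the checks a scheduled script needs, as an added example that is not part of the original article. The function name, parameter names and placeholder values are assumptions; it also assumes an AzureRM version whose Login-AzureRmAccount supports the -ServicePrincipal switch, in which case the bare ApplicationId is used as the user name instead of the applicationId@domain form above.

```powershell
# Added example, not the article's own code.
function Connect-AutomationAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,   # ApplicationId from New-AzureRmADApplication
        [Parameter(Mandatory)] [string] $TenantId,        # tenant (directory) id noted from the portal
        [Parameter(Mandatory)] [string] $CredentialPath   # file written by ConvertFrom-SecureString
    )

    if (-not (Test-Path -Path $CredentialPath)) {
        throw "Credential file '$CredentialPath' not found."
    }

    # ConvertFrom-SecureString without -Key protects the string with DPAPI, so the file can only
    # be decrypted by the same Windows user on the same machine that created it. If the scheduled
    # task runs under a different account, or the file was copied elsewhere, fail here with a
    # clear message rather than with an opaque login error.
    try {
        $securePassword = Get-Content -Path $CredentialPath | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Could not decrypt '$CredentialPath'; it must be read by the user and machine that created it. $_"
    }

    $cred = New-Object -TypeName System.Management.Automation.PSCredential($ApplicationId, $securePassword)

    # -ServicePrincipal tells the module that the user name is an application id, not a user account.
    $context = Login-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $TenantId -ErrorAction Stop
    return $context
}

# Usage in a scheduled script (placeholder values):
# $ctx = Connect-AutomationAccount -ApplicationId '<ApplicationId>' -TenantId '<TenantId>' -CredentialPath 'C:\secure\cred.txt'
# Other AzureRM cmdlets can follow once $ctx is returned.
```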

Conclusion

A service principal can be used to set up automatic Azure account login, which makes it possible to schedule PowerShell scripts that monitor Azure environments without manual intervention.

See Also 

To learn more about the commands used in this script, visit the following links.