The new Az module – Connecting to Azure

The new Az module – Connecting to Azure

With the introduction of the new Az PowerShell module, the merger of the Azure.* and AzureRM.* modules, comes a new way of connecting to Azure.

When we get a list of the available commands to do something with an AzAccount, you’ll end up with the following:

As you can see, there are now Connect-/Disconnect-AzAccount and Login-/Logout-AzAccount cmdlets. So if you want to connect to Azure and use PowerShell cmdlets to manage your environment, which one do you use?

If you use either Connect-AzAccount or Login-AzAccount, you’ll end up with the following message:

For this, one would require user interaction. Would that not negate the whole concept of automation?

One of our customers contacted me with the request if we could automate this. His idea was that we would write something that could read the url and code, utilize a browser and through that automate the login.

Although I love billing customers, I don’t like to bill them unnecessarily. I decided to educate them instead:

The solution is already available

The solution is simply by using the cmdlet the way it is intended to be used. For an interactive environment, you can simply go to that website and fill in the code. When you require the cmdlet to be used in an automated process / script, you can use the cmdlets’ parameters to tweak its behavior so that it works in automation

If you look at help of the cmdlets, you’ll notice that it has quite a few parameters that you can use. Amongst those is the -Credential parameter:

Big fat note:
This approach doesn’t work with Microsoft accounts or accounts that have two-factor authentication enabled.

But what if you’re using an account with Multi Factor Authentication?

Well, let me introduce you to Service Principals and Managed Identities.
Service principals are non-interactive Azure accounts. Like other user accounts, their permissions are managed with Azure Active Directory. By granting a service principal only the permissions it needs, your automation scripts stay secure.

If you want to know how you can create Azure Service Pricipals, take a look here.

Next to the Service Principal, the Connect-AzAccount cmdlet also requires you to provide its application ID, sign-in credentials, and the tenant ID associate with it:

Manage identities are a subset of Service Principals, and have therefor the same constraints.
They are assigned to resources that run in Azure. You can use them for sign-in, and acquire an app-only access token to access other resources. Managed identities are only available on resources running in an Azure cloud.