
I need to run New-AzureADServiceAppRoleAssignment from a PowerShell script in a release pipeline.

The prerequisite to this is Connect-AzureAD, which, by default, prompts for authentication. I've looked over StackOverflow for every permutation of this question that I can find, and none of the solutions mentioned work.

The Azure PowerShell task exists logged in; that just happens. What do I have to do to use that logged-in context to also connect in the AzureAD module?

Tom W
  • What's preventing you from running `Connect-AzureAD` from within your script? – Daniel Mann Apr 28 '20 at 20:14
  • I stated in the question - it prompts for authentication. A release pipeline task can't acknowledge that prompt, so the release hangs until timing out. – Tom W Apr 28 '20 at 21:12

1 Answer

How do I run Connect-AzureAD from a DevOps release pipeline?

That's because Connect-AzureAD by default will prompt you for a login and password in a pop-up window.

Inside Azure DevOps, Connect-AzureAD by default gets stuck waiting for authentication.

We could try to use the -Credential option of Connect-AzureAD:

$SecurePassword = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($AdminUserEmailAddress, $SecurePassword)
Connect-AzureAD -Credential $Credential

And we need to create a Service Principal in your Azure AD with permission to access Microsoft Graph and generate a secret key. After that, you can use the Application ID and Key of your service principal as the login and password for $Credential.

We could store the credential in a secret variable.

You could check this and this thread for some more details.

Hope this helps.

Leo Liu
  • The DevOps pipeline is already running under a service principal. How do I just use that? – Tom W Apr 29 '20 at 08:00
  • If you are already running under a service principal, you could try to use it by this way: https://stackoverflow.com/questions/60185213/automate-connect-azuread-using-powershell-in-azure-devops/60186948#60186948 – Leo Liu Apr 29 '20 at 09:55
  • The answer linked in the comment runs without error, but I'm now having trouble assigning the appropriate permission to the service principal to be able to run the cmdlet. However, from the point of view of the original question, this answer works. – Tom W May 11 '20 at 19:23
  • @TomW did you ever discover what permissions you need? In my case the Connect-AzureAD fails with an object reference error. It seems I am missing some permissions, but I cannot find what permission I'm missing – PaulVrugt Feb 09 '21 at 14:31
  • @PaulVrugt if I remember rightly it was something the script was doing with the token that wasn't authorised, rather than the process of connecting. My aim was to use the token already acquired by DevOps **instead of** running `Connect-AzureAD`. So I can't help there, sorry. – Tom W Feb 09 '21 at 17:46
  • Connect-AzureAD is not available in Azure Release pipeline, now what to do? – Ashish-BeJovial Jun 03 '21 at 14:31
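The token-reuse approach the comments point to (using the sign-in the Azure PowerShell task already did, instead of a separate Connect-AzureAD login), as an added example that is not part of the original answer or the linked post. It assumes the script runs in an Azure PowerShell task whose service connection is a service principal, that the installed Az.Accounts provides Get-AzAccessToken, that the agent runs PowerShell 7 with the AzureAD module installed, and that the object IDs are placeholders you supply.

```powershell
# Added example, not from the original post. Assumptions: an Azure PowerShell
# task has already signed in as the pipeline's service principal (Az context),
# Get-AzAccessToken exists in the installed Az.Accounts, PowerShell 7+, and the
# AzureAD module is installed on the agent.
$ErrorActionPreference = 'Stop'

# 1. Reuse the Az context created by the task; never call Connect-AzureAD interactively.
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Az context found; run this inside an Azure PowerShell task with a service connection.' }

# 2. Request a token for the Azure AD Graph resource that the AzureAD module talks to.
$aadGraphToken = (Get-AzAccessToken -ResourceUrl 'https://graph.windows.net').Token
if ($aadGraphToken -is [securestring]) {
    # Newer Az.Accounts versions return the token as a SecureString; AzureAD wants plain text.
    $aadGraphToken = ConvertFrom-SecureString -SecureString $aadGraphToken -AsPlainText
}

# 3. Hand the existing token to the AzureAD module. No prompt: no new sign-in happens here.
Connect-AzureAD -AadAccessToken $aadGraphToken `
                -AccountId     $ctx.Account.Id `
                -TenantId      $ctx.Tenant.Id | Out-Null

# 4. Run the cmdlet from the question under the service principal's identity.
#    Placeholder values (hypothetical): replace with the real object IDs.
$principalObjectId = '<object id of the service principal receiving the app role>'
$resourceObjectId  = '<object id of the API service principal that defines the app role>'
$appRoleId         = '<app role id taken from the resource service principal''s AppRoles>'

try {
    New-AzureADServiceAppRoleAssignment -ObjectId    $principalObjectId `
                                        -PrincipalId $principalObjectId `
                                        -ResourceId  $resourceObjectId `
                                        -Id          $appRoleId
}
catch {
    # Failure mode described in the comments: connecting works, but the pipeline's
    # service principal lacks the directory permission to write app role assignments.
    Write-Error "App role assignment failed; check the pipeline service principal's directory permissions. $($_.Exception.Message)"
    throw
}
```

The AzureAD module and the Azure AD Graph endpoint it targets are deprecated; the same pattern (take the token from the existing Az context rather than signing in again) applies when moving to the Microsoft.Graph module with a Microsoft Graph token.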