Use the AZ module in a non-interactive environment?

Question

I'm hoping to be able to use the Az module to retrieve a secret from an Azure key vault, for use with a PowerShell script that has been deployed to a server and is run daily by Windows Task Scheduler.

Initially, I needed to follow the oauth (a guess) process:

Connect-AzAccount -Tenant '69a29f45-...'

Which redirects to https://login.microsoftonline.com/..., asking you to choose an account:

eventually, it indicates success:

Authentication complete. You can return to the application. Feel free to close this browser tab.

After this has been completed, the script that retrieves the secret works as expected:

...
$AccessToken = Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' | Select-Object -ExpandProperty SecretValue | ConvertFrom-SecureString -AsPlainText
...

I'm concerned that the token will expire, causing my script to fail.

The SharePoint module (Pnp.PowerShell) can make use of a credential stored in Windows Credential Manager. Can the Az module do so as well?

If not, is there another way to handle this authentication process without interaction?

Hi, any update on this issue? – Joy Wang Nov 12 '20 at 01:17 — Joy Wang, Nov 12 '20 at 01:17

score 2 · Answer 1 · answered Nov 11 '20 at 07:30

Looks we could not use Az module with the Windows Credential Manager, to use Az powershell in a non-interactive way, we always use a service principal, please follow the steps below.

1.Register an application with Azure AD and create a service principal.

2.Get values for signing in and create a new application secret.

3.Then use the commands below.

Note: Don't forget to add the service principal to the Access policies with the secret permission of the keyvault in the portal first.

$azureAplicationId ="<application-id>"
$azureTenantId= "<tenant-id>"
$azurePassword = ConvertTo-SecureString "<client-secret>" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal 
#get the secret
$AccessToken = Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'MySecret' | Select-Object -ExpandProperty SecretValue | ConvertFrom-SecureString -AsPlainText

score 1 · Answer 2 · answered Nov 10 '20 at 17:55

1

You can logon using a certificate tied to a Service Principal (SP) in your AD tenant. Then you just have to make sure that the SP has access to your key vault as at least a reader.

answered Nov 10 '20 at 17:55

TheMadTechnician

34,906
3
42
56

Use the AZ module in a non-interactive environment?

2 Answers2