
I don't know why I can't figure this out, this can't be as hard as I'm making it. I'm trying to create a PowerShell script that will elevate itself using explicit credentials from AzureAD. I create a PSCredential object with:

$ss = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
$cred = New-Object PSCredential -ArgumentList 'username@domain.com', $ss
Start-Process PowerShell -Credential $cred "-NoProfile -ExecutionPolicy Bypass -Command `"cd '$pwd'; & '$PSCommandPath';`""
exit;

When I execute this I get Start-Process : This command cannot be run due to the error: The user name or password is incorrect.

I know the username and password are correct but I am guessing that it has to do with the fact that this is an AzureAD user? Do I have to format the AzureAD username differently? I've tried reformatting it every way I can think of. I've tried using Connect-AzureAD and using Get-AzureADUser to try to see if I could use some property of that to sign in but I'm coming up empty.

Is this even possible?

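An added example (not the asker's script) of the same self-relaunch pattern with two changes a practitioner would want: the password is prompted for with Get-Credential rather than stored in plaintext in the script, and the script checks which account it is already running as so the relaunch cannot loop. The `$TargetUser` value is a placeholder; this thread does not settle which user-name form (DOMAIN\user, UPN or otherwise) Start-Process accepts on an Azure AD-joined device, so use whichever form your environment accepts.

```powershell
# Added example, not from the question. Relaunches this script under another
# account via Start-Process -Credential without a plaintext password in the file.
param(
    # Placeholder (assumed): the account to relaunch as, in whatever form
    # Start-Process accepts in your environment.
    [string]$TargetUser = 'DOMAIN\admin.user'
)

function Get-AccountName {
    param([string]$User)
    # Reduce 'DOMAIN\user' or 'user@domain.com' to the bare account name
    if ($User -match '\\') { return ($User -split '\\')[-1] }
    if ($User -match '@')  { return ($User -split '@')[0] }
    return $User
}

function Test-RunningAs {
    param([string]$User)
    # Compare bare names only; WindowsIdentity reports 'DOMAIN\user' form
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    return (Get-AccountName $current) -ieq (Get-AccountName $User)
}

if (-not (Test-RunningAs $TargetUser)) {
    # Prompt for the secret instead of embedding it in the script
    $cred = Get-Credential -UserName $TargetUser -Message "Credentials to run $PSCommandPath"
    if (-not $cred) { exit 1 }

    # -File avoids the quoting problems of a nested -Command string;
    # -WorkingDirectory replaces the 'cd' and must be an absolute path.
    $argString = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -TargetUser `"$TargetUser`""
    try {
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argString `
            -Credential $cred -WorkingDirectory $PWD.Path -Wait -ErrorAction Stop
    } catch {
        # 'The user name or password is incorrect' and similar failures land here
        Write-Error "Relaunch as '$TargetUser' failed: $($_.Exception.Message)"
        exit 1
    }
    exit
}

# From here on the script is running as $TargetUser
Write-Host "Running as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
```

Because the relaunched copy fails the `Test-RunningAs` check only when it really is a different account, a mistyped `$TargetUser` produces one visible error rather than a chain of prompts.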

2 Answers


With Start-Process you must specify the username in the format "DOMAIN\user". I am not sure where this limitation comes from.


  • This doesn't seem to apply to an AzureAD credential. I've tried both `domain\username` and `domain.com\username` and both still give the same error. This is my first time using AzureAD instead of a local domain so I'm a bit lost with this. When I look at portal.azure.com, it shows that my device is "Azure AD Joined" but in System Properties it's not in a domain there because I guess Azure is handled differently being cloud-based. – JustinM Nov 25 '20 at 16:36
  • Can you try that workgroup name as domain name in your full username, like "WORKGROUP\username"? – Igor Nov 25 '20 at 20:33
  • That also did not work, unfortunately. I wonder if I have to query for the Azure AD object first? Idk, I'm just going around and manually doing this for now :( Thanks for all of your suggestions! – JustinM Dec 07 '20 at 17:01

Is the domain that the Azure AD user account you are trying to run the command as accessible to the domain that your machine is connected to? Without more information, I can only speculate that PowerShell is throwing the error because it does not recognize the user or the domain the user is a member of.

  • The machine is joined to the same AzureAD domain as the user account that I'm trying to log in with. I've just started this work for a nonprofit that had no IT department previously. They've got offices spread across a large geographical area and they are going remote now also. The computers have no remote access software, no naming conventions, and the end users are not allowed local admin privileges. I want a script that I can run quickly and easily to rename the computer and install the remote access software. From what you're seeing, should an AzureAD username work in my script as written? – JustinM Nov 23 '20 at 16:12
  • To add, when I put Connect-AzureAD at the start of the script and use the same credentials as I have in the script to log in to Azure, I am able to log on and it prints out my user, but then gives me the error when it gets to the part in the script where credentials are supplied. I get: `Account: username@domain.com | Environment: AzureCloud | TenantId: xxx-xxx-xxx-xxx | AccountType: User` – JustinM Nov 23 '20 at 22:47