I have a multi-tenant AzureAD app that calls a number of PowerShell scripts under the context of the logged in user of my webapp.
Is it possible to pass either the AccessToken or IDToken to the PowerShell script and have it create a session with the Connect-AzureAD cmdlet?
I see a credentials overload, and perhaps there might be a way to use (or convert) a token into something usable with this parameter?
PS C:\Users> get-help connect-azuread -examples
NAME
Connect-AzureAD
SYNOPSIS
Connects with an authenticated account to use Active Directory cmdlet requests.
Example 1: Connect a PowerShell session to a tenant
PS C:\> Connect-AzureAD -Confirm
This command connects the current PowerShell session to an Azure Active Directory tenant. The command prompts you
for a username and password for the tenant you want to connect to. The Confirm parameter prompts you for
confirmation.
If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or
use service principal authentication.
Example 2: Connect a session using a variable
PS C:\> $Credential = Get-Credential
PS C:\> Connect-AzureAD -Credential $Credential
The first command gets the user credentials, and then stores them in the $Credential variable.
The second command connects the current PowerShell session using the credentials in $Credential.
This account authenticates with Azure Active Directory using organizational ID credentials. You cannot use
multi-factor authentication or Microsoft account credentials to run Azure Active Directory cmdlets with this
account.
Example 3: Connect a session as a service principal
# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD
# Create the self signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd
# Load the certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
# Create the Service Principal and connect it to the Application
$sp=New-AzureADServicePrincipal -AppId $application.AppId
# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
Add-AzureADDirectoryRoleMember -ObjectId 5997d714-c3b5-4d5b-9973-ec2f38fd49d5 -RefObjectId $sp.ObjectId
# Get Tenant Detail
$tenant=Get-AzureADTenantDetail
# Now you can login to Azure PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
This command authenticates the user to Azure Active Directory as a service principal.
Here is a simple example:
Connect-AzureAD -TenantId {Tenant ID} -AadAccessToken {AAD Graph Access Token} -MsAccessToken {Microsoft Graph Access Token} -AccountId {Your UPN}
Please note that you must provide AadAccessToken, because you are connecting to the AAD module. MsAccessToken is optional, but if you need to use some cmdlets which require Microsoft Graph permission, you should provide MsAccessToken. An example is Get-AzureADPolicy.
Only an access token can be used here. An ID token is not supported.
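As an added example (not code from the question or the answer above), the following PowerShell wraps the call described in the answer: it reads the tenant id and UPN out of the token's own claims, refuses tokens whose audience is not the AAD Graph or Microsoft Graph resource (which is also what rejects an ID token, since an ID token's audience is the web app's client id), and rejects expired tokens before Connect-AzureAD is called. It assumes the script already holds the user's access tokens as strings, for example from an on-behalf-of exchange; the helper names are mine.

```powershell
# Added example, not part of the original question or answer. Assumes the caller already
# holds the signed-in user's access tokens (e.g. from an on-behalf-of flow) as strings.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # Base64url -> Base64: swap the URL-safe characters and restore padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Connect-AzureADWithTokens {
    param(
        [Parameter(Mandatory)][string]$AadAccessToken,   # token for the AAD Graph resource
        [string]$MsAccessToken                           # token for Microsoft Graph, optional
    )
    $aad = ConvertFrom-JwtPayload -Token $AadAccessToken
    # An ID token carries the web app's client id in 'aud', so this check also rejects
    # the ID-token misuse the answer warns about. The values below are the well-known
    # resource URI and app id of the AAD Graph API.
    $aadGraphAudiences = @('https://graph.windows.net', 'https://graph.windows.net/',
                           '00000002-0000-0000-c000-000000000000')
    if ($aad.aud -notin $aadGraphAudiences) {
        throw "AadAccessToken audience is '$($aad.aud)'; expected an AAD Graph access token"
    }
    # Reject expired tokens up front instead of letting a later cmdlet fail with a 401
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$aad.exp)
    if ($expires -le [DateTimeOffset]::UtcNow) {
        throw "AadAccessToken expired at $($expires.UtcDateTime.ToString('u'))"
    }
    if (-not $aad.upn) { throw 'AadAccessToken has no upn claim; cannot derive -AccountId' }
    $params = @{
        TenantId       = $aad.tid      # tenant the token was issued for
        AccountId      = $aad.upn      # the signed-in user's UPN
        AadAccessToken = $AadAccessToken
    }
    if ($MsAccessToken) {
        $ms = ConvertFrom-JwtPayload -Token $MsAccessToken
        # Well-known resource URI and app id of Microsoft Graph
        if ($ms.aud -notin @('https://graph.microsoft.com', 'https://graph.microsoft.com/',
                             '00000003-0000-0000-c000-000000000000')) {
            throw "MsAccessToken audience is '$($ms.aud)'; expected a Microsoft Graph access token"
        }
        $params.MsAccessToken = $MsAccessToken
    }
    Connect-AzureAD @params
}
```

The claim checks only inspect the payload; they do not replace signature validation, which the AAD module and the Graph endpoints perform when the token is used.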