The Login-AzureRmAccount PowerShell command allows you to login to your Azure account from PowerShell. However, it brings up a prompt and you have to manually type in your credentials. Obviously this is fine for development or things you are doing for one time administration. But in order to have fully automated scripts, this is one of the first pieces in the puzzle, especially when you are likely to be running these on a build server and you don’t want an account that is tied to an acual person.

Creating a service principal

You certainly don’t want to have your personal signin credentials in the script. You need a service account that has just enough permissions to run the scripts that are being run.

This is accomplished with service principal which is an instance of an application on your Active Directory which you grant access to resourcess.

1. Login to your Azure account with:
  Login-AzureRmAccount
2. Then we need to create an Active Directory application.
$displayName = "App Display Name"
$homePage = "http://YourApplicationHomePage"
$identifierUris = "http://YourApplicationUri"
$password = "APasswordHere"
$app = New-AzureRmADApplication –DisplayName $displayName –HomePage $homePage –IdentifierUris $identifierUris  –Password $password
3. Create the Service Principal

Now we need to create a service principal for that application which needs to access resources. This takes the applicationId of the application we created above.

New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId
4. Grant the Service Principal roles

You can view a list of the default roles here: https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-built-in-roles/

New-AzureRmRoleAssignment –RoleDefinitionName Contributor –ServicePrincipalName $app.ApplicationId

Authenticating using a service principal

1. Create a PSCredential object
$username = "YourUserName"
$pass = ConvertTo-SecureString "YourPassword" -AsPlainText –Force
$cred = New-Object -TypeName pscredential –ArgumentList $username, $pass
2. Get the TenantId from your subscription
$tenant = (Get-AzureRmSubscription).TenantId

Login with the credential object

Login-AzureRmAccount -Credential $cred -ServicePrincipal –TenantId $tenant

Save Token to login later

You can save the profile as a token and login with that token later. This however does expire, and typically lasts around 12 hours.

Save-AzureRmProfile -Path c:\AzureLoginToken.json

Next time you want to login, just load the Profile

Select-AzureRmProfile -Path c:\AzureLoginToken.json

Authenticating using a service principal and certificate

This will look mostly familiar to the above, except we first must generate the certificate that we are going to use and then create the AD Application with that certificate.

1. Login to Azure
Login-AzureRmAccount
2. Create certificate
$cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=exampleapp" -KeySpec KeyExchange
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
3. Create AD Application
$azureAdApplication = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -KeyValue $keyValue -KeyType AsymmetricX509Cert -EndDate $cert.NotAfter -StartDate $cert.NotBefore      
4. Create Service Principal
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
5. Assign roles to Service Principal
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId.Guid

Create Login script for certificate

1. Get Application Id
$applicationId = $azureAdApplication.ApplicationId
# Alternatively
# $applicationId = (Get-AzureRmADApplication -IdentifierUri "https://www.yourappURL.com").ApplicationId
2. Get thumbprint of the certificate
$thumbprint = $cert.Thumbprint
# Alternatively
# $thumbprint = (Get-ChildItem -Path cert:\CurrentUser\My\* -DnsName exampleapp).Thumbprint
3. Get the tenant
$tenantId = (Get-AzureRmSubscription).TenantId
4. Save file called login.ps1

This script is the login script that you will use, it contains the thumbprint, applicationId and tenantId needed to login as the newly created Service Principal.

$loginCommand = "Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint $thumbprint -ApplicationId $applicationId -TenantId $tenantId"
Add-Content 'c:\login.ps1' $loginCommand

Wrap up

Hopefully that has given you a few options and taken you through how to login non-interactively into Azure.

Script examples are on GitHub here.

Comments

About

Founded in 2009, Odity is a software consultancy based in the United Kingdom.

Social Links

Our Bunker

United Kingdom.