Tim Microsoft Cloud Solution Architect

Connection Methods for Azure

The different Connection Methods

Warning: Please remember that some of these methods will not work because of MFA interactions.

Tested: PowerShell 5 and PowerShell 7

Table of Contents

  1. Connect-AzAccount
  2. Connect-AzureAD
  3. Connect-MgGraph
  4. RESTful API (Graph + Azure)

Connect-AzAccount

Connection via UserName + Password

# Build a PSCredential from the user name and password
$User = "marta.musterfrau@contoso.com"
$PWord = ConvertTo-SecureString -String "v3ry5tr0n9P@sSwOrd" -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzAccount -Credential $Credentials

Connection via Service Principal + Client Secret

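$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
$ClientSecret = 'SuperStrongSecret'
# PSCredential requires the secret as a SecureString
$SecureSecret = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecureSecret
Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential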

Connection via Service Principal + Certificate Thumbprint

$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal

Connect-AzureAD

Connection via UserName + Password

# Build a PSCredential from the user name and password
$User = "marta.musterfrau@contoso.com"
$PWord = ConvertTo-SecureString -String "v3ry5tr0n9P@sSwOrd" -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzureAD -Credential $Credentials

Connection via Service Principal + Client Secret

$ApplicationId = '00000000-0000-0000-0000-00000000'
$ClientSecret = 'SuperStrongSecret'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'

# Sign in to Azure as the service principal; PSCredential needs the secret as a SecureString
$azurePassword = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($ApplicationId, $azurePassword)
Connect-AzAccount -Credential $psCred -TenantId $TenantId -ServicePrincipal
# Request a token for the Azure AD Graph resource from the current Az context and hand it to Connect-AzureAD
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id

Connection via Service Principal + Certificate Thumbprint

$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
Connect-AzureAD -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenantid $TenantId

Connect-MgGraph

Connection via UserName + Password

Connect-MgGraph does not provide a programmatic way to pass credentials, so an access token has to be fetched via Connect-AzAccount first.

$User = "marta.musterfrau@contoso.com"
$PWord = ConvertTo-SecureString -String "v3ry5tr0n9P@sSwOrd" -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzAccount -Credential $Credentials

# Request a Microsoft Graph token from the current Az context
$contextForMSGraphToken = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext

$newBearerAccessTokenRequest = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($contextForMSGraphToken.Account, $contextForMSGraphToken.Environment, $contextForMSGraphToken.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com")

$AccessToken = $newBearerAccessTokenRequest.AccessToken

# Note: Microsoft.Graph SDK 2.x expects -AccessToken as a SecureString
Connect-MgGraph -AccessToken $AccessToken

Connection via Service Principal + Client Secret

$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
$ClientSecret = 'SuperStrongSecret'

# OAuth 2.0 client credentials request for Microsoft Graph
$body = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $ApplicationId
    Client_Secret = $ClientSecret
}

$connection = Invoke-RestMethod `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Method POST `
    -Body $body

$token = $connection.access_token

# Note: Microsoft.Graph SDK 2.x expects -AccessToken as a SecureString
Connect-MgGraph -AccessToken $token

Connection via Service Principal + Certificate Thumbprint

$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
 
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateThumbprint $Thumbprint

RESTful API (Graph + Azure)

As an example, connect to Graph and GET my profile information.

Connection via UserName + Password

$Url = 'https://graph.microsoft.com/beta/me'

$User = "marta.musterfrau@contoso.com"
$PWord = ConvertTo-SecureString -String "v3ry5tr0n9P@sSwOrd" -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzAccount -Credential $Credentials

# Request a Microsoft Graph token from the current Az context
$contextForMSGraphToken = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext

$newBearerAccessTokenRequest = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($contextForMSGraphToken.Account, $contextForMSGraphToken.Environment, $contextForMSGraphToken.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com")

$AccessToken = $newBearerAccessTokenRequest.AccessToken
# Call Graph with the token as a Bearer header
$meProfile = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $Url -Method Get

Connection via Service Principal + Client Secret

# Note: /me requires a delegated (user) token; with an app-only token, request /users/<id> instead
$Url = 'https://graph.microsoft.com/beta/me'

$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
$ClientSecret = 'SuperStrongSecret'

# OAuth 2.0 client credentials request for Microsoft Graph
$body =  @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $ApplicationId
    Client_Secret = $ClientSecret
}

$connection = Invoke-RestMethod `
    -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token `
    -Method POST `
    -Body $body
$AccessToken = $connection.access_token

$meProfile = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $Url -Method Get

Connection via Service Principal + Certificate Thumbprint

# Note: /me requires a delegated (user) token; with an app-only token, request /users/<id> instead
$Url = 'https://graph.microsoft.com/beta/me'

$Thumbprint = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
$TenantId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
$ApplicationId = '00000000-0000-0000-0000-00000000'
Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal

# Request a Microsoft Graph token from the current Az context
$contextForMSGraphToken = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext

$newBearerAccessTokenRequest = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($contextForMSGraphToken.Account, $contextForMSGraphToken.Environment, $contextForMSGraphToken.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com")

$AccessToken = $newBearerAccessTokenRequest.AccessToken

$meProfile = Invoke-RestMethod -Headers @{Authorization = "Bearer $AccessToken"} -Uri $Url -Method Get
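
To check what a token returned by any of the methods above actually grants (delegated or app-only, which audience, when it expires), its payload can be decoded locally. This is an added example, not code from the original post: Get-JwtClaims, Get-TokenSummary and ConvertTo-Base64Url are hypothetical helper names, the claim names are the standard Microsoft Entra ID access-token claims, and the sample token is constructed with placeholder values.

```powershell
# Added example: decode (not validate) an access token to see what it grants.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated JWT parts, got $($parts.Count)." }
    # base64url -> base64, then restore the stripped padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        1 { throw 'Invalid base64url length in JWT payload.' }
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-TokenSummary {
    param([Parameter(Mandatory)][string]$Token)
    $claims  = Get-JwtClaims -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience   = $claims.aud
        TenantId   = $claims.tid
        AppId      = $claims.appid
        # Delegated (user) tokens carry 'scp'; app-only tokens carry 'roles'
        TokenType  = if ($claims.scp) { 'Delegated' } elseif ($claims.roles) { 'AppOnly' } else { 'Unknown' }
        Grants     = if ($claims.scp) { $claims.scp -split ' ' } else { @($claims.roles) }
        ExpiresUtc = $expires.UtcDateTime
        Expired    = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample: unsigned token with placeholder values, shaped like an app-only Graph token
$samplePayload = @{
    aud = 'https://graph.microsoft.com'; tid = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy'
    appid = '00000000-0000-0000-0000-00000000'; roles = @('User.Read.All'); exp = 1893456000
} | ConvertTo-Json -Compress
$sampleToken = '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $samplePayload)
Get-TokenSummary -Token $sampleToken
```

Pass `$AccessToken` or `$token` from any snippet above in place of `$sampleToken`. The signature is not verified, so the output is for troubleshooting only and not for authorization decisions.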