
Connecting to Azure

If you're just joining us, this post is part of a series on Getting Started with PowerShell. If you'd like to catch up (or skip ahead), click on the appropriate post below.

Getting Started with PowerShell
Windows PowerShell, PowerShell Core and PowerShell: Huh?
Installing PowerShell and Visual Studio Code
Running PowerShell Commands and Getting Help
Working with the PowerShell Pipeline
Writing your First PowerShell Script
Understanding Loops in PowerShell
Using PowerShell Modules

You've got some PowerShell skills, an Azure subscription and a mad hankering to automate some boring stuff. You're in luck. For this article in our Getting Started with PowerShell series, we're going to take the skills you've learned so far and actually do something useful with them: authenticate to Azure.

Authenticating to Azure with PowerShell is the first step you must take before you can do much of anything. Just like with the Azure portal, you must first provide some kind of credentials.

Assuming you already have the Az module installed and a PowerShell console up, let's get started understanding how Azure authentication works in PowerShell and how to do it.

What Cmdlet do I Use?

If you've searched online for "how to connect to Azure with PowerShell", you've probably come across blog articles and forum posts that demonstrate connecting with seemingly three different cmdlets.

  • Login-AzAccount

  • Add-AzAccount

  • Connect-AzAccount

Don't fret. You don't have to memorize all three commands. Actually, you just need one - Connect-AzAccount. This is the actual cmdlet. Login-AzAccount and Add-AzAccount are both PowerShell aliases for it. All three commands are actually just one.

When in doubt, just use Connect-AzAccount.

Authenticating with Connect-AzAccount

There are lots of ways to authenticate to Azure using Connect-AzAccount. How you choose to do so depends on the context in which your PowerShell script is running.

There are currently five ways to authenticate to Azure with PowerShell:

In this article, you're going to learn the two most common methods - interactively using a username/password and using a service principal.

Connecting Interactively

If you're managing Azure vs. automating Azure, you're probably going to be connecting interactively using a username and password. Managing Azure resources via the command-line lends itself to more of an interactive approach vs. automating actions with scripts.

Connecting to Azure interactively is the simplest way as it does not require any extra setup in Azure. To authenticate, you simply need a Microsoft or Azure AD account.

Assuming you're using PowerShell (Core), you will receive a message like below asking you to visit a web page and enter a code.

Navigate to the URL in the message and provide the account you'd like to authenticate with.

Once authenticated, head back to the PowerShell console. You should now have access to begin typing commands again.

If you have more than one Azure subscription or tenant, be sure to use the Tenant and Subscription parameters with Connect-AzAccount. If not, you may authenticate to an unexpected subscription or tenant.

You should now be connected to Azure. To verify, run Get-AzContext. This command reads the current Azure context saved on your local system and returns the subscription you're currently connected to.

Connecting with a Service Principal

If you need to connect to Azure in a script or other automation routine, the last thing you want is the script stopping and telling you to go to a webpage. The connection needs to be seamless and require no human intervention. You need to connect with a service principal.

A service principal is a common object in Azure that represents an identity. The service principal is a tightly-controlled entity that allows admins to lock down access in a much more controlled fashion than a user account.

The concept of a service principal and how to create one is out of the scope for this article. If you need help creating a service principal, you'll find an excellent resource in this Microsoft doc how-to article.

Once you have an Azure AD application and service principal created, you can then use the ServicePrincipal and Credential parameters to connect with Connect-AzAccount.

The PSCredential, in this instance, will not hold a user's username and password. Instead, the username will be the service principal's associated application ID and the password will be the service principal secret.

You'll first need the Azure AD application ID. You can find that by providing the name of the application to the Get-AzADApplication cmdlet. You'll need the ApplicationId.

Get-AzADApplication -DisplayName 'your_app_name'

Next, you'll need the service principal secret. If you don't currently have yours, you'll have to create a new one in the Azure portal or via some other means like the Azure CLI or PowerShell.

When you have both the application ID and service principal secret, then create a PSCredential object providing the username (application ID) and password (secret).

$credential = Get-Credential

If you'd like to create a PSCredential object without typing in the username and password, learn how here.

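Finally, pass the credential to the Credential parameter and use the ServicePrincipal parameter to tell Connect-AzAccount that you're providing a service principal and not a Microsoft account. A service principal login also requires the Tenant parameter, so provide the ID of the tenant the service principal belongs to.

Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant 'your_tenant_id'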
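For a script that must run with no prompt at all, the service principal steps above can be combined with the tenant and subscription check from the interactive section. This is an added example, not code from the original article; the function name Connect-AzureAutomation and the environment variable names AZ_SP_APP_ID and AZ_SP_SECRET are assumptions chosen for illustration.

```powershell
# Added example. Connect-AzureAutomation, AZ_SP_APP_ID and AZ_SP_SECRET are
# hypothetical names; supply the values from your own secret store or pipeline.
function Connect-AzureAutomation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    # Read the application ID and secret from the process environment so that
    # neither value is hard-coded in the script or typed at a prompt.
    $appId  = $env:AZ_SP_APP_ID
    $secret = $env:AZ_SP_SECRET
    if ([string]::IsNullOrWhiteSpace($appId) -or [string]::IsNullOrWhiteSpace($secret)) {
        throw 'AZ_SP_APP_ID and AZ_SP_SECRET must both be set.'
    }

    # Build the PSCredential: username = application ID, password = secret.
    $secureSecret = ConvertTo-SecureString -String $secret -AsPlainText -Force
    $credential   = [System.Management.Automation.PSCredential]::new($appId, $secureSecret)

    # -Scope Process keeps the login in this PowerShell process only instead of
    # saving the context to the user profile on disk.
    $null = Connect-AzAccount -ServicePrincipal -Credential $credential `
        -Tenant $TenantId -Subscription $SubscriptionId `
        -Scope Process -ErrorAction Stop

    # Verify that the session landed where it was meant to before doing any work.
    $context = Get-AzContext
    if ($context.Tenant.Id -ne $TenantId -or
        $context.Subscription.Id -ne $SubscriptionId) {
        $null = Disconnect-AzAccount -Scope Process
        throw "Unexpected context: tenant '$($context.Tenant.Id)', subscription '$($context.Subscription.Id)'."
    }

    # Return the verified context so the caller can log which identity is in use.
    $context
}

# Usage (placeholder IDs):
# Connect-AzureAutomation -TenantId 'your_tenant_id' -SubscriptionId 'your_subscription_id'
```

The function throws rather than continuing when the context does not match, so a script that follows it never runs against a tenant or subscription other than the one requested.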

Summary

Once you have all of the necessary information from Azure, you can use the Connect-AzAccount cmdlet to connect to Azure. You can connect to Azure with PowerShell a few different ways. How you choose to do so depends on the context the connection is happening in.

If you'd like to manage Azure resources interactively via the command-line, authenticating interactively is the easiest method. But if you're connecting to Azure in an automated PowerShell script, consider creating an Azure service principal and connecting that way.