How to authenticate to Azure from DevOps Pipeline PowerShell task
I have worked as a System Administrator for more than 15 years now and I love to make my life easier by automating work & personal stuff via PowerShell (even silly things like food recipes list generation).
We have a repository where Azure Automation Runbooks are stored and we wanted to automatically publish every new version into the Azure Automation Resource account.
Azure Pipeline was an obvious solution. Still, it took me some time to figure out how to authenticate to an Azure Resource from the Pipeline PowerShell task (not the same thing as the Azure PowerShell task!). The solution to this problem was mentioned at https://bzzzt.io/post/2021-02/2021-02-28-powershell-login-az so kudos to that author!
Btw I couldn't use the Azure Automation built-in Source Code feature because all our accounts use MFA, so PAT cannot be used for authentication. Also, I couldn't use the Azure PowerShell pipeline task (which is authenticated to Azure by default), because I needed access to committed repository files so I could upload them to our Runbook.
Solution
The solution to the problem "how to authenticate to Azure from Pipeline PowerShell task" is to leverage the possibility to export credentials used in the Azure PowerShell task, so they can be used later in the following tasks.
A working solution can then look like a DevOps Pipeline with 3 tasks:
1. Azure CLI task for Connecting to Azure and exporting credentials for later use
2. PowerShell task for Connecting to Azure using exported credentials and getting an authentication token for Graph
3. Azure CLI task for Disconnecting from Azure
Prerequisites
Before we begin, we have to create a Service Connection (the account that will be used to make a connection to Azure Resources).
For my use case, I use Azure Resource Manager.

Connecting to Azure and exporting credentials for later use
In the picture below you can see that we are creating an Azure CLI task that runs shell code to export the credentials and tenantID as variables, which we will use later in the following PowerShell task for connecting to Azure.
For this to work, you have to enable the "Access service principal details in script" option.
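The shell code of this first task is only referenced as a picture, so here is an added example (not the author's script) of what such an inline script can look like. It assumes the task exposes servicePrincipalId, servicePrincipalKey and tenantId once the option above is enabled, and it writes them to the SPID, SPKEY and TID variables read by the PowerShell task on this page; the function name export_sp_credentials is made up for this example.

```shell
#!/bin/sh
# Added example: inline script for the first Azure CLI task.
# Assumption: "Access service principal details in script" is enabled, so the
# task provides servicePrincipalId, servicePrincipalKey and tenantId.
# SPID, SPKEY and TID are the variable names used by the PowerShell task.

export_sp_credentials() {
  # Fail early instead of exporting empty values that would only surface
  # later as a confusing Connect-AzAccount error.
  for name in servicePrincipalId servicePrincipalKey tenantId; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: $name is empty; is 'Access service principal details in script' enabled?" >&2
      return 1
    fi
  done

  # printf '%s\n' writes the value verbatim; echo may interpret backslashes
  # in the secret on some shells.
  printf '%s\n' "##vso[task.setvariable variable=SPID]$servicePrincipalId"
  printf '%s\n' "##vso[task.setvariable variable=TID]$tenantId"
  # issecret=true stores the key as a secret variable and masks it in logs.
  # Secret variables are not exposed to later scripts automatically, so the
  # PowerShell task has to map SPKEY into its environment explicitly.
  printf '%s\n' "##vso[task.setvariable variable=SPKEY;issecret=true]$servicePrincipalKey"
}

# TF_BUILD is set by the pipeline agent; outside a pipeline nothing is emitted.
if [ -n "${TF_BUILD:-}" ]; then
  export_sp_credentials
fi
```

Because SPKEY is stored as a secret, add it to the Environment Variables of the PowerShell task (SPKEY mapped to `$(SPKEY)`) so that `${env:SPKEY}` resolves there. SPID and TID are identifiers rather than secrets and are passed on as ordinary variables.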
Connecting to Azure using exported credentials and getting an authentication token for Graph
Now that we have credentials for connecting to Azure, we will use them.

This is where the magic happens. We use variables defined in the first task for making a connection to Azure.
"Installing Az.Accounts module"
Install-Module Az.Accounts -Force
"Connecting to Azure"
$credential = New-Object System.Management.Automation.PSCredential ("${env:SPID}", (ConvertTo-SecureString ${env:SPKEY} -AsPlainText -Force))
Connect-AzAccount -Credential $Credential -Tenant ${env:TID} -ServicePrincipal
Disconnecting from Azure
In the last task we just disconnect our Azure connection.






