Azure AD PowerShell Modern Auth
Hello,
Microsoft is retiring basic authentication: Exchange Online was due to lose it this summer (that date has since changed), and other services should follow. Let's be proactive and start using modern authentication for AzureAD as well.
One of the benefits of using modern authentication unattended is that you do not need to store a password to connect. You just use a certificate, securely stored in the personal store of the service account.
Managing scheduled tasks is much easier with this approach.
I wrote a previous article about this process for other services:
The process for AzureAD is very similar, as you can see:
Register an AzureAD application


Create the certificate that will hold the keys
# Friendly name and lifetime of the self-signed certificate (two years here)
$DisplayName = "AzureADAutomation PowerShell Client Credentials"
$NotAfter = $(Get-Date).AddYears(2)
# Create the key pair in the service account's personal store; the DnsName becomes the subject CN
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName AzureADAutomation.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
# Export the public part (.cer); this is the file you upload to the AzureAD application
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
# Export the private key (.pfx) as a password-protected backup; keep this file out of reach
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password ("123+aze" | ConvertTo-SecureString -Force -AsPlainText)

Install AzureAD Module
Now that your AzureAD application is ready, you can use it to connect to AzureAD with Connect-AzureAD. You will need to install the module if you don't already have it:
Find-Module AzureAD | Install-Module -Scope CurrentUser
Then you can connect:
# Application (client) ID and Directory (tenant) ID of the AzureAD application
$ClientID = '640eece4-d7f7-4f36-af04-73657752eb82'
$TenantID = 'a15187b2-ee02-43a3-91ec-134dcc716852'
# Look up the certificate created earlier by its issuer (self-signed, so issuer = subject)
$CertificateThumbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Issuer -eq 'CN=AzureADAutomation.microsoft.com'} | Select-Object -ExpandProperty Thumbprint
Connect-AzureAD -CertificateThumbprint $CertificateThumbprint -ApplicationId $ClientID -TenantId $TenantID
You can find both GUIDs on the "Overview" blade of your AzureAD application.
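For a scheduled task, the connection step above works better wrapped in a helper that checks the certificate before using it. The function below is an added example, not code from the original post: it picks a certificate that still has its private key and has not expired, warns when it is close to expiry so it can be rotated and re-uploaded, and then calls Connect-AzureAD. The client and tenant IDs in the usage line are placeholders.

```powershell
# Added example: validated certificate-based Connect-AzureAD for unattended use.
function Connect-AzureADWithCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        # Subject CN of the certificate created with New-SelfSignedCertificate
        [string] $SubjectName = 'CN=AzureADAutomation.microsoft.com',
        # Warn this many days before expiry so the certificate can be rotated in time
        [int] $RenewalWarningDays = 30
    )

    # Only consider certificates that carry a private key and are still valid;
    # prefer the one expiring last in case an older, rotated copy is still in the store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        throw "No valid certificate with subject '$SubjectName' and a private key found in Cert:\CurrentUser\My."
    }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -le $RenewalWarningDays) {
        Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft day(s); create a new one and upload its .cer to the application."
    }

    Write-Verbose "Connecting with certificate $($cert.Thumbprint) (valid until $($cert.NotAfter))."
    # -ErrorAction Stop makes a failed sign-in terminate the task instead of continuing unauthenticated
    Connect-AzureAD -CertificateThumbprint $cert.Thumbprint -ApplicationId $ClientId -TenantId $TenantId -ErrorAction Stop
}

# Usage from a scheduled task running as the service account (placeholder IDs):
# Connect-AzureADWithCertificate -ClientId '<application-id>' -TenantId '<tenant-id>' -Verbose
```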

Depending on what you want to do with your application, you need to grant it some permissions. You can add your application to AzureAD groups that grant the required permissions.