azure-powershell
Is there a way that Connect-AzAccount take Certificate object in memory to do the authentication?
Description
Currently I can only find that Connect-AzAccount accepts a thumbprint as the parameter for client certificate authentication, which implies the user needs to add the certificate to the cert store before calling Connect-AzAccount. I am looking for an option where Connect-AzAccount takes a certificate object in memory to do the authentication, without the need to add it to the cert store.
Steps to reproduce
```powershell
# Fetch the certificate from Key Vault. Note that the .Certificate property returned by
# Get-AzKeyVaultCertificate carries only the public part of the certificate (no private key).
$kvcert = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $SPNID
$certificate = $kvcert.Certificate
$thumbprint = $certificate.Thumbprint
# Work around the thumbprint-only parameter by placing the certificate in CurrentUser\My.
$store = Get-Item "Cert:\CurrentUser\My"
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($certificate)
$store.Close()
Connect-AzAccount -CertificateThumbprint $thumbprint -ApplicationId $SPNID -Tenant $TenantID -ServicePrincipal -Environment $AzureEnvironmentName
```
Environment data
Name Value
---- -----
PSVersion 6.2.0
PSEdition Core
GitCommitId 6.2.0
OS Microsoft Windows 10.0.18894
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
Directory: C:\Users\yawang\Documents\PowerShell\Modules
ModuleType Version Name PSEdition ExportedCommands
---------- ------- ---- --------- ----------------
Script 1.8.0 Az Core,Desk
Script 1.5.1 Az.Accounts Core,Desk {Disable-AzDataCollection, Disable-AzContextAutosa…
Script 1.0.1 Az.Aks Core,Desk {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAksC…
Script 1.1.0 Az.AnalysisServices Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnalys…
Script 1.0.0 Az.ApiManagement Core,Desk {Add-AzApiManagementRegion, Get-AzApiManagementSso…
Script 1.0.0 Az.ApplicationInsights Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsig…
Script 1.2.1 Az.Automation Core,Desk {Get-AzAutomationHybridWorkerGroup, Remove-AzAutom…
Script 1.1.0 Az.Batch Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-Az…
Script 1.0.0 Az.Billing Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-Az…
Script 1.2.0 Az.Cdn Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzC…
Script 1.1.0 Az.CognitiveServices Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveSe…
Script 1.8.0 Az.Compute Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, …
Script 1.0.1 Az.ContainerInstance Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remov…
Script 1.0.1 Az.ContainerRegistry Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry,…
Script 1.1.1 Az.DataFactory Core,Desk {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-…
Script 1.0.0 Az.DataLakeAnalytics Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLake…
Script 1.2.0 Az.DataLakeStore Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDa…
Script 1.0.0 Az.DevTestLabs Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutd…
Script 1.0.0 Az.Dns Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove…
Script 1.1.1 Az.EventGrid Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-A…
Script 1.1.0 Az.EventHub Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace,…
Script 1.1.0 Az.HDInsight Core,Desk {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefini…
Script 1.1.0 Az.IotHub Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGrou…
Script 1.2.0 Az.KeyVault Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCerti…
Script 1.2.1 Az.LogicApp Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegrat…
Script 1.1.0 Az.MachineLearning Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitmen…
Script 1.0.0 Az.MarketplaceOrdering Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script 1.1.0 Az.Media Core,Desk {Sync-AzMediaServiceStorageKey, Set-AzMediaService…
Script 1.1.0 Az.Monitor Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLo…
Script 1.7.0 Az.Network Core,Desk {Add-AzApplicationGatewayAuthenticationCertificate…
Script 1.1.0 Az.NotificationHubs Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAutho…
Script 1.2.0 Az.OperationalInsights Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSour…
Script 1.0.0 Az.PolicyInsights Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolic…
Script 1.1.0 Az.PowerBIEmbedded Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerB…
Script 1.3.0 Az.RecoveryServices Core,Desk {Get-AzRecoveryServicesBackupProperty, Get-AzRecov…
Script 1.1.0 Az.RedisCache Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCach…
Script 1.0.0 Az.Relay Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-A…
Script 1.3.1 Az.Resources Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment,…
Script 1.0.0 Az.ServiceBus Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNamesp…
Script 1.0.1 Az.ServiceFabric Core,Desk {Add-AzServiceFabricApplicationCertificate, Add-Az…
Script 1.0.2 Az.SignalR Core,Desk {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, N…
Script 1.9.0 Az.Sql Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-A…
Script 1.2.0 Az.Storage Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, Ne…
Script 1.0.0 Az.StreamAnalytics Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyt…
Script 1.0.1 Az.TrafficManager Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remov…
Script 1.2.0 Az.Websites Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-A…
Manifest 2.0.2 AzTable Desk {Add-AzTableRow, Get-AzTableRow, Get-AzTableRowAll…
Directory: C:\program files\powershell\6\Modules
ModuleType Version Name PSEdition ExportedCommands
---------- ------- ---- --------- ----------------
Manifest 6.1.0.0 CimCmdlets Core {Get-CimAssociatedInstance, Get-CimClass, Get-CimI…
Manifest 1.2.2.0 Microsoft.PowerShell.Archive Desk {Compress-Archive, Expand-Archive}
Manifest 6.1.0.0 Microsoft.PowerShell.Diagnostics Core {Get-WinEvent, New-WinEvent}
Manifest 6.1.0.0 Microsoft.PowerShell.Host Core {Start-Transcript, Stop-Transcript}
Manifest 6.1.0.0 Microsoft.PowerShell.Management Core {Add-Content, Clear-Content, Clear-ItemProperty, J…
Manifest 6.1.0.0 Microsoft.PowerShell.Security Core {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credent…
Manifest 6.1.0.0 Microsoft.PowerShell.Utility Core {Export-Alias, Get-Alias, Import-Alias, New-Alias…}
Manifest 6.1.0.0 Microsoft.WSMan.Management Core {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WS…
Script 1.3.1 PackageManagement Desk {Find-Package, Get-Package, Get-PackageProvider, G…
Script 2.1.2 PowerShellGet Desk {Find-Command, Find-DSCResource, Find-Module, Find…
Script 0.0 PSDesiredStateConfiguration Desk {Generate-VersionInfo, IsHiddenResource, ImportCim…
Script 6.1.0.0 PSDiagnostics Core {Disable-PSTrace, Disable-PSWSManCombinedTrace, Di…
Script 2.0.0 PSReadLine Desk {Get-PSReadLineKeyHandler, Set-PSReadLineKeyHandle…
Binary 1.1.2 ThreadJob Desk Start-ThreadJob
Directory: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
ModuleType Version Name PSEdition ExportedCommands
---------- ------- ---- --------- ----------------
Manifest 1.0.0.0 AppBackgroundTask Core,Desk {Disable-AppBackgroundTaskDiagnosticLog, Enable-Ap…
Manifest 2.0.1.0 Appx Core,Desk {Add-AppxPackage, Get-AppxPackage, Get-AppxPackage…
Script 1.0.0.0 AssignedAccess Core,Desk {Clear-AssignedAccess, Get-AssignedAccess, Set-Ass…
Manifest 1.0.0.0 BitLocker Core,Desk {Unlock-BitLocker, Suspend-BitLocker, Resume-BitLo…
Manifest 1.0.0.0 BranchCache Core,Desk {Add-BCDataCacheExtension, Clear-BCCache, Disable-…
Manifest 1.0 Defender Core,Desk {Get-MpPreference, Set-MpPreference, Add-MpPrefere…
Manifest 1.0.2.0 DeliveryOptimization Core,Desk {Delete-DeliveryOptimizationCache, Get-DeliveryOpt…
Manifest 1.0.0.0 DirectAccessClientComponents Core,Desk {Disable-DAManualEntryPointSelection, Enable-DAMan…
Script 3.0 Dism Core,Desk {Add-AppxProvisionedPackage, Add-WindowsDriver, Ad…
Manifest 1.0.0.0 DnsClient Core,Desk {Resolve-DnsName, Clear-DnsClientCache, Get-DnsCli…
Manifest 1.0.0.0 EventTracingManagement Core,Desk {Start-EtwTraceSession, New-EtwTraceSession, Get-E…
Manifest 2.0.0.0 International Core,Desk {Get-WinDefaultInputMethodOverride, Set-WinDefault…
Manifest 3.0.0.0 Microsoft.PowerShell.Diagnostics Core,Desk {Get-WinEvent, Get-Counter, Import-Counter, Export…
Manifest 1.0.0.0 Microsoft.PowerShell.LocalAccounts Core,Desk {Add-LocalGroupMember, Disable-LocalUser, Enable-L…
Manifest 3.1.0.0 Microsoft.PowerShell.Management Core,Desk {Add-Content, Clear-Content, Clear-ItemProperty, J…
Manifest 1.0 MMAgent Core,Desk {Disable-MMAgent, Enable-MMAgent, Set-MMAgent, Get…
Manifest 2.0.0.0 NetAdapter Core,Desk {Disable-NetAdapter, Disable-NetAdapterBinding, Di…
Manifest 1.0.0.0 NetConnection Core,Desk {Get-NetConnectionProfile, Set-NetConnectionProfil…
Manifest 1.0.0.0 NetEventPacketCapture Core,Desk {New-NetEventSession, Remove-NetEventSession, Get-…
Manifest 2.0.0.0 NetLbfo Core,Desk {Add-NetLbfoTeamMember, Add-NetLbfoTeamNic, Get-Ne…
Manifest 1.0.0.0 NetNat Core,Desk {Get-NetNat, Get-NetNatExternalAddress, Get-NetNat…
Manifest 2.0.0.0 NetQos Core,Desk {Get-NetQosPolicy, Set-NetQosPolicy, Remove-NetQos…
Manifest 2.0.0.0 NetSecurity Core,Desk {Get-DAPolicyChange, New-NetIPsecAuthProposal, New…
Manifest 1.0.0.0 NetSwitchTeam Core,Desk {New-NetSwitchTeam, Remove-NetSwitchTeam, Get-NetS…
Manifest 1.0.0.0 NetTCPIP Core,Desk {Get-NetIPAddress, Get-NetIPInterface, Get-NetIPv4…
Manifest 1.0.0.0 NetworkConnectivityStatus Core,Desk {Get-DAConnectionStatus, Get-NCSIPolicyConfigurati…
Manifest 1.0.0.0 NetworkSwitchManager Core,Desk {Disable-NetworkSwitchEthernetPort, Enable-Network…
Manifest 1.0.0.0 NetworkTransition Core,Desk {Add-NetIPHttpsCertBinding, Disable-NetDnsTransiti…
Manifest 1.0.0.0 PcsvDevice Core,Desk {Get-PcsvDevice, Start-PcsvDevice, Stop-PcsvDevice…
Manifest 1.0.0.0 PnpDevice Core,Desk {Get-PnpDevice, Get-PnpDeviceProperty, Enable-PnpD…
Manifest 1.1 PrintManagement Core,Desk {Add-Printer, Add-PrinterDriver, Add-PrinterPort, …
Binary 1.0.11 ProcessMitigations Core,Desk {Get-ProcessMitigation, Set-ProcessMitigation, Con…
Manifest 1.0.0.0 ScheduledTasks Core,Desk {Get-ScheduledTask, Set-ScheduledTask, Register-Sc…
Manifest 2.0.0.0 SecureBoot Core,Desk {Confirm-SecureBootUEFI, Set-SecureBootUEFI, Get-S…
Manifest 2.0.0.0 SmbShare Core,Desk {Get-SmbShare, Remove-SmbShare, Set-SmbShare, Bloc…
Manifest 2.0.0.0 SmbWitness Core,Desk {Get-SmbWitnessClient, Move-SmbWitnessClient, gsmb…
Manifest 1.0.0.0 StartLayout Core,Desk {Export-StartLayout, Import-StartLayout, Export-St…
Manifest 2.0.0.0 Storage Core,Desk {Add-InitiatorIdToMaskingSet, Add-PartitionAccessP…
Manifest 1.0.0.0 TroubleshootingPack Core,Desk {Get-TroubleshootingPack, Invoke-TroubleshootingPa…
Manifest 2.0.0.0 TrustedPlatformModule Core,Desk {Get-Tpm, Initialize-Tpm, Clear-Tpm, Unblock-Tpm…}
Binary 2.1.639.0 UEV Core,Desk
Manifest 2.0.0.0 VpnClient Core,Desk {Add-VpnConnection, Set-VpnConnection, Remove-VpnC…
Manifest 1.0.0.0 Wdac Core,Desk {Get-OdbcDriver, Set-OdbcDriver, Get-OdbcDsn, Add-…
Manifest 2.0.0.0 Whea Core,Desk {Get-WheaMemoryPolicy, Set-WheaMemoryPolicy}
Manifest 1.0.0.0 WindowsDeveloperLicense Core,Desk {Get-WindowsDeveloperLicense, Unregister-WindowsDe…
Script 1.0 WindowsErrorReporting Core,Desk {Enable-WindowsErrorReporting, Disable-WindowsErro…
Manifest 1.0.0.0 WindowsSearch Core,Desk {Get-WindowsSearchSetting, Set-WindowsSearchSettin…
Manifest 1.0.0.0 WindowsUpdate Core,Desk Get-WindowsUpdateLog
Manifest 1.0.0.2 WindowsUpdateProvider Core,Desk {Get-WUAVersion, Get-WULastInstallationDate, Get-W…
@bingbing8 Would you prefer being able to use an X509Certificate2 object, a base64-encoded byte stream (like a PEM file), provide a certificate file, or something else?
@markcowl, I would like a way to use an X509Certificate2 object in memory. This is usage from a PowerShell function app in a consumption plan. Saving to a file requires a file path in the sandbox, so it is not preferred. Something like:
```powershell
$kvcert = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $SPNID
$certificate = $kvcert.Certificate
Connect-AzAccount -CertificateObject $certificate -ApplicationId $SPNID -Tenant $TenantID -ServicePrincipal -Environment $AzureEnvironmentName
```
@bingbing8, @markcowl. Great idea! This would also make it easier to connect using certificates stored in an Azure Automation account from Hybrid Runbook Worker machines (as, apparently, Connect-AzAccount cannot find a certificate by its thumbprint when executed outside of Azure):
```powershell
$servicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
$servicePrincipalCertificate = Get-AutomationCertificate -Name 'AzureRunAsCertificate'
$connectionResult = Connect-AzAccount -Tenant $servicePrincipalConnection.TenantID `
    -ApplicationId $servicePrincipalConnection.ApplicationID `
    -CertificateObject $servicePrincipalCertificate `
    -ServicePrincipal
```
Any movement on this?
Would love to have child runbooks be able to execute on hybrid workers from certs issued by our internal CA.
@dingmeng-xue @dcaro I think we need to evaluate this issue again.
I prefer to consider it after we integrate with MSAL. We need to verify whether MSAL supports this approach.
I would also like to see this, and I've opened a suggestion ticket here:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/42849189-allow-connect-azaccount-serviceprincipal-to-use
Edit, Updated link: https://feedback.azure.com/d365community/idea/0ee4f121-b325-ec11-b6e6-000d3a4f0789
We are working on subject name and issuer authentication. This feature will be available together.
Ignore this; we need to consider it further because of the comment below.
All authentication approaches used by Azure PowerShell require persisting information to disk. For instance, we need to store the value of the thumbprint as part of the AzureAccount information in AzureRmContext.json. This allows the user to avoid calling Connect-AzAccount again, and the credential can be shared among processes.
I believe this requirement does not expect the cert to be persisted, such as encoding the cert in base64 and storing it in AzureRmContext.json. Please confirm our understanding.
This would be especially useful when using Azure Functions and service principal with certificate stored in Keyvault. The use of certificates is preferable to passwords.
I would really like to see this functionality! Are there any updates on this?
@bingbing8 were you able to find a suitable solution to this problem?
> This would be especially useful when using Azure Functions and a service principal with the certificate stored in Key Vault. The use of certificates is preferable to passwords.

How can the script access Key Vault?
We are still waiting for someone to explain the whole scenario and how to handle the question about cert persistence.
> This would be especially useful when using Azure Functions and a service principal with the certificate stored in Key Vault. The use of certificates is preferable to passwords.

> How can the script access Key Vault?

You could connect to the Key Vault using managed identity, get the certificate, and then use this certificate (which is now in memory) to connect to another tenant via Connect-AzAccount. Sadly, this isn't possible with Connect-AzAccount, and storing the certificate in the local store isn't as secure as using a Key Vault.
> We are still waiting for someone to explain the whole scenario and how to handle the question about cert persistence.

I've explained it in my comment above. We need this for multitenant scenarios where we've fetched the certificate from the Key Vault via managed identity and need to connect to other tenants using the certificate object.
Similarly, for Azure Automation, a certificate can be loaded into memory from the Azure Automation certificate store as follows:
```powershell
$Certificate = Get-AutomationCertificate -Name 'CertificateResourceName'
```
As a result, you get an object of type X509Certificate2 in the $Certificate variable.
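The workaround that the steps to reproduce in the original post and the Key Vault / Azure Automation comments above are circling, written out as an added example (this is not code from the azure-powershell project or from any commenter): take an X509Certificate2 that exists only in memory, stage it in CurrentUser\My just long enough for Connect-AzAccount -CertificateThumbprint to find it, and remove it again in a finally block, with context autosave disabled so the thumbprint is never written to AzureRmContext.json. The vault name kv-example, certificate name spn-cert, the application and tenant ids, and the assumption that the Key Vault certificate uses the default PKCS#12 content type (so its backing secret is a base64 PFX) are all illustrative. It needs Az.Accounts and Az.KeyVault 3.0 or later (for -AsPlainText).

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault
# Added example; names, ids and the vault layout are assumptions, not values from the thread.
using namespace System.Security.Cryptography.X509Certificates

function Connect-AzWithCertificateObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $Environment = 'AzureCloud'
    )

    # Connect-AzAccount signs the client assertion locally, so the object must carry the
    # private key. Get-AzKeyVaultCertificate's .Certificate property is public-only;
    # see Get-PfxFromKeyVault below for how to obtain the key material.
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key; cannot authenticate with it."
    }

    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        # Stage the certificate only for the lifetime of this call.
        $store.Add($Certificate)

        # Keep the login in this process only: nothing (including the thumbprint) is
        # written to AzureRmContext.json, which addresses the persistence concern.
        Disable-AzContextAutosave -Scope Process | Out-Null

        Connect-AzAccount -ServicePrincipal `
            -CertificateThumbprint $Certificate.Thumbprint `
            -ApplicationId $ApplicationId `
            -Tenant $TenantId `
            -Environment $Environment
    }
    finally {
        # Remove the staged entry even if Connect-AzAccount throws.
        $store.Remove($Certificate)
        $store.Close()
    }
}

function Get-PfxFromKeyVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $CertificateName
    )
    # The private key is exposed through the secret that backs the certificate, as a
    # base64-encoded PKCS#12 blob with an empty password (default content type assumed).
    $pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText
    $pfxBytes  = [Convert]::FromBase64String($pfxBase64)
    # UserKeySet: the key lives in a temporary user-profile container that disappears with
    # the object. EphemeralKeySet is deliberately avoided because Windows refuses to add a
    # certificate with an ephemeral key to a persisted X509Store.
    return [X509Certificate2]::new($pfxBytes, [string]::Empty, [X509KeyStorageFlags]::UserKeySet)
}

# --- Usage (assumed names) ---
# 1. Authenticate to the vault's tenant with the host's managed identity (Function App,
#    Automation account or Hybrid Runbook Worker), without persisting that context either.
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity | Out-Null

# 2. Pull the PFX for the multitenant app registration out of Key Vault into memory.
$cert = Get-PfxFromKeyVault -VaultName 'kv-example' -CertificateName 'spn-cert'

# 3. Authenticate to the target tenant as the app; the store is clean again afterwards.
Connect-AzWithCertificateObject -Certificate $cert `
    -ApplicationId '00000000-0000-0000-0000-000000000000' `
    -TenantId '11111111-1111-1111-1111-111111111111'

# Azure Automation: Get-AutomationCertificate -Name 'AzureRunAsCertificate' already returns
# an X509Certificate2 with its private key, so it can be passed straight to step 3.
```

To confirm nothing was left behind, run `Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $cert.Thumbprint` after the call; it should return nothing. The staging window is still a real exposure on a shared host (any process running as the same user can use the key while it is in the store), which is why the thread keeps asking for a first-class certificate-object parameter rather than this workaround.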
@dingmeng-xue is there an update on this?
@CallumCrowley, we haven't made the decision yet. The whole end-to-end scenario requires client authentication twice. The user needs to fetch the cert from the cloud using a different credential and then authenticate again. We are thinking about a comprehensive way to support more cases.
FYI @dcaro @Alex-wdy
@dingmeng-xue thanks for the update, this is definitely something that is required for people building multitenant scenarios. Managed identity doesn't support multitenant scenarios, so our only option is to use app registration. Storing the certificate for this app registration in the Azure Key Vault is also something that many clients are going to require their solution providers do and is far more secure. We really don't want to have to do things in a less secure manner and want our certificates stored in the Azure Key Vault.
Think of just Azure Automation: I run an automation job, and I store an application certificate in Key Vault. I use the identity of Azure Automation to pull from my Key Vault, but for everything else I'd like to use an application for authorization, so I don't have access on 10 different accounts in different roles specifically for Connect-AzAccount. It's already in place for Connect-ExchangeOnlineManagement and Connect-PnPOnline. Think of it another way: I'm just testing with AzureAutomationAuthoringToolkit, and I just pull from the local store and use the object for quick and dirty testing.