Connect-AzureAD
Connects with an authenticated account to use Active Directory cmdlet requests.
Syntax
Connect-AzureAD
[-AzureEnvironmentName <EnvironmentName>]
[-TenantId <String>]
[-Credential <PSCredential>]
[-AccountId <String>]
[-LogLevel <LogLevel>]
[-LogFilePath <String>]
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Connect-AzureAD
[-AzureEnvironmentName <EnvironmentName>]
-TenantId <String>
-CertificateThumbprint <String>
-ApplicationId <String>
[-LogLevel <LogLevel>]
[-LogFilePath <String>]
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Connect-AzureAD
[-AzureEnvironmentName <EnvironmentName>]
[-TenantId <String>]
-AadAccessToken <String>
[-MsAccessToken <String>]
-AccountId <String>
[-LogLevel <LogLevel>]
[-LogFilePath <String>]
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Connect-AzureAD cmdlet connects an authenticated account to use for Azure Active Directory cmdlet requests.
You can use this authenticated account only with Azure Active Directory cmdlets.
Examples
Example 1: Connect a PowerShell session to a tenant
PS C:\> Connect-AzureAD -Confirm
This command connects the current PowerShell session to an Azure Active Directory tenant. The command prompts you for a username and password for the tenant you want to connect to. The Confirm parameter prompts you for confirmation.
If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication.
Example 2: Connect a session using a variable
PS C:\> $Credential = Get-Credential
PS C:\> Connect-AzureAD -Credential $Credential
The first command gets the user credentials, and then stores them in the $Credential variable.
The second command connects the current PowerShell session using the credentials in $Credential.
This account authenticates with Azure Active Directory using organizational ID credentials. You cannot use multi-factor authentication or Microsoft account credentials to run Azure Active Directory cmdlets with this account.
Example 3: Connect a session as a service principal
# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD
# Create the self signed cert
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwd = "<password>"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd
# Load the certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "test123" -IdentifierUris "https://test123"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Test123" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
# Create the Service Principal and connect it to the Application
$sp=New-AzureADServicePrincipal -AppId $application.AppId
# Give the Service Principal Reader access to the current tenant (Get-AzureADDirectoryRole)
Add-AzureADDirectoryRoleMember -ObjectId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -RefObjectId $sp.ObjectId
# Get Tenant Detail
$tenant=Get-AzureADTenantDetail
# Now you can login to Azure PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
This command authenticates the user to Azure Active Directory as a service principal.
Parameters
-AadAccessToken
Specifies an Azure Active Directory Graph access token.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccountId
Specifies the ID of an account. You must specify the UPN of the user when authenticating with a user access token.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ApplicationId
Specifies the application ID of the service principal.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AzureEnvironmentName
Specifies the name of the Azure environment. The acceptable values for this parameter are:
- AzureCloud
- AzureChinaCloud
- AzureUSGovernment
- AzureGermanyCloud
The default value is AzureCloud.
Type: | EnvironmentName |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CertificateThumbprint
Specifies the certificate thumbprint of a digital public key X.509 certificate of a user account that has permission to perform this action.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies a PSCredential object. For more information about the PSCredential object, type Get-Help Get-Credential.
The PSCredential object provides the user ID and password for organizational ID credentials.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InformationAction
Specifies how this cmdlet responds to an information event. The acceptable values for this parameter are:
- Continue
- Ignore
- Inquire
- SilentlyContinue
- Stop
- Suspend
Type: | ActionPreference |
Aliases: | infa |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InformationVariable
Specifies a variable in which to store an information event message.
Type: | String |
Aliases: | iv |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LogFilePath
The path where the log file for this PowerShell session is written to. Provide a value here if you need to deviate from the default PowerShell log file location.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LogLevel
Specifies the log level. The accdeptable values for this parameter are:
- Info
- Error
- Warning
- None
The default value is Info.
Type: | LogLevel |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MsAccessToken
Specifies a Microsoft Graph access token.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TenantId
Specifies the ID of a tenant.
If you do not specify this parameter, the account is authenticated with the home tenant.
You must specify the TenantId parameter to authenticate as a service principal or when using Microsoft account.
Type: | String |
Aliases: | Domain, TenantDomain |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |