How to authenticate to Azure from DevOps Pipeline PowerShell task

We have a repository where Azure Automation Runbooks are stored, and we wanted to publish every new version automatically into the Azure Automation Resource account. Azure Pipeline was an obvious solution. Still, it took me some time to figure out how to authenticate to an Azure Resource from a Pipeline PowerShell task (not the same thing as the Azure PowerShell task!). The solution to this problem was mentioned at bzzzt.io/post/2021-02/2021-02-28-powershell.. so kudos to that author!

Btw I couldn't use Azure Automation built-in Source Code feature because all our accounts use MFA, so PAT cannot be used for authentication. Also, I couldn't use the Azure PowerShell pipeline task (which is authenticated to Azure by default), because I needed access to committed repository files so I could upload them to our Runbook.


Solution

The solution to the problem "how to authenticate to Azure from Pipeline PowerShell task" is to export the credentials used by the first (Azure CLI) task so that they can be used in the tasks that follow. A working solution can then look like a DevOps Pipeline with 3 tasks:

  • Azure CLI task for Connecting to Azure and exporting credentials for later use
  • PowerShell task for Connecting to Azure using exported credentials and getting an authentication token for Graph
  • Azure CLI task for Disconnecting from Azure

Prerequisites

Before we begin, we have to create a Service Connection (the account that will be used to make a connection to Azure Resources). For my use case, I use Azure Resource Manager.


Connecting to Azure and exporting credentials for later use

We create an Azure CLI task that runs shell code exporting the credentials and tenantID variables, which the following PowerShell task will use for connecting to Azure. For this to work, you have to enable Access service principal details in script.


Connecting to Azure using exported credentials and getting an authentication token for Graph

Now that we have the credentials for making a connection to Azure, we will use them.

This is where the magic happens. We use variables defined in the first task for making a connection to Azure.

"Installing Az.Accounts module"
Install-Module Az.Accounts -Force

"Connecting to Azure"
$credential = New-Object System.Management.Automation.PSCredential ("${env:SPID}", (ConvertTo-SecureString ${env:SPKEY} -AsPlainText -Force))
Connect-AzAccount -Credential $credential -Tenant ${env:TID} -ServicePrincipal

Disconnecting from Azure

In the last task we just disconnect our Azure connection.
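The three tasks described above, written as pipeline YAML. This is an added example, not the author's pipeline: the service connection name my-arm-connection is a placeholder, and the cleanup command in the third task is an assumption because the page does not show that script. The key is exported as a secret variable, so it is masked in logs and has to be mapped into the PowerShell task explicitly.

```yaml
# Added example, not the author's pipeline.
# 'my-arm-connection' is a placeholder service connection name.
steps:
  # Task 1: the Azure CLI task signs in with the service connection and, with
  # addSpnToEnvironment enabled, exposes the service principal to the script.
  - task: AzureCLI@2
    displayName: Export service principal credentials
    inputs:
      azureSubscription: my-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      addSpnToEnvironment: true   # "Access service principal details in script"
      inlineScript: |
        echo "##vso[task.setvariable variable=SPID]$servicePrincipalId"
        echo "##vso[task.setvariable variable=TID]$tenantId"
        # issecret=true masks the key in logs and keeps it out of the
        # environment of later tasks unless a task maps it in explicitly.
        echo "##vso[task.setvariable variable=SPKEY;issecret=true]$servicePrincipalKey"

  # Task 2: plain PowerShell task, so the checked-out repository files are available.
  - task: PowerShell@2
    displayName: Connect to Azure
    env:
      SPKEY: $(SPKEY)             # secret variables must be mapped explicitly
    inputs:
      targetType: inline
      script: |
        Install-Module Az.Accounts -Force
        $credential = New-Object System.Management.Automation.PSCredential ("${env:SPID}", (ConvertTo-SecureString ${env:SPKEY} -AsPlainText -Force))
        Connect-AzAccount -Credential $credential -Tenant ${env:TID} -ServicePrincipal
        # ...work with the repository files and Azure resources here...

  # Task 3: assumed cleanup command; the page does not show the script it runs.
  - task: AzureCLI@2
    displayName: Disconnect from Azure
    condition: always()           # run the cleanup even if an earlier task failed
    inputs:
      azureSubscription: my-arm-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: az account clear
```

The export relies on the service connection authenticating with a service principal secret; a connection that uses workload identity federation has no servicePrincipalKey to hand over.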
