
I'm working on a script that involves jumping between two different user accounts in two different Azure tenants. With the Az powershell module, I can set different auth contexts using:

Connect-AzAccount -ContextName "FirstContext" # interactive auth prompt 1
Connect-AzAccount -ContextName "SecondContext" # interactive auth prompt 2

then jump between them without any additional interactive prompts like this:

Select-AzContext -Name "FirstContext"
# do stuff within the first context
Select-AzContext -Name "SecondContext"
# do stuff within the second context

I need to do something similar (jumping back and forth between auth contexts in the same script) using cmdlets in the AzureAD powershell module now... Does anyone know how this might be achieved? Both auth contexts require interactive MFA, which Get-Credential doesn't seem to support.

Thanks!

Benjin
  • Do you want to circumvent MFA auth or switch auth contexts? How do you plan to jump between the contexts without using their name? Could you store the result of [Connect-AzAccount](https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-2.2.0) such as `$contextOne = Connect-AzAccount -ContextName "FirstContext"`? Is there a reason why you are avoiding fixing up the accounts to follow [least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)? – lloyd Jun 14 '19 at 06:25
  • @lloyd I want to switch auth contexts on-the-fly _for the `AzureAD` module_. I already can for the `Az` module, but they're different modules, so I can't take the auth contexts from `Az` and pass them to `AzureAD`. I'm happy to front-load MFA auth as much as necessary (once per module, per context, so 4x), but I'm looking to avoid re-MFAing within the same PS window when I want to switch between them. – Benjin Jun 14 '19 at 17:03

1 Answer


Currently, the Azure AD PowerShell module does not support selecting a context.

If you just want to avoid interactive MFA again, you can log in with a service principal; after doing what you want, disconnect it and connect with another service principal.

Connect-AzureAD -TenantId "bb58915c-xxxxx5b97ed6c65" -ApplicationId "ec614bcd-d129-4ca4xxxxx19b07" -CertificateThumbprint "F1D9FE13xxxxx8B07D1666"

# do something you want

Disconnect-AzureAD

Besides, this is the Azure AD feedback site; you can post it there as an idea.

Joy Wang
  • Not quite what I'm angling for, since the "something I want to do" has to be done as my user context, not as a service principal. – Benjin Jun 18 '19 at 17:31
  • @Benjin I have answered your question: the Azure AD PowerShell module does not support selecting a context. Using the service principal is my workaround; I think if you grant the permissions to the service principals, they could do most things instead of your user account. – Joy Wang Jun 19 '19 at 01:02
  • I can also confirm that this scenario is not supported. Thanks for answering, Joy! – Frank H Jun 20 '19 at 19:37
  • @Benjin MSFT can also confirm that this scenario is not supported; could you click to mark it as the accepted answer? – Joy Wang Jun 21 '19 at 01:54
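As an added example (not code from the question or from Joy Wang's answer), the service-principal workaround above wrapped in a helper that connects as one service principal, checks that the session landed in the intended tenant, runs a script block and always disconnects, so two tenants can be handled in one script without interactive MFA. The cmdlets are the AzureAD module's own; the function name, its parameter names and the tenant/app/thumbprint values are placeholders, and the certificate is assumed to live in the current user's personal store.

```powershell
# Added example: run a script block under one service-principal AzureAD
# session and always tear it down, so the next Connect-AzureAD starts clean.
function Invoke-AzureADAsServicePrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    # Fail early if the certificate is not in the current user's store
    # (assumed location) rather than let Connect-AzureAD give a vaguer error.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
    if (-not $cert) {
        throw "Certificate $CertificateThumbprint not found in Cert:\CurrentUser\My"
    }

    Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId `
        -CertificateThumbprint $CertificateThumbprint | Out-Null
    try {
        # Confirm the session really is in the expected tenant before acting.
        $session = Get-AzureADCurrentSessionInfo
        if ("$($session.TenantId)" -ne $TenantId) {
            throw "Connected to tenant $($session.TenantId), expected $TenantId"
        }
        & $ScriptBlock
    }
    finally {
        # Runs even if the script block throws, so a failure in tenant A never
        # leaves its service-principal session active when tenant B's work starts.
        Disconnect-AzureAD
    }
}

# One single-purpose service principal per tenant (placeholder values).
$tenantA = @{ TenantId = '<tenant-a-guid>'; ApplicationId = '<app-a-guid>'
              CertificateThumbprint = '<thumbprint-a>' }
$tenantB = @{ TenantId = '<tenant-b-guid>'; ApplicationId = '<app-b-guid>'
              CertificateThumbprint = '<thumbprint-b>' }

Invoke-AzureADAsServicePrincipal @tenantA -ScriptBlock { Get-AzureADUser -Top 5 }
Invoke-AzureADAsServicePrincipal @tenantB -ScriptBlock { Get-AzureADGroup -Top 5 }
```

Grant each service principal only the Graph permissions its script block needs; the helper does not remove the need for that scoping.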