Unattended login to Azure AD isn't that easy, especially if you want to run a PowerShell script from the Task Scheduler. A plain-text password does not work, and neither does the "CredentialManager" module: as soon as the module tries to show a sign-in prompt from a non-interactive session, you get an error like this:

```
Connect-AzureAD : One or more errors occurred.: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
```
The solution is to register an application in Azure AD, attach a certificate as its credential, and let the script sign in as that application with the private key from the local certificate store. Here is the PowerShell I used.

Note that the commands below fail on Server 2012 R2 or earlier: the New-SelfSignedCertificate cmdlet there lacks parameters (such as -Subject, -NotAfter and -KeyExportPolicy) that arrived with Windows 10 and Windows Server 2016, and stripping those parameters produces a certificate that Azure AD will not accept for login. Run the commands on a Windows 10 or Server 2016 machine, copy the exported PFX to the Windows Server 2012 R2 machine, and import it there into the Personal store of the CurrentUser account. The Cert:\CurrentUser\My store is per user, so that account must be the one the scheduled task runs as.
First, log in with administrator credentials (this one interactive login is needed to create the app registration):

```powershell
Connect-AzureAD
```
Now execute this PowerShell:

```powershell
# Password that protects the exported PFX. Do not leave a real password in the script;
# prompt for it (Read-Host -AsSecureString) when you run this for real.
$pfxPassword = "yourpass"
# Self-signed certificate in the current user's Personal store, exportable so the PFX can
# be copied to the machine that runs the scheduled task.
$thumb = (New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject "unattendedlogin-azuread" -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) -Type CodeSigningCert -KeySpec Signature).Thumbprint
$pfxPassword = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
if (-not (Test-Path C:\tmp)) { mkdir C:\tmp }
# PFX (public certificate plus private key) for the scheduler machine
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath C:\tmp\unattendedlogin-azuread.pfx -Password $pfxPassword
# Azure AD only gets the public part, base64 encoded
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\tmp\unattendedlogin-azuread.pfx", $pfxPassword)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
# App registration, certificate credential and service principal
$application = New-AzureADApplication -DisplayName "unattendedlogin-azuread" -IdentifierUris "https://unattendedlogin"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "unattendedlogin" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
$sp = New-AzureADServicePrincipal -AppId $application.AppId
# Least privilege: Directory Readers is enough for read-only reporting. Get-AzureADDirectoryRole
# only lists roles already activated in the tenant, so this yields $null if the role was never activated.
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Directory Readers" }).ObjectId -RefObjectId $sp.ObjectId
```
Now save the thumbprint, tenant ID and application ID:

```powershell
$thumb = "thumbprint"
$tenantid = "tenantid"
$appid = "appid"
```
You can get these values in the same PowerShell session like this (note that `$appid` must hold the application's AppId, not the application object, or the later login fails):

```powershell
$thumb
$app = Get-AzureADApplication | Where-Object DisplayName -match "unattendedlogin"
$appid = $app.AppId
$appid
$tenantid = (Get-AzureADTenantDetail).ObjectId
$tenantid
```
Next time, log in like this (no password and no prompt, so it also works from the Task Scheduler):

```powershell
Connect-AzureAD -TenantId $tenantid -ApplicationId $appid -CertificateThumbprint $thumb
```
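The post describes the scheduler-machine side of this procedure only in prose. The following is an added example (not code from the original post) of what the script on that machine looks like: import the PFX without -Exportable so the private key cannot be pulled back out of the store, delete the PFX, check that the certificate is usable by the task account before calling Connect-AzureAD, and run a read-only query. The PFX path, the placeholder IDs, the thumbprint and the output path are assumptions; the task account must be the same user whose CurrentUser store receives the key.

```powershell
# Added example for the scheduler machine; not from the original post.
# Assumed values: fill in the thumbprint, application ID and tenant ID from the steps above.
$pfxPath  = "C:\tmp\unattendedlogin-azuread.pfx"   # copied from the build machine
$thumb    = "THUMBPRINT-FROM-THE-STEPS-ABOVE"
$appid    = "APPLICATION-ID"
$tenantid = "TENANT-ID"

# 1. One-time import, run as the task account. No -Exportable switch: the private key stays
#    in the store and cannot be re-exported by whoever later gets a shell as that account.
if (Test-Path $pfxPath) {
    $pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
    Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null
    Remove-Item $pfxPath -Force   # the PFX is the only portable copy of the key; do not leave it on disk
}

# 2. Pre-flight check, so a broken task fails with a clear message in its log instead of the
#    "modal dialog box" error (wrong account, certificate without private key, expired certificate).
function Test-UnattendedAzureADCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) {
        throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My (task running as the wrong account, or PFX not imported)."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; import the PFX, not the CER."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter); issue a new one and update the app registration."
    }
    return $cert
}

# 3. The unattended login plus a read-only query, as the scheduled script runs it.
function Invoke-UnattendedAzureADReport {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId
    )
    Test-UnattendedAzureADCert -Thumbprint $Thumbprint | Out-Null
    $connected = $false
    try {
        Connect-AzureAD -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint | Out-Null
        $connected = $true
        # Directory Readers is enough for this; the service principal cannot change anything.
        Get-AzureADUser -Top 10 | Select-Object DisplayName, UserPrincipalName, AccountEnabled
    }
    finally {
        # Drop the session so a later interactive session on the same host does not reuse the token.
        if ($connected) { Disconnect-AzureAD }
    }
}

Invoke-UnattendedAzureADReport -Thumbprint $thumb -AppId $appid -TenantId $tenantid |
    Export-Csv -Path "C:\tmp\unattendedlogin-azuread-users.csv" -NoTypeInformation
```

Register the scheduled task to run as the account that performed the import; a task running as any other user, or as SYSTEM, looks in a different CurrentUser store and the pre-flight check above reports the certificate as missing.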
Oh nice. Just the thing I was looking for. Thank you, very many 🙂
You are welcome!
Hello Erjen,
I have a similar problem running a scheduled PowerShell script on Windows 2008R2 reporting on users and SKUs
```powershell
$TenantUname = "serviceaccountname@mytenant.onmicrosoft.com"
$TenantPass = cat ".\ServiceAccountPassword.txt" | ConvertTo-SecureString
$TenantCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $TenantUname, $TenantPass
Connect-MsolService -Credential $TenantCredentials
```
The script works when run from a logged-on user's PowerShell session, but fails when running as a scheduled job.
The error from ‘Connect-MsolService’ is
Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
Any help would be greatly appreciated
Best regards
Peter
I have the same issue as Peter Juuls.
Appreciate it if someone has a solution.
This makes me happy!
Excellent, thanks !
Had to change:
```powershell
$application = New-AzureADApplication -DisplayName "unattendedlogin-azuread" -IdentifierUris "https://unattendedlogin"
```
to include a domain that is validated in the tenant you are running this against.
Also had issues with the Thumbprint loading into AzureAD, so added:
```powershell
Export-Certificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath C:\tmp\unattendedlogin-azuread.cer
```
then manually uploaded certificate to app registration in AzureAD. This gave me the needed certificate thumbnail.
Am now using this to run scripts against AzureAD and Intune, but only from my machine. Much appreciated.