Connect-AzureRmAccount, there appear to be a lot of different ways to authenticate to an Azure subscription if you’re using PowerShell!
When in Doubt, use Connect-AzureRmAccount
When I first started working with Azure in PowerShell, I was severely confused. I’d find some articles talking about using Login-AzureRmAccount while others mentioned using Add-AzureRmAccount but few mentioning Connect-AzureRmAccount. Which one do I use in what kind of circumstances? What is going on here?!?
I’m here to tell you if you’re struggling with the same problem I was, the solution is a lot easier than you might expect. Although there may seem to be three different commands to authenticate to Azure with PowerShell, in reality, there’s only one. It is
Add-AzureRmAccount are only aliases to the
I’m here to tell you to just use Connect-AzureRmAccount and you’ll be good as gold. I don’t recommend using aliases if you can avoid them, because they make things confusing, as you can vouch for. With people using different ways to accomplish the same task, it’s hard to figure out what exactly is happening.
Feel free to verify this by running:
PS C:\> Get-Alias -Name *AzureRmAccount* | Select Name,ReferencedCommand
Authenticating with Login-AzureRmAccount
Just because Login-AzureRmAccount is the most searched term to authenticate to Azure, I will be using it in the rest of this post. However, if you’re building Azure scripts with PowerShell, I always recommend using Connect-AzureRmAccount!
There are lots of ways to authenticate to Azure using Login-AzureRmAccount. The method to use depends on what resources you’re authenticating to. For example, there are roughly five different ways to authenticate to Azure.
- Interactively
- Using a service principal
- Using an Azure Managed Service Identity
- As a Cloud Solution Provider (CSP)
- Into a non-public cloud
Signing in Interactively
The most common way for people just starting to work with Azure to connect is interactively. This means they will run Login-AzureRmAccount and be prompted for credentials.
This method works if you have a Microsoft or organizational Office 365 account and don’t need to automate the task.
Signing in with a Service Principal
You can also use a service principal to authenticate. This, along with the managed service identity, is the way to go if you need to authenticate in an automated script. However, this requires creating an Azure Active Directory application along with the service principal itself, which takes a little setup ahead of time. For a full overview of how to get that set up, you can check out this TechSnips video entitled How To Create And Authenticate To Azure With A Service Principal Using PowerShell. It covers all of the steps you need to get one set up.
Authenticating with a service principal will force you to use the
Indicates that this account authenticates by providing service principal credentials.
Specifies a PSCredential object. For more information about the PSCredential object, type Get-Help Get-Credential.
The PSCredential object provides the user ID and password for organizational ID credentials, or the application ID and secret for service principal credentials.
Signing in with a Managed Service Identity
Another way is to use managed service identities, which, to be honest, I have never done before. I’ve provided a link in this section to get an overview of that. Some of the parameters used with Login-AzureRmAccount when authenticating with managed service identities are
Host name for managed service login
Port number for managed service login
Secret, used for some kinds of managed service login.
Signing in as a Cloud Solution Provider (CSP)
If your company is a Microsoft partner and uses Azure services to directly provide resources to your customers, you may use Login-AzureRmAccount and use the TenantId parameter. This is required to specify a different Azure AD tenant.
Signing into a Non-Public Cloud
Finally, although it is not too common, you can authenticate to a non-public cloud like a government or country cloud. These clouds are represented by an Azure environment, which you select with the Environment parameter on Login-AzureRmAccount. If you don’t know the environment name, you can always look it up with Get-AzureRmEnvironment:
PS C:\> Get-AzureRmEnvironment | Select Name
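For the automated case covered in the service principal, CSP and non-public cloud sections above, here is an added example (not code from the original post) of a non-interactive sign-in that keeps the secret out of the script. The function name and the three environment variable names are assumptions; it also assumes the AzureRM module is installed.

```powershell
function Connect-AzureAutomation {
    [CmdletBinding()]
    param(
        # Azure environment name; 'AzureCloud' is the public cloud.
        [string]$Environment = 'AzureCloud'
    )

    # Fail fast instead of falling back to an interactive prompt on a build agent.
    # Variable names are assumptions: set them from your pipeline's secret store.
    foreach ($name in 'AZURE_APP_ID', 'AZURE_APP_SECRET', 'AZURE_TENANT_ID') {
        if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
            throw "Required environment variable $name is not set."
        }
    }

    # Reject a mistyped environment name before any credential is sent anywhere.
    $known = (Get-AzureRmEnvironment).Name
    if ($known -notcontains $Environment) {
        throw "Unknown Azure environment '$Environment'. Valid names: $($known -join ', ')"
    }

    # Keep this login scoped to the current process rather than saving it for the user.
    Disable-AzureRmContextAutosave -Scope Process | Out-Null

    # For a service principal, the PSCredential user name is the application ID
    # and the password is the application secret.
    $secret     = ConvertTo-SecureString -String $env:AZURE_APP_SECRET -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential ($env:AZURE_APP_ID, $secret)

    # Drop the plaintext copy so child processes do not inherit it.
    Remove-Item Env:AZURE_APP_SECRET

    $params = @{
        ServicePrincipal = $true
        Credential       = $credential
        TenantId         = $env:AZURE_TENANT_ID
        Environment      = $Environment
        ErrorAction      = 'Stop'
    }
    Connect-AzureRmAccount @params | Out-Null

    # Return only non-secret details, safe to write to a build log.
    $ctx = Get-AzureRmContext
    [pscustomobject]@{
        Account     = $ctx.Account.Id
        Tenant      = $ctx.Tenant.Id
        Environment = $ctx.Environment.Name
    }
}
```

Call it once at the top of an automated script, for example `Connect-AzureAutomation -Environment AzureCloud`, and check the returned account and tenant before running anything that changes resources.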
As you can see, there are a lot of different ways to authenticate to Azure because Azure is a big service! Using Connect-AzureRmAccount with PowerShell, you’ll be able to provide all of the necessary parameters Azure needs to interactively or non-interactively process your credentials and allow you to get going!