The other day I was working on building a PowerShell script to provision some Azure resources using the Azure Resource Manager module. I had some difficulty with authenticating my script with my Azure account. The documentation for the PowerShell module was not very clear on the authentication requirements and I only figured it out when I started reading through the documentation for the Azure CLI tools.
Resource Manager Authentication
The Resource Manager API only supports authentication against organizational accounts. This in a nutshell was the source of my problem and the documentation is not really clear on this point. On top of that the API does not provide a clear error. When I would attempt to authenticate in my script, I did not receive any errors after entering my credentials. The errors would appear whenever I tried to do something with Resource Manager API after the login step. This would have a been easiert to resolve if the authentication service would have provided a clear error message when I was using my Microsoft Account credentials.
For better or worse, all of my Azure subscriptions are tied to my Microsoft Account and while I have an organizational account I really did not want to call Azure support to have them move my subscription. The workaround is to create a new account in the Azure AD default directory associated with the Microsoft Account. This account can then be granted co-admin permissions and it also counts as an organizational account.
Create the Organizational User
- In the Azure portal navigate to your default directory
- Click on the Users tab at the top of the screen
- Click on the Add User button
- Fill out the new user form
- Set the Type of User to New user in your organization
- Set Role to User
- Leave the Enable Multi-Factor Authentication box unchecked
- Finish creating the user by clicking the Create button
- Add the new user to a subscription as a co-administrator
- Login using the new account and change the account password
Use the New User in PowerShell
In PowerShell, try authenticating with the Resource Manager API using the Add-AzureRmAccount cmdlet. When the login form appears, use the credentials for the new organizational user. Now that you have logged in with an organizational account you should be able to run the other AzureRm cmdlets without receiving cryptic errors about your credentials being expired or not authorized to perform a particular action.
Along with the ability to access the Resource Manager API, the new organizational user credentials can also be used to create PSCredential objects. These objects can be passed into the Add-AzureRmAccount and Add-AzureAccount cmdlets to pass credentials in non-interactive scripts.