Automate login for Azure PowerShell

Introduction

To automate signing in to an Azure tenant from PowerShell scripts, you need a service account that does not have Multi-factor Authentication (MFA) enabled. Everyone knows this is a weakness, but there are ways to mitigate the risk, including:

  • Conditional Access policies in Azure Active Directory (AAD) that exclude only that particular service account, so MFA stays enforced for everyone else
  • Named locations, so that sign-ins from your organization's trusted IP addresses do not raise false-positive alerts (and sign-ins from anywhere else stand out)
  • Limiting the account to the role it actually needs, either an existing built-in role or a custom RBAC role
  • Limiting the scope of that role assignment to the specific resource(s) within Azure

Each of these reduces what a stolen credential can do; none of them makes the credential itself safe to store carelessly, which is the subject of the rest of this post.
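The last two mitigations in the list above, a custom role trimmed to the actions the script performs and an assignment scoped to one resource group, look like this in Az PowerShell. This is an added example, not code from the original post; the subscription ID, resource group, account and role names are placeholders, and the set of VM actions is only an illustration of what "the required role" might contain:

```powershell
# Added example (not from the original post): restrict a no-MFA service account
# to the minimum role and scope it needs. All names below are assumptions.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'    # assumption
$ResourceGroup  = 'rg-automation'                           # assumption
$ServiceAccount = 'svc-automation@contoso.onmicrosoft.com'  # assumption
$CustomRoleName = 'Automation VM Operator'                  # assumption
$Scope          = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Clone a built-in role and cut it down to the actions the script actually performs.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id = $null                       # a null Id makes New-AzRoleDefinition create a new role
$role.Name = $CustomRoleName
$role.Description = 'Read, start and deallocate VMs in one resource group only.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($Scope)     # the role cannot be assigned outside this resource group

if (-not (Get-AzRoleDefinition -Name $CustomRoleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -Role $role | Out-Null
}

# Assign the custom role at resource-group scope, never at the subscription or tenant.
$existing = Get-AzRoleAssignment -SignInName $ServiceAccount `
                                 -RoleDefinitionName $CustomRoleName `
                                 -Scope $Scope -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -SignInName $ServiceAccount `
                         -RoleDefinitionName $CustomRoleName `
                         -Scope $Scope | Out-Null
}

# Review step: every assignment the account holds. Anything whose Scope is wider
# than the resource group above is a finding to remove.
Get-AzRoleAssignment -SignInName $ServiceAccount |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run this as an administrator of the subscription, not as the service account itself. The final listing is worth keeping in a periodic review: a no-MFA account tends to collect extra assignments over time, and the blast radius of the stored credential is exactly the union of those scopes.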
Plain Text

A lazy and insecure way is to leave the account's password in the script in plain text. This is fine for a quick test, but it is not acceptable for production use: anyone who can read the script can use the credentials for malicious activity. The example below demonstrates this insecure approach:

# INSECURE: user name and password are hard-coded in the script
$AccountName ="bla@bla.onmicrosoft.com"
$Password = ConvertTo-SecureString "bla" -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential
...

Even restricting access to the script at the file system level isn't good enough, as an administrator can take ownership of the file and read the credentials out of it. To keep the password out of the script you have a couple of options: the Save-AzContext cmdlet, or an encrypted password file (a "secure password"). Let's discuss both options in detail.

Save-AzContext

This cmdlet is part of the Az module and saves the current Azure context, that is the signed-in account, tenant, subscription and the session's cached tokens, to a JSON file. The advantage of this option is that neither the user name nor the password appears in the script, and it works with both Windows PowerShell and PowerShell Core on Unix-like operating systems; the limitation is that it can only be used for signing in to Azure. Be aware that the JSON file is itself a credential: anyone who can read it can import it and act as the service account until the saved tokens expire, so lock the file down at the file system level and expect to regenerate it when the tokens stop working.
Once you have signed in with the service account that doesn't have MFA, run the following command to save the context:

Save-AzContext -Path .\MyServiceAccount.json

Before your automated script runs, it needs to import the saved context:

Import-AzContext -Path .\MyServiceAccount.json
...
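Putting the two commands together with the file-system lockdown and the validity check a scheduled script needs. This is an added example, not code from the original post; the path under ProgramData, the function names and the use of Get-AzSubscription as a cheap "are the tokens still good" probe are my assumptions:

```powershell
# Added example (not from the original post). Path and function names are assumptions.
$ContextPath = Join-Path $env:ProgramData 'AzAutomation\MyServiceAccount.json'  # assumption

# --- One-time setup: run interactively as the Windows user the scheduled task runs as ---
function Save-ServiceAccountContext {
    param([Parameter(Mandatory)][pscredential]$Credential)

    # Sign in with the no-MFA service account and persist the context to disk.
    Connect-AzAccount -Credential $Credential -ErrorAction Stop | Out-Null
    New-Item -ItemType Directory -Path (Split-Path $ContextPath) -Force | Out-Null
    Save-AzContext -Path $ContextPath -Force

    # The JSON file is a bearer credential: drop inherited ACLs and grant read
    # access only to the account running this function (and SYSTEM).
    $acl = Get-Acl -Path $ContextPath
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited rules
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($identity in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ContextPath -AclObject $acl
}

# --- In the scheduled script ---
function Connect-WithSavedContext {
    if (-not (Test-Path -Path $ContextPath)) {
        throw "Context file '$ContextPath' not found; run Save-ServiceAccountContext first."
    }

    # A context file readable by broad groups is an already-exposed credential; refuse it.
    $broad = (Get-Acl -Path $ContextPath).Access |
        Where-Object { $_.IdentityReference -match 'Users|Everyone|Authenticated Users' }
    if ($broad) {
        throw "Context file '$ContextPath' is readable by $($broad.IdentityReference -join ', '); fix the ACL."
    }

    $null = Import-AzContext -Path $ContextPath -ErrorAction Stop
    $ctx = Get-AzContext
    if (-not $ctx -or -not $ctx.Account) {
        throw 'Import-AzContext did not produce a signed-in context.'
    }

    # Cached tokens expire. A cheap ARM call proves they still work before the
    # real work starts, so a stale file fails loudly instead of halfway through.
    try {
        $null = Get-AzSubscription -SubscriptionId $ctx.Subscription.Id -ErrorAction Stop
    } catch {
        throw "Saved tokens for $($ctx.Account.Id) no longer work ($($_.Exception.Message)); regenerate $ContextPath."
    }
    return $ctx
}
```

The ACL check before Import-AzContext is deliberate: if someone has loosened permissions on the file, the credential should be treated as compromised rather than silently reused. The ACL code uses Windows identities and Set-Acl, so that part of the example applies to Windows hosts; on a Unix-like host, chmod 600 on the file serves the same purpose.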
Secure Password

This option works for both on-premises Active Directory and Azure AD accounts. The encrypted password string is protected with the Windows Data Protection API (DPAPI), so it can only be decrypted by the same user account on the same computer on which it was created; running the script as a different user, or copying the file to another system, will fail. (DPAPI is Windows-only, so this protection does not apply on Linux or macOS.)
The downside is that the user name is still in plain text. It is still recommended to limit the service account to the access it actually needs and to lock down the script and the password file at the file system level. To create the encrypted password file, run the following in PowerShell as the user the automated script will run as:

Read-Host "Enter Password" -AsSecureString |  ConvertFrom-SecureString | Out-File .\password.txt

With the password encrypted, the automated script reads password.txt back into a SecureString and builds the credential from it:

$AccountName ="bla@bla.onmicrosoft.com"
# Decrypts with DPAPI; only works as the user, and on the computer, that created password.txt
$Password = Get-Content ".\password.txt" | ConvertTo-SecureString
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential
...
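The same flow written so that the two failure modes this section warns about (file created by the wrong user or on another machine, and a platform without DPAPI) are caught up front with a useful message. This is an added example, not code from the original post; the account name, the path under ProgramData and the function names are assumptions:

```powershell
# Added example (not from the original post). Account name, path and function names are assumptions.
$AccountName  = 'svc-automation@contoso.onmicrosoft.com'               # assumption
$PasswordFile = Join-Path $env:ProgramData 'AzAutomation\password.txt'  # assumption

function Assert-DpapiAvailable {
    # Without -Key, ConvertFrom-SecureString relies on DPAPI, which only exists on Windows.
    # $IsWindows is defined in PowerShell Core only; Windows PowerShell 5.1 is always Windows.
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        throw 'DPAPI is not available on this platform; the password file would not be encrypted.'
    }
}

# --- One-time setup: run interactively AS THE USER THE SCHEDULED TASK RUNS AS,
#     on the machine it runs on, because DPAPI ties the blob to that user and machine ---
function New-ProtectedPasswordFile {
    Assert-DpapiAvailable
    New-Item -ItemType Directory -Path (Split-Path $PasswordFile) -Force | Out-Null
    Read-Host -Prompt 'Enter service account password' -AsSecureString |
        ConvertFrom-SecureString |          # DPAPI, current-user scope (no -Key supplied)
        Out-File -FilePath $PasswordFile
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    "Created $PasswordFile; decryptable only by $who on $env:COMPUTERNAME"
}

# --- In the scheduled script ---
function Get-ServiceAccountCredential {
    Assert-DpapiAvailable
    if (-not (Test-Path -Path $PasswordFile)) {
        throw "Password file '$PasswordFile' not found; run New-ProtectedPasswordFile first."
    }
    $blob = Get-Content -Path $PasswordFile | Select-Object -First 1
    try {
        $secure = ConvertTo-SecureString -String $blob -ErrorAction Stop
    } catch {
        # Typical cause: the task runs as a different user, or the file was copied from
        # another computer. DPAPI refuses to decrypt rather than returning garbage.
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Cannot decrypt '$PasswordFile' as $who on $env:COMPUTERNAME; recreate it as the account that runs this script. ($($_.Exception.Message))"
    }
    return New-Object System.Management.Automation.PSCredential($AccountName, $secure)
}

function Connect-WithProtectedPassword {
    $cred = Get-ServiceAccountCredential
    Connect-AzAccount -Credential $cred -ErrorAction Stop | Out-Null
    $ctx = Get-AzContext
    # Confirm the sign-in landed on the expected account, not a leftover cached session.
    if (-not $ctx -or $ctx.Account.Id -ne $AccountName) {
        throw "Signed-in account is '$($ctx.Account.Id)', expected '$AccountName'."
    }
    return $ctx
}
```

The key operational point is in the setup comment: the file has to be generated by the identity that will later run the script. Generating it from your own admin session and then scheduling the task as a service user is the most common way this approach "mysteriously" fails, and the catch block above turns that into a one-line diagnosis.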

A similar example I wrote up used the same method to automate configuration backups for network appliances by signing in as the root user and triggering a configuration backup.