Connect to Azure AD using Microsoft Account with PowerShell

A Microsoft Account (MSA) is not a work or school account that an organization issues in its own Azure AD; it is the consumer identity used for services such as Outlook.com/Live Mail, Skype or Xbox. When you connect to Azure AD with a Microsoft Account (e.g. a Live ID), you might start with a plain Connect-AzureAD to obtain a tenant ID. The screen below is what you might get.

You then happily try more cmdlets from the AzureAD module, e.g. Get-AzureADUser, but every call fails with the message "Error occurred while executing GetUsers" and the error code Authentication_Unauthorized.

Like anyone, you search for that error and find answers saying you need to specify the tenant ID. So you pass the tenant ID from the previous output to another Connect-AzureAD with the command line below:

Connect-AzureAD -TenantId "your_tenant_ID_you've_got"

After executing the command line, you get successful-looking output like this (the Account and TenantDomain columns are blank in the capture):

Account          Environment TenantId                             TenantDomain AccountType
-------          ----------- --------                             ------------ -----------
                 AzureCloud  f8cdef31-a31e-4b4a-93e4-5f571e91255a              User

You again run some cmdlets to read Azure AD information for the directory behind your subscription. If you followed the steps above, I assure you that you will never reach the target Azure AD. Why? When you run Connect-AzureAD without -TenantId and sign in with a Microsoft Account, Azure AD assumes you want the directory the Microsoft Account itself belongs to: its consumer home directory, whose well-known ID is the f8cdef31-a31e-4b4a-93e4-5f571e91255a shown in the output above. Passing that same tenant ID back in a second Connect-AzureAD therefore changes nothing; you are still connected to the MSA's home directory, where your account has no rights to enumerate users. The directory you need is the one your subscription belongs to, in which your Microsoft Account exists only as an invited (guest) identity with a UPN of the form <account>@<tenant_name>, not as the Live ID you typed at the prompt.

To reach the target Azure AD, you must pass the directory (tenant) ID of the directory that owns your subscription, not the Microsoft Account's own directory. You can find the directory ID in the Azure Portal (Azure Active Directory > Properties) or resolve it with PowerShell. For those who are lazy, the script below does the job.

# Sign in to Azure Resource Manager first, then take the tenant ID from the subscription itself
Connect-AzureRmAccount
$tenantID = (Get-AzureRmSubscription -SubscriptionName "Enterprise Subscription").TenantId
Connect-AzureAD -TenantId $tenantID

When you run this script you are prompted twice for credentials, once by Connect-AzureRmAccount and once by Connect-AzureAD; the Microsoft Account can be used for both. I use -SubscriptionName because my account is associated with multiple subscriptions, which may live in different directories.
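The same procedure, written out as an added example rather than code from the original post, using the current Az module (Connect-AzAccount / Get-AzSubscription, the successor of the AzureRm cmdlets above) together with the AzureAD module. The subscription name is a hypothetical placeholder. The extra step a practitioner wants is the verification at the end: confirm the session really landed in the subscription's directory and that a cheap directory read succeeds before running anything that matters, instead of discovering the wrong directory through Authentication_Unauthorized later.

```powershell
# Added example (not from the original post): connect an AzureAD PowerShell
# session to a specific directory with a Microsoft Account and verify that the
# session is in that directory before doing real work.
# Assumptions: the Az and AzureAD modules are installed; the subscription
# name is a hypothetical placeholder.

param(
    [string]$SubscriptionName = "Enterprise Subscription"   # hypothetical name
)

# Well-known ID of the consumer Microsoft Account home directory. Ending up
# here is exactly the failure the post describes.
$msaTenantId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# 1. Sign in to Azure Resource Manager and resolve the directory that owns the
#    target subscription. The tenant ID is a property of the subscription,
#    not of the identity you signed in with.
Connect-AzAccount | Out-Null
$sub = Get-AzSubscription -SubscriptionName $SubscriptionName -ErrorAction Stop
$tenantId = $sub.TenantId

if ($tenantId -eq $msaTenantId) {
    throw "Subscription '$SubscriptionName' resolves to the consumer MSA directory; choose a subscription owned by the target Azure AD."
}

# 2. Connect the AzureAD module explicitly to that directory. Without
#    -TenantId a Microsoft Account is sent to its consumer home directory.
Connect-AzureAD -TenantId $tenantId | Out-Null

# 3. Verify: the session's tenant must equal the subscription's tenant, and a
#    directory read must succeed. Get-AzureADCurrentSessionInfo reports the
#    same Account / TenantId / TenantDomain fields shown by Connect-AzureAD.
$session = Get-AzureADCurrentSessionInfo
if ($session.TenantId -ne $tenantId) {
    throw "Connected to $($session.TenantId) but expected $tenantId"
}

try {
    $tenant = Get-AzureADTenantDetail
    Write-Host "Connected to '$($tenant.DisplayName)' ($tenantId) as $($session.Account)"
}
catch {
    # In the wrong directory (or without rights) this is where
    # "Error occurred while executing ... Code: Authentication_Unauthorized" surfaces.
    throw "Directory read failed in tenant $tenantId : $($_.Exception.Message)"
}

# From here on, AzureAD cmdlets run against the intended directory. The
# Microsoft Account itself shows up in the listing as a Guest user.
Get-AzureADUser -Top 5 | Select-Object UserPrincipalName, UserType
```

Connect-AzAccount prompts interactively, so run this from an interactive session; if your Microsoft Account is a guest in several directories, pass -Tenant $tenantId to Connect-AzAccount as well so the ARM sign-in and the AzureAD sign-in target the same directory.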

This article is just a small tip to save you time. Once again: if you connect to the wrong directory, you will never be authorized to run Azure AD cmdlets against the directory you actually want.
