Does Connect-AzAccount support login without subscription

Open fawohlsc opened this issue 2 years ago • 6 comments

Description

Is there an equivalent to 'az login --allow-no-subscriptions' in Azure PowerShell's Connect-AzAccount?

Script or Debug output

No response

Environment data

No response

Module versions

No response

Error output

No response

fawohlsc, Mar 09 '23 09:03

Hi @fawohlsc, could you share your scenario with us? Do you log in to run only the data-plane cmdlets (those that don't talk to Azure Resource Manager, like Get-AzKeyVaultSecret)?

isra-fel, Mar 09 '23 10:03

@isra-fel - Many thanks for the swift response. It's uncommon but useful to run tenant level commands, such as 'az ad'. See this Pull Request and Issue in Azure CLI for additional context.

fawohlsc, Mar 09 '23 15:03

It's also useful in this context: https://github.com/Azure/azure-powershell/issues/10733. If you think about some scenario like a GDAP or DAP context with a CSP tenant, this is necessary.

clitters, Apr 17 '23 11:04

Sorry for the late response. First of all, you can sign in to Azure PowerShell with a principal that does not have access to any subscription. And there's no need for an extra parameter, simply Connect-AzAccount as you do for a normal account. Our cmdlets are divided into two categories - management plane and data plane. Management plane cmdlets (like New-AzDeployment) are based on Azure Resource Manager, and a subscription is mandatory. On the other hand, subscriptions are often not needed for data plane (like Get-AzAdUser), and we never intended to have such a restriction. I tested Get-AzKeyVaultSecret and Get-AzAdUser, both worked without sub, but New-AzAdRoleAssignment failed. We will work on making it support the no-sub scenario, but again, our intention is to put no extra restriction on the cmdlet if the API does not require a sub.

isra-fel, Jun 07 '23 13:06

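My Get-AzConfig ended up with a default subscription and I couldn't log in with an account that has no subscription access. I had to do this to remove the default temporarily:

# Get-AzConfig returns a config object; keep only its Value so it can be restored later
$defaultSubscriptionForLogin = (Get-AzConfig -DefaultSubscriptionForLogin).Value
# Clear the default so the login does not try to select that subscription
Update-AzConfig -DefaultSubscriptionForLogin ''
Connect-AzAccount
# Put the previous default back
Update-AzConfig -DefaultSubscriptionForLogin $defaultSubscriptionForLogin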

mikew3432, Jun 21 '23 00:06
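
A hardened form of the workaround above, as an added example that is not part of the thread or of Azure PowerShell itself: it restores the saved default in a `finally` block, so a failed login cannot leave the setting cleared, and it reports whether the resulting context is tenant-only. `Connect-AzAccountWithoutDefaultSubscription` and `ConnectParameters` are hypothetical names, and reading the stored setting from the `Value` property of the `Get-AzConfig` result is an assumption about the Az.Accounts config object.

```powershell
# Added example, not code from the thread. Requires the Az.Accounts module.
function Connect-AzAccountWithoutDefaultSubscription {
    [CmdletBinding()]
    param(
        # Passed through to Connect-AzAccount, e.g. @{ Tenant = '<tenant-id>' }
        [hashtable] $ConnectParameters = @{}
    )

    # Assumption: the configured subscription is exposed as .Value on the
    # object returned by Get-AzConfig.
    $savedDefault = (Get-AzConfig -DefaultSubscriptionForLogin).Value

    try {
        if ($savedDefault) {
            # Clear the default so login does not try to select a subscription
            # the signing-in principal cannot access.
            Update-AzConfig -DefaultSubscriptionForLogin '' | Out-Null
        }

        Connect-AzAccount @ConnectParameters -ErrorAction Stop | Out-Null

        # Summarise the context so callers can tell a tenant-only login
        # (no subscription) from a normal one before running ARM cmdlets.
        $context = Get-AzContext
        [pscustomobject]@{
            Account         = $context.Account.Id
            TenantId        = $context.Tenant.Id
            HasSubscription = [bool]$context.Subscription
        }
    }
    finally {
        # Runs on success and on failure, so the default is always put back.
        if ($savedDefault) {
            Update-AzConfig -DefaultSubscriptionForLogin $savedDefault | Out-Null
        }
    }
}

# Usage: interactive login into a specific tenant (placeholder value).
# Connect-AzAccountWithoutDefaultSubscription -ConnectParameters @{ Tenant = '<tenant-id>' }
```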

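> My Get-AzConfig ended up with a default subscription and I couldn't log in with an account that has no subscription access. I had to do this to remove the default temporarily:
>
> # Get-AzConfig returns a config object; keep only its Value so it can be restored later
> $defaultSubscriptionForLogin = (Get-AzConfig -DefaultSubscriptionForLogin).Value
> # Clear the default so the login does not try to select that subscription
> Update-AzConfig -DefaultSubscriptionForLogin ''
> Connect-AzAccount
> # Put the previous default back
> Update-AzConfig -DefaultSubscriptionForLogin $defaultSubscriptionForLogin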

Thanks @mikew3432, this is what worked in my situation.

My use case was using a service principal to log in to Azure AD B2C so it could create more service principals.

alvaradojl, Jun 08 '24 17:06