Azure PowerShell (Az) is a set of modules that allow you to manage Microsoft Azure from the PowerShell command line. These modules are used to create and configure cloud services and manage virtual machines, networks, web applications, and other Azure resources.
In this article, we will show how to install Azure PowerShell on Windows and connect to your tenant using different authentication methods.
Table of Contents
Prerequisites
The Azure PowerShell module is compatible with Windows PowerShell and PowerShell Core. Each flavor has a different set of requirements.
For Windows PowerShell
- A computer with Windows PowerShell 5.1.
- The .NET Framework 4.7.2 or later must be installed.
- The latest PowerShellGet must be installed. The newest version, as of this writing, is 2.2.5.
For PowerShell 7
- A computer with the latest version of PowerShell installed. As of this writing, the latest PowerShell version is v7.3.6.
Note. Check how to get the Windows version using PowerShell.
Prepare the PowerShell Environment
Note. Microsoft recommends PowerShell v7 or higher for use with the Azure PowerShell module on all platforms, including Windows, Linux, and macOS.
Set the PowerShell Execution Policy
Before you install (or uninstall) any modules, your PowerShell execution policy must be set to RemoteSigned (recommended) or lesser restrictions.
Related post. Managing Script Execution Policy using PowerShell Set-ExecutionPolicy.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set PowerShell Gallery as a Trusted Installation Source
Azure PowerShell is published in PowerShell Gallery, and PowerShell does not trust it as a source. To make PowerShell trust the PowerShell Gallery as a module installation source, run this command.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Update PowerShellGet
When you install the latest PowerShell version, it also comes with the latest PowerShellGet module. As of this writing, the newest version is 2.2.5.
But if you’re stuck with Windows PowerShell 5.1, the out-of-the-box PowerShellGet version is 1.0.0.1.
To update it, run the following command in Windows PowerShell as admin.
Install-Module PowerShellGet -Scope AllUsers -Force
When prompted to install the NuGet provider, press Y and Enter.
Finally, confirm that PowerShellGet has been installed.
Get-Module PowerShellGet -ListAvailable
As you can see below, the latest version is installed alongside the old one. You don’t need to uninstall the 1.0.0.1 version because PowerShell will use the latest by default.
Uninstall the AzureRM Module
The AzureRM module is the old module used to manage Azure resources in PowerShell. It has been deprecated since December 2018. If it was previously installed, you must first uninstall it.
First, check if AzureRM is installed.
Get-Module AzureRM -ListAvailable
If AzureRM is installed, run this command to uninstall it from the computer.
Uninstall-Module -Name AzureRm -AllVersions
Install Azure PowerShell on Windows
Once everything is prepared and the requirements are in place, you can continue to install Azure PowerShell.
Depending on whether you want to install Azure PowerShell to your profile or all users, run the appropriate command.
# Install Azure PowerShell to the current user ($HOME\Documents\PowerShell\Modules)
# - Does not require elevation
Install-Module -Name Az -AllowClobber
# Install Azure PowerShell to all users ($env:ProgramFiles\PowerShell\Modules)
# - Requires elevation (Run as admin)
Install-Module -Name Az -AllowClobber -Scope AllUsers
Wait while PowerShell installs the Az module and dependent packages.
Once installed, run the following command to confirm.
Get-InstalledModule -Name Az
Connect to the Azure PowerShell with MFA-Enabled User Accounts
If your administrator account is MFA-Enabled, you can interactively log authenticate via the web browser by running the Connect-AzAccount without parameters.
Connect-AzAccount
Log in using your credentials and complete the MFA challenge.
Connect to the Azure PowerShell with Stored Credentials (Non-MFA User)
For users with MFA turned off, they can store their credentials ahead and pass them to the Connect-AzAccount cmdlet like so.
$credential = Get-Credential
Connect-AzAccount -Credential $credential
Connect to the Azure PowerShell Specific Azure Tenant and Subscription
You can specify which tenant and subscription to connect to when authenticating. This method is beneficial if you’re a delegated CSP or a guest administrator in another tenant.
You must know the tenant and subscription ID to use this authentication method.
For example, this tenant has two subscriptions, as shown below.
To connect to the specific tenant and subscription, run the following command.
Connect-AzAccount -Tenant 'xxxx-xxxx-xxxx-xxxx' -Subscription 'yyyy-yyyy-yyyy-yyyy'
This command will show the Azure login page. Sign in with your credentials.
Connect to the Azure PowerShell using a Service Principal Credential
If you’ve created a service principal with a password (secret) and assigned one or more Azure roles, you can use it to connect to your Azure tenant.
First, store the service principal’s application ID, secret, and tenant ID.
$appId = 'APPLICATION ID'
$secretKey = 'SECRET TEXT'
$tenantId = 'TENANT ID'
Next, create the credential object using the application ID as the username and the secret as the password.
$credential = [pscredential]::New($appId, (ConvertTo-SecureString $secretKey -AsPlainText -Force))
Finally, connect to Azure PowerShell using the service principal authentication. The -ServicePrincipal switch indicates that the credential to use is of a service principal account.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId
Connect to the Azure PowerShell using a Service Principal Certificate
Option 1: Using a PFX Certificate File
This method imports a password-protected file into the PowerShell session and uses it for authentication.
$azSpParams = @{
servicePrincipal = $true
certificatePath = "PATH TO PFX FILE HERE"
certificatePassword = (ConvertTo-SecureString -String 'PFX PASSWORD' -AsPlainText -Force)
applicationId = 'APPLICATION ID'
tenantId = 'TENANT ID'
}
Connect-AzAccount @azSpParams
Option 2: Using the Certificate from the Certificate Store
This method assumes the certificate is stored in your certificate store, and you know the certificate thumbprint.
$azSpParams = @{
servicePrincipal = $true
certificateThumbprint = 'THUMBPRINT'
applicationId = 'APPLICATION ID'
tenantId = 'TENANT ID'
}
Connect-AzAccount @azSpParams
Conclusion
This guide has provided a comprehensive walkthrough of the installation process and various authentication methods, ensuring you are well-equipped to take control of your Azure environment through PowerShell.
You’ve gained insights into various scenarios, from meeting prerequisites to configuring your PowerShell environment, updating modules, and securely connecting with different authentication mechanisms. Following the steps outlined here, you can confidently deploy, manage, and optimize your Azure resources using familiar PowerShell commands.
