
Unattended Login

To schedule a PowerShell script that connects to AzureAD you have to use this special type of account (a service principal that authenticates with a certificate instead of a user password). I found this online; the link to the original website is posted to the right. I got confused, so make sure to just skip the 3rd step on the other website. The key item is to make sure you execute the final step and save those values for later use / authentication before you disconnect from the AzureAD session.

You can use a Windows account in Task Scheduler to execute the PowerShell script; the script itself uses this inline login to access AzureAD.

Super Special Note:
If you see yourself getting access denied, format a URL like the one below and paste it in a browser to grant admin consent to your app.
I also used this same format for creating an Exchange Online unattended account.
Note: There is no longer an Exchange Service Administrator role, so I changed it to Exchange Administrator.

{tenant-id} = your Tenant ID for Azure, found on the Azure Active Directory Overview page
{client-id / AppID} = the AppID of the application you created, found by going to:
Azure AD \ App Registrations \ All Applications \ unattendedlogin-azuread


https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}

#1 Connect to AzureAD (Connect-AzureAD, interactively, as an administrator)

#2 Update the URL below to show your domain. Mine is "https://scriptsbyscott.com"

#3 Commands to execute
# Keep the PFX password in its own variable: $pwd is a PowerShell automatic variable (the current directory) and should not be overwritten.
$pfxPassword = ConvertTo-SecureString -String "yourpass" -Force -AsPlainText
# Create a 10-year self-signed certificate in the current user's personal store and keep its thumbprint.
$thumb = (New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "unattendedlogin-azuread" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10) -Type CodeSigningCert -KeySpec Signature).Thumbprint
if (-not (Test-Path C:\tmp)) { mkdir C:\tmp }
# Export the certificate with its private key. This PFX is what gets installed in step 4; delete it from C:\tmp once it has been imported.
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath C:\tmp\unattendedlogin-azuread.pfx -Password $pfxPassword
# Only the public certificate (raw cert data, no private key) is registered with the application.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\tmp\unattendedlogin-azuread.pfx", $pfxPassword)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$application = New-AzureADApplication -DisplayName "unattendedlogin-azuread" -IdentifierUris "https://scriptsbyscott.com"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "unattendedlogin" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
$sp = New-AzureADServicePrincipal -AppId $application.AppId
# Directory Readers gives the service principal read-only access; pick the least-privileged role your script needs.
# Get-AzureADDirectoryRole lists only roles already activated in the tenant, so if the lookup returns nothing, activate the role first.
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}).ObjectId -RefObjectId $sp.ObjectId

#4 Install Cert to personal Cert Store from C:\tmp

#5 Run these to get and record all values (in the same session as step 3, so $thumb is still set)
$thumb
$app = Get-AzureADApplication | Where-Object DisplayName -match "unattendedlogin"
$app.AppId
$tenant = Get-AzureADTenantDetail
$tenant.ObjectId


#6 Once you have these values documented, you can use them in a PowerShell script run from Task Scheduler to connect to AzureAD. These are examples of mine (edited); you should use your own values from the output shown in step 5.
# Install-Module AzureAD is a one-time, interactive step; the scheduled script only needs to import the module.
Import-Module AzureAD
$AppID = 'b7bbcf98-f84exxxxx27c667105'
$TenantID = '8d151ea2-4xxxe020c04470'
$Thumbprint = 'D5EA77xxxxxxx032AF04E022C71F8'
Connect-AzureAD -TenantId $TenantID -ApplicationId $AppID -CertificateThumbprint $Thumbprint
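A fuller version of the step 6 scheduled-task script, added here as an example and not taken from the original post: it checks that the certificate from step 4 is actually present for the account the task runs as, logs the outcome, and disconnects when done. It assumes the AzureAD module is already installed for that account, that the PFX was imported into its Cert:\CurrentUser\My store, and that the placeholder values and log path below are replaced with your own.

```powershell
# Scheduled-task script for the unattended AzureAD connection (added example, not the page's own code).
# The three values come from step 5; the placeholders and the log path are made up for this example.
$AppId      = '<app-id-from-step-5>'
$TenantId   = '<tenant-id-from-step-5>'
$Thumbprint = '<certificate-thumbprint-from-step-5>'
$LogFile    = 'C:\tmp\unattendedlogin-azuread.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

# Import-Module only: Install-Module is a one-time interactive step and would prompt inside a scheduled task.
Import-Module AzureAD -ErrorAction Stop

# Connect-AzureAD resolves the thumbprint in the certificate store of the account running the task,
# so verify it is there, still has its private key, and is not about to expire before connecting.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Log "Certificate $Thumbprint not found in Cert:\CurrentUser\My for $env:USERNAME; aborting."
    exit 1
}
if (-not $cert.HasPrivateKey) {
    Write-Log "Certificate $Thumbprint has no private key (was the PFX imported, or only the .cer?); aborting."
    exit 1
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Log "Warning: certificate $Thumbprint expires $($cert.NotAfter); roll it and update the app's key credential."
}

$failed = $false
try {
    Connect-AzureAD -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ErrorAction Stop | Out-Null
    Write-Log "Connected to tenant $TenantId as application $AppId."

    # The scheduled work goes here; a read-only query is all the Directory Readers role allows.
    $users = Get-AzureADUser -Top 5 | Select-Object DisplayName, UserPrincipalName
    Write-Log "Sample query returned $($users.Count) users."
}
catch {
    # An authorization error here usually means admin consent was never granted (see the adminconsent URL above).
    Write-Log "Connect-AzureAD or query failed: $($_.Exception.Message)"
    $failed = $true
}
finally {
    Disconnect-AzureAD -ErrorAction SilentlyContinue
}
if ($failed) { exit 1 }
```

Run the task as the same Windows account that imported the PFX; a non-zero exit code lets Task Scheduler's "Last Run Result" show when the connection failed.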
