'az account get-access-token' equivalent in Azure PowerShell

[TylerLeonhardt]

Right now the Azure Functions CLI relies on Azure PowerShell in order to get an access token to interact with the Azure API:

https://github.com/Azure/azure-functions-core-tools/blob/60ea24fd4408ea876882324a9505c2d43bb37726/src/Azure.Functions.Cli/Actions/AzureActions/BaseAzureAction.cs#L72-L96

I opened an issue on them to change it but they consider it by design because of how complicated it is to get an access token.

Apparently there was an attempt to get this to work in Azure PowerShell as well but unfortunately, there was no way to retrieve the access token needed.

in Azure CLI, it's simple. All you do it:

az account get-access-token

I noticed that on the context object that comes back from Get-AzContext there is a property called Account which has an AccessToken property that is not set:

PS > (Get-AzContext).Account


Id                    : xxxxxxxx
Type                  : User
Tenants               : {xxxxxxxxxxxxxxxxxxx}
AccessToken           :
Credential            :
TenantMap             : {}
CertificateThumbprint :
ExtendedProperties    : {[Subscriptions, xxxxxxxxxxxx]
                        , [Tenants, xxxxxxxxxx]}



PS > (Get-AzContext).Account.AccessToken
PS >

Can this AccessToken property be set so that a user doesn't have to rely on Azure CLI to get it?

I also tried this:

$context = Get-AzContext; $context.TokenCache.ReadItems() | ? TenantId -eq $context.TenantId | % { $_.AccessToken }

but noticed that all of my tokens in the TokenCache were already expired.

[markcowl]

@TylerLeonhardt Thanks for the report. It is actually intentional that we don't expose tokems, for a few reasons:

• They are secret
• They can expire, and while there are refresh tokens, it can be difficult to use one to obtain a new access token from a refresh token
• They are an implementation detail that users shouldn't have to worry about

There are a few options to use instead:

• Use PowerShell's TokenCache with ADAL calls to authenticate a request
• MSI Auth

If you can tell us a bit more about how you are using the token, there ay be additional options

[TylerLeonhardt]

The problem I am facing was that the Azure Functions CLI (func not a part of Azure CLI or Azure PowerShell) relied on the Azure CLI to obtain an access token. See related issue here:
Azure/azure-functions-core-tools#840

I don't agree that they should be relying on Azure CLI but I'm going with it... and am trying to get the same token via Az.Profile so I can rely on that if Azure CLI isn't available.

I attempted and eventually succeeded in a way to obtain an access token via Az.Profile... but with a fair bit of effort. See the PR here to the func CLI:
Azure/azure-functions-core-tools#873

Specifically the code is:

$currentAzureContext = Get-AzContext
$azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile;
$profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile);
$profileClient.AcquireAccessToken($currentAzureContext.Subscription.TenantId).AccessToken;

[markcowl]

Seems like this is fixed, although I still don't understand the underlying scenario. Please reopen if there is a continuing issue.

[TylerLeonhardt]

I don't think I'd consider it fixed.

Is my snippet of code something I can rely on for the future?

The underlying scenario

Some context - the func CLI aka Azure Functions Core Tools is the data plane interface with Azure Functions. It allows you to work with Azure Functions locally AND publish them to Azure.

In order to publish to Azure, it needs an access token so that it can make the necessary API calls to Azure.

Their reasoning (as described in the issue linked) is that there are a multitude of different ways to log in to Azure (with multiple environments) and the func CLI didn't want to handle authentication when the Azure CLI already does a great job at doing so.

So they relied on the Azure CLI command:

az account get-access-token

To get the token to interact with the Azure API.

I wanted them to conditionally use Azure PowerShell for users of the func CLI that only use Azure PowerShell, but getting the access token from Azure PowerShell was more than trivial (see code above).

[TylerLeonhardt]

Cc dev of Functions team, @ahmelsayed

[brandonh-msft]

Underlying scenario for me is trying to hit the Kusto REST API which requires a token created against the .kusto.windows.net resource URI. The default tokens coming thru off AzContext don't work.

tokens using get-access-token --resource 'https://.....kusto.windows.net' work, while there's no way to specify the resource in our current PS offerings when asking for access tokens.

[samarths-msft]

Exact same issue, except the resource in my case is https://apps.azureiotcentral.com. az account get-access-token --resource works, but I'm hoping for a PS equivalent.