Connect-AzAccount doesn't take -AuthScope with -AccessToken

[prateekprshr-nith]

Description

• We use Connect-AzAccount in an environment, where we only have an access token.
• User can't login interactively and no credentials are available. Thus, we can' use -Credential as well.
• But we have to use data plane cmdlets of Az.Attestation, which requires us to use -AuthScope Attestation with Connect-AzAccount. Here is how our cmdlet looks like Connect-AzAccount -AuthScope Attestation -AccessToken <token> -<other common arguments>.
• But above invocation doesn't work since -AccessToken and -AuthScope can't be used together in same parameter set.
• This poses a blocker for us since we only have an access token for connecting to Azure.

Our questions:

• Why are -AccessToken and -AuthScope mutually exclusive?
• What is our alternative? We can' use interactive authentication or -Credential as well.

Issue script & Debug output

Not providing due to sensitive nature of logs. Let me know if they are absolutely needed.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.25398.469
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.25398.469
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

2.13.1     Az.Accounts
 6.11.2     Az.Resources
 2.0.0      Az.Attestation

Error output

Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

[isra-fel]

Hi @prateekprshr-nith
Ultimately we recommend signing in using service principals / managed identities for best the security, but to answer your questions:

• The reason why AuthScope and AccessToken are mutually exclusive is that they serve different purposes. AuthScope specifies scopes other than ARM (azure resource manager) that you want to explicitly authenticate with. Natually you need credentials to authenticate. AcessToken is designed to work-around authentication by simply setting the access token into Azure PowerShell. Note that the token of management plane (ARM) and data plane are different. So the cmdlet would have looked like Connect-AzAccount -AccessToken <ARM token> -AttestationAccessToken <attestation token>.
• let me discuss with team to understand if there's workaround
• let me also loop in Attestation team

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @anilba06.

[isra-fel]

Currently the only workaround is to send the request via "Invoke-WebRequest". You can configure the header to include the attestation token for authentication. But the downside is that it's a general purpose cmdlet so it'll be messy to process the input/output.

Are you sure there's absolutely no other way to authenticate except for using raw tokens?

[prateekprshr-nith]

@isra-fel, thank you for your response. And you are right. Our execution environment is pretty constrained, and we only have access to raw tokens. However, we do have ability to get a token for ARM scope and Attestation scope as well. Is Connect-AzAccount -AccessToken <ARM token> -AttestationAccessToken <attestation token> a possibility?

And also, let us say that we do Connect-AzAccount -AccessToken <ARM Token> and then invoke the data plane cmdlets Set-AzAttestationPolicy. Do the data plane cmdlets not have the ability to request for data plane scope tokens? I reason I say that is because when I do simply Connect-AzAccount with interactive authentication and without any AuthScope, the cmdlet Set-AzAttestationPolicy still ends up requesting for an Attestation token. Why is this behavior not present with if Connect-AzAccount -AccessToken <ARM token> is used?

[isra-fel]

Is Connect-AzAccount -AccessToken -AttestationAccessToken a possibility?

Yes, and that is what we need to work with Attestation team to support. ( @anilba06 )

Do the data plane cmdlets not have the ability to request for data plane scope tokens?

They do, but only if you sign in with actual credentials. When authenticating Az.Accounts will not only retrieve an access token but also a refresh token. The refresh token will be used to redeem another access token for attestation automatically.
However signing in with -AccessToken skipped authentication therefore these won't be any refresh token to redeem access token for attestation.

[prateekprshr-nith]

I see, thank you @isra-fel

1. Also, is it by design to not request for a refresh token with -AccessToken? Just trying to understand.
2. From my experience with Connect-AzAccount, I see that it will only succeed if the -AccessToken is for ARM. In that sense, can this token be not used to obtain a refresh token? Sorry for the simplification, if it is actually more complex.