New-DbaAzAccessToken

Author Chrissy LeMaire (@cl), netnerds.net
Availability Windows, Linux, macOS

Want to see the source code for this command? Check out New-DbaAzAccessToken on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaAzAccessToken.

Synopsis

Simplifies the generation of Azure OAuth2 tokens.

Description

Generates an OAuth2 access token. Currently supports Managed Identities, Service Principals and IRenewableToken.

Want to know more about Access Tokens? This page explains it well: https://dzone.com/articles/using-managed-identity-to-securely-access-azure-re

Syntax

New-DbaAzAccessToken
    [-Type] <String>
    [[-Subtype] <String>]
    [[-Config] <Object>]
    [[-Credential] <PSCredential>]
    [[-Tenant] <String>]
    [[-Thumbprint] <String>]
    [[-Store] <String>]
    [-EnableException]
    [<CommonParameters>]

Examples

Example: 1
PS C:\> New-DbaAzAccessToken -Type ManagedIdentity

Returns a plain-text token for Managed Identities for SQL Azure Db.

Example: 2
PS C:\> $token = New-DbaAzAccessToken -Type ManagedIdentity -Subtype AzureSqlDb
PS C:\> $server = Connect-DbaInstance -SqlInstance myserver.database.windows.net -Database mydb -AccessToken $token -DisableException

Generates a token, then uses it to connect to an Azure SQL Db.

Example: 3
PS C:\> $token = New-DbaAzAccessToken -Type ServicePrincipal -Tenant whatup.onmicrosoft.com -Credential ee590f55-9b2b-55d4-8bca-38ab123db670
PS C:\> $server = Connect-DbaInstance -SqlInstance myserver.database.windows.net -Database mydb -AccessToken $token -DisableException
PS C:\> Invoke-DbaQuery -SqlInstance $server -Query "select 1 as test"

Generates a token, then uses it to connect to an Azure SQL Db.
Once the connection is made, it is used to perform a test query.
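
As an added example (not part of dbatools or of this page's original text), the sketch below checks that a returned token is scoped to the intended resource and has enough lifetime left before it is passed to Connect-DbaInstance. It assumes the token is a JWT string and that https://database.windows.net/ is the expected audience for Azure SQL; Get-AccessTokenClaim, Test-AccessTokenForResource and ConvertTo-Base64Url are hypothetical helper names.

```powershell
# Added example, not dbatools code. Helper names are hypothetical.
# Assumes the token is a JWT string. Checks claims only; does not verify the signature.
function Get-AccessTokenClaim {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a three-part JWT.' }
    # JWT segments are unpadded base64url; convert to padded standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-AccessTokenForResource {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [int]$MinimumSecondsLeft = 300
    )
    $claims = Get-AccessTokenClaim -Token $Token
    $secondsLeft = [long]$claims.exp - [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # Compare audiences without a trailing slash so both spellings match.
    $audOk = ([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
    [pscustomobject]@{
        Audience    = $claims.aud
        AudienceOk  = $audOk
        SecondsLeft = $secondsLeft
        Usable      = $audOk -and ($secondsLeft -ge $MinimumSecondsLeft)
    }
}

# Constructed, unsigned sample token so the check runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$payload = '{"aud":"https://database.windows.net/","exp":' + $exp + '}'
$sample = (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig' -join '.'
Test-AccessTokenForResource -Token $sample -ExpectedAudience 'https://database.windows.net/'

# With a real token (parameters as documented on this page):
# $token = New-DbaAzAccessToken -Type ManagedIdentity -Subtype AzureSqlDb -EnableException
# $check = Test-AccessTokenForResource -Token $token -ExpectedAudience 'https://database.windows.net/'
# if (-not $check.Usable) { throw 'Token audience or lifetime is not what was expected.' }
```

The result object carries only the audience and remaining lifetime, so it can be logged without writing the token itself to output or transcripts.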

Required Parameters

-Type

The type of request:
ManagedIdentity
ServicePrincipal
RenewableServicePrincipal

Alias
Required True
Pipeline false
Default Value
Accepted Values ManagedIdentity,ServicePrincipal,RenewableServicePrincipal

Optional Parameters

-Subtype

The subtype. Options include:
AzureSqlDb (default)
ResourceManager
DataLake
EventHubs
KeyVault
ServiceBus
Storage
Read more here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql

Alias
Required False
Pipeline false
Default Value AzureSqlDb
Accepted Values AzureSqlDb,ResourceManager,DataLake,EventHubs,KeyVault,ServiceBus,Storage

-Config

The hashtable or json configuration.

Alias
Required False
Pipeline false
Default Value

-Credential

When using the ServicePrincipal type, a Credential is required. The username is the App ID and the password is the App Password.
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords

Alias
Required False
Pipeline false
Default Value

-Tenant

When using the ServicePrincipal or RenewableServicePrincipal types, a tenant name or ID is required. This field works with both.

Alias
Required False
Pipeline false
Default Value (Get-DbatoolsConfigValue -FullName 'azure.tenantid')

-Thumbprint

Thumbprint for connections to Azure MSI

Alias
Required False
Pipeline false
Default Value (Get-DbatoolsConfigValue -FullName 'azure.certificate.thumbprint')

-Store

Store where the Azure MSI certificate is stored

Alias
Required False
Pipeline false
Default Value (Get-DbatoolsConfigValue -FullName 'azure.certificate.store')
Accepted Values CurrentUser,LocalMachine

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False