Are you trying to manage Azure PowerShell context objects?
This guide will help you.
Azure contexts are PowerShell objects representing your active subscription to run commands against, and the authentication information needed to connect to an Azure cloud. With Azure contexts, Azure PowerShell doesn't need to reauthenticate your account each time you switch subscriptions.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Azure-related queries.
In this context, we shall look into how to manage Azure context objects.
More about Azure context objects
Azure PowerShell uses Azure PowerShell context objects to hold subscription and authentication information. If we have more than one subscription, it will let us select the subscription to run Azure PowerShell cmdlets on.
Besides holding subscription and authentication information, contexts are also used to store sign-in information across multiple PowerShell sessions and to run background tasks.
With Azure contexts, Azure PowerShell does not need to reauthenticate the account each time we switch subscriptions.
An Azure context consists of:
i. The account used to sign in to Azure with Connect-AzAccount.
ii. The active subscription, a service agreement with Microsoft to create and run Azure resources, which are associated with a tenant.
iii. A reference to a token cache, a stored authentication token for accessing an Azure cloud.
Generally, authentication tokens stored by Azure contexts are the same as other stored tokens that are part of a persistent session.
When we sign in with Connect-AzAccount, it creates at least one Azure context for the default subscription. The object returned by Connect-AzAccount is the default Azure context used for the rest of the PowerShell session.
Get Azure PowerShell context objects
The available Azure contexts are retrieved with the Get-AzContext cmdlet. We can list all of the available contexts by running Get-AzContext with -ListAvailable.
Or we can get a context by name:
$context = Get-AzContext -Name "mycontext"
The context name may differ from the name of the associated subscription.
The available Azure contexts are not always the available subscriptions. They only represent locally-stored information. We can get the subscriptions with the Get-AzSubscription cmdlet.
Create a new Azure context from subscription information
The Set-AzContext cmdlet creates new Azure contexts and sets them as the active context.
The cmdlet can take the output object from Get-AzSubscription as a piped value and configure a new Azure context:
Get-AzSubscription -SubscriptionName 'MySubscriptionName' | Set-AzContext -Name 'MyContextName'
Or give the subscription name or ID and the tenant ID if necessary:
Set-AzContext -Name 'MyContextName' -Subscription 'MySubscriptionName' -Tenant '…….'
If we omit the -Name argument, the subscription's name and ID are used as the context name in the format Subscription Name (subscription-id).
Change the active Azure context
To change the active Azure context we can use both Set-AzContext and Select-AzContext. Set-AzContext creates a new Azure context and switches to use that context as the active one.
Select-AzContext is for use with existing Azure contexts only and works similarly to using Set-AzContext -Context. However, it is designed for use with piping:
Set-AzContext -Context $(Get-AzContext -Name "mycontext") # Set a context with an inline Azure context object
Get-AzContext -Name "mycontext" | Select-AzContext # Set a context with a piped Azure context object
Like many other account and context management commands in Azure PowerShell, Set-AzContext and Select-AzContext support the -Scope argument so that we can control how long the context is active.
-Scope lets us change a single session's active context without changing the default:
Get-AzContext -Name "mycontext" | Select-AzContext -Scope Process
To avoid switching contexts for a whole PowerShell session, all Azure PowerShell commands can be run against a given context with the -AzContext argument:
$context = Get-AzContext -Name "mycontext"
New-AzVM -Name ExampleVM -AzContext $context
The other main use of contexts with Azure PowerShell cmdlets is to run background commands.
Save Azure contexts across PowerShell sessions
By default, Azure contexts are saved for use between PowerShell sessions. We can change this behavior in the following ways:
i. Sign in using -Scope Process with Connect-AzAccount.
Connect-AzAccount -Scope Process
However, the Azure context returned as part of this sign-in is valid for the current session only. It will not save automatically, regardless of the Azure PowerShell context autosave setting.
ii. Disable Azure PowerShell's context autosave with the Disable-AzContextAutosave cmdlet.
iii. Explicitly enable Azure context autosave with the Enable-AzContextAutosave cmdlet. With autosave enabled, all of a user's contexts are stored locally for later PowerShell sessions.
iv. Manually save contexts with Save-AzContext:
Save-AzContext -Path current-context.json # Save the current context
Save-AzContext -Profile $profileObject -Path other-context.json # Save a context object
Import-AzContext -Path other-context.json # Load the context from a file and set it to the current context
Disabling context autosave does not clear any stored context information that was already saved. Use the Clear-AzContext cmdlet to remove stored information.
Each of these commands supports the -Scope parameter, which can take a value of Process to only apply to the currently running process.
For example, we run the commands below to ensure that new contexts are not saved after exiting a PowerShell session:
Disable-AzContextAutosave -Scope Process
$context2 = Set-AzContext -Subscription "sub-id" -Tenant "other-tenant"
On Windows, context information and tokens are stored in the $env:USERPROFILE\.Azure directory. On other platforms, they are stored in $HOME/.Azure.
Sensitive information such as subscription IDs and tenant IDs may still be present in this stored information.
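To see what is actually persisted for the current user, the storage location and the locally stored contexts can be reported together. This is an added example, not code from the original guide; the function name Get-AzContextStoreReport is hypothetical, and Get-AzContextAutosaveSetting is an Az.Accounts cmdlet that the text above does not mention.

```powershell
# Added example: report what Azure PowerShell has persisted for the current user.
# Get-AzContextStoreReport is a hypothetical helper name, not part of the Az module.
function Get-AzContextStoreReport {
    # Location given in the text: $env:USERPROFILE\.Azure on Windows, $HOME/.Azure elsewhere.
    $root     = if ($env:USERPROFILE) { $env:USERPROFILE } else { $HOME }
    $storeDir = Join-Path $root '.Azure'

    # Enumerate every file in the store (hidden ones included) without reading its contents.
    $files = if (Test-Path -LiteralPath $storeDir) {
        Get-ChildItem -LiteralPath $storeDir -File -Recurse -Force |
            Select-Object FullName, Length, LastWriteTime
    } else { @() }

    # Locally stored contexts: which account, subscription and tenant each one points at.
    $contexts = Get-AzContext -ListAvailable | ForEach-Object {
        [pscustomobject]@{
            ContextName  = $_.Name
            Account      = $_.Account.Id
            Subscription = $_.Subscription.Id
            Tenant       = $_.Tenant.Id
        }
    }

    [pscustomobject]@{
        AutosaveMode = (Get-AzContextAutosaveSetting).Mode   # autosave scope currently in effect
        StoreDir     = $storeDir
        Files        = $files
        Contexts     = $contexts
    }
}

$report = Get-AzContextStoreReport
"Autosave mode: $($report.AutosaveMode)  Store: $($report.StoreDir)"
$report.Contexts | Format-Table -AutoSize
$report.Files | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Contexts listed for accounts that no longer need access on this machine are candidates for the removal commands in the next section.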
Remove Azure contexts and stored credentials
To clear Azure contexts and credentials:
1. Sign out of an account with Disconnect-AzAccount.
We can sign out of any account either by account or context:
Disconnect-AzAccount # Disconnect active account
Disconnect-AzAccount -Username "email@example.com" # Disconnect by account name
Disconnect-AzAccount -ContextName "subscription2" # Disconnect by context name
Disconnect-AzAccount -AzureContext $contextObject # Disconnect using context object information
Disconnecting always removes authentication tokens and saved contexts.
2. Use Clear-AzContext.
This cmdlet is guaranteed to always remove stored contexts and authentication tokens, and will also sign us out.
3. Remove a context with Remove-AzContext:
Remove-AzContext -Name "mycontext" # Remove by name
Get-AzContext -Name "mycontext" | Remove-AzContext # Remove by piping Azure context object
Removing the active context will disconnect us from Azure, so we need to reauthenticate with Connect-AzAccount.
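The -Scope Process sign-in, the -AzContext argument and the cleanup cmdlets described above combine into a pattern for shared or automation hosts, where the sign-in should not outlive the task. This is an added example, not code from the original guide; the function name Invoke-WithEphemeralAzContext and the placeholder tenant and subscription values are assumptions, and Get-AzResourceGroup is used only as a sample workload.

```powershell
# Added example: run one task with a context that exists only in this process.
# Invoke-WithEphemeralAzContext is a hypothetical helper name, not part of the Az module.
function Invoke-WithEphemeralAzContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $TenantId,
        [Parameter(Mandatory)] [string]      $SubscriptionId,
        [Parameter(Mandatory)] [scriptblock] $Task
    )

    # Keep new contexts from being saved by this process; the user's default setting is untouched.
    Disable-AzContextAutosave -Scope Process | Out-Null

    # Sign in for this process only, then capture the resulting active context.
    Connect-AzAccount -Scope Process -Tenant $TenantId -Subscription $SubscriptionId -ErrorAction Stop | Out-Null
    $context = Get-AzContext

    try {
        # Hand the context to the task explicitly so it never depends on the session default.
        & $Task $context
    }
    finally {
        # Runs even if the task throws: sign out and drop in-process contexts and tokens.
        Disconnect-AzAccount -AzureContext $context -Scope Process | Out-Null
        Clear-AzContext -Scope Process -Force
    }
}

# Usage with placeholder IDs (replace with real values).
Invoke-WithEphemeralAzContext -TenantId '<tenant-id>' -SubscriptionId '<subscription-id>' -Task {
    param($ctx)
    Get-AzResourceGroup -AzContext $ctx | Select-Object ResourceGroupName, Location
}
```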