Combining Az Cli and Azure Powershell Az modules in a DevOps Pipeline

Something that always frustrates me is the when you need to combine Azure Powershell Az modules and Azure Cli in a single script and then use it in an Azure DevOps Pipeline. I always forget this and when googling there doesnt seem to be any straightforward article which just says how to do this that I can find, so this is here for my notes and if someone has a better way to do this please comment im sure there must be a better way. The problem is:

1. Do I use the Azure Cli task
2. Do I use the Azure Powershell task

Either way you seem to have a problem.

Azure Cli Task Errors:

• if you dont install the Powershell Az modules = The term 'Get-AzResourceGroup' is not recognized as the name of a cmdlet
• Run Connect-AzAccount to login.

Azure Powershell Task Errors:

• Please run 'az login' to setup account.

To demonstrate the issue you can use the below 2 commands in whichever task you want:

az group list

Get-AzResourceGroup

We basically want a task to run both commands without a problem.

The way I have decided to do this until I find a better solution is as follows:

Task 1

In the first task I will use the Azure Cli task which you may have seen elsewhere in the playbook articles to promote the variables from the Azure Service Principal Connection from DevOps to Azure as pipeline variables that I can use in a custom script. This is a technique I also used in the Terraform articles I did.

The key thing in this task is the tick box in the options which allow you to access the service principal. I am not sure you can do this in the Powershell one (happy to be corrected if I am wrong). In this task I use the latest preview version and specify Powershell theb run the command below:

Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"

Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$($env:servicePrincipalKey)"

Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"

This will promote the principal as variables in the pipeline.

Task 2

In this task I will do the actual script I want to do the work. I will use the Azure Powershell task in the latest version. I will then at the start of my script I will access the variables and do an Az Login

$username = "$(ARM_CLIENT_ID)"
$password = "$(ARM_CLIENT_SECRET)"
$tenantId = "$(ARM_TENANT_ID)"
 
az login --service-principal --username  $username --password $password --tenant $tenantId

I can now use both Az powershell cmdlets and Az Cli commands side by side without any issues. This task will automatically have signed me into Azure in the pipeline from the service principal to setup Powershell for me and I just needed to az login and I can use Azure Cli with the same service principal which is used in both task 1 and 2.

Task Definitions

The Yaml for the tasks is below if you need the full details:

Task 1:

steps:
- task: AzureCLI@2
  displayName: 'Azure CLI - Promote Service Principal'
  inputs:
    azureSubscription: 'My Sub'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
     
     Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$($env:servicePrincipalId)"
     
     Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$($env:servicePrincipalKey)"
     
     Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$($env:tenantId)"
    addSpnToEnvironment: true

Task 2:

steps:
- task: AzurePowerShell@5
  displayName: Test
  inputs:
    azureSubscription: 'My Sub'
    ScriptType: InlineScript
    Inline: |
     
     $username = "$(ARM_CLIENT_ID)"
     $password = "$(ARM_CLIENT_SECRET)"
     $tenantId = "$(ARM_TENANT_ID)"
     
      
     az login --service-principal --username  $username --password $password --tenant $tenantId
     
     az group list
     
     Get-AzResourceGroup
    azurePowerShellVersion: LatestVersion