PowerShell - Connecting to Azure Active Directory using Microsoft Account

I have an Azure subscription where the subscription administrator account is a Microsoft Account. I then added another Microsoft Account as a co-administrator. I'm told that when I add a co-administrator, it gets added to my subscription's default AD as a Guest user. What I really want to accomplish is change the user type from Guest to Member. For this, I am advised to use Azure AD PowerShell and this is where I am struggling.

I've already installed related PS Modules (based on this link: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx).

So here's what I am doing:

First, this is the command I am issuing:

$msolcred = get-credential

I get prompted for entering my credentials which I provide and then I run the following command:

connect-msolservice -credential $msolcred

When I do this, I get the following error:

connect-msolservice : The user name or password is incorrect. Verify your user name, and then type your password again.
At line:1 char:1
+ connect-msolservice -Credential $cred -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x80048821,Microsoft.Online.Administration.Automation.ConnectMsolService

I even tried putting the username as domainname.onmicrosoft.com\username but still get the same result.

So my questions are:

  • Is it even possible to connect to Azure AD via PowerShell using Microsoft Account?
  • If it is possible, then how should I specify the username? I have tried both username as well as domainname\username and I got the same error.
  • If it is not possible, then what's the alternate solution? Should I just create a user in that AD and put that user in a role that has permission to manage users (as this is what I want to do)?

Any insights regarding this would be highly appreciated.

Gaurav Mantri asked Apr 07 '15 06:04

1 Answer

(Updated 2018-04-23 to clarify how to do this with AzureAD (v2) module.)

The AzureAD (v2) PowerShell module accepts the -TenantId parameter in Connect-AzureAD, which can be either the GUID tenant ID or any verified domain name in the Azure AD tenant. Doing so will allow you to sign in using an external account (e.g. your personal Microsoft account, or a work or school account from another Azure AD tenant, as long as this account was previously invited into the tenant):

Connect-AzureAD -TenantId "contoso.com"

The MSOnline (v1) module does not have an equivalent parameter, but it does accept -AdGraphAccessToken and -MsGraphAccessToken, which are access tokens to the Azure AD Graph API (https://graph.windows.net) and the Microsoft Graph API (https://graph.microsoft.com), respectively. Though you can use ADAL (for example) to obtain these access tokens for your specific tenant (which allows you to use external users), it's probably simpler to just create a "local" account in your Azure AD tenant for this.

Signing in to AAD PowerShell with a Microsoft Account is not currently supported. Your approach (make a new user that is "native" to the directory) is the way to go.

Philippe Signoret answered Sep 28 '22 17:09
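As an added example (not code from the question or the answer), here is the tenant-scoped sign-in the answer describes, followed by a read-only inventory of guest accounts and a confirmed Guest-to-Member change for the invited co-administrator the question wants to convert. It assumes the AzureAD (v2) module is installed and that the signing-in account holds a directory role allowed to edit users; "contoso.com" and the guest UPN are placeholders.

```powershell
# Added example, not from the question or the answer. Assumes the AzureAD (v2)
# module is installed; "contoso.com" and the UPN below are placeholder values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Any verified domain of the tenant, or its GUID; this is what lets an
    # external (Microsoft account or other-tenant) user sign in at all.
    [string]$TenantId = "contoso.com",
    # UPN or ObjectId of the invited co-administrator whose type should change.
    [string]$GuestId  = "guest_outlook.com#EXT#@contoso.onmicrosoft.com"
)

Connect-AzureAD -TenantId $TenantId | Out-Null

# Verify which account and tenant the session actually landed in before
# touching anything; a wrong tenant here means editing the wrong directory.
$session = Get-AzureADCurrentSessionInfo
Write-Host "Signed in as $($session.Account) to tenant $($session.TenantId)"

# Inventory every guest: each one is an external identity with directory
# access, worth reviewing whenever co-administrators are added.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, UserPrincipalName, UserType, AccountEnabled |
    Format-Table -AutoSize

try {
    $target = Get-AzureADUser -ObjectId $GuestId
} catch {
    throw "No user '$GuestId' found in tenant $TenantId"
}

if ($target.UserType -eq 'Member') {
    Write-Host "$($target.UserPrincipalName) is already a Member; nothing to do."
    return
}

# Guest -> Member widens what the account can read in the directory, so the
# change goes through ShouldProcess: -WhatIf previews it, -Confirm gates it.
if ($PSCmdlet.ShouldProcess($target.UserPrincipalName, "Set UserType from Guest to Member")) {
    Set-AzureADUser -ObjectId $target.ObjectId -UserType Member
    $updated = Get-AzureADUser -ObjectId $target.ObjectId
    Write-Host "UserType is now $($updated.UserType)"
}
```

Run the script with -WhatIf first to see the intended change without applying it.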