Secure authentication within PowerShell scripts for Intune MDM
We would like to authenticate to services, like Azure Storage or Azure SQL from an Intune MDM PowerShell script.
However, with PowerShell scripts in Intune MDM the source, including passwords are visible in plain text, for instance when you review the log files in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
We would like a secure way to safely authenticate with different services from PowerShell scripts in Intune MDM. For instance by being able to preconfigure one or more Credential- or Variable Assets passed (as parameter?) with the PowerShell script configured.
A credential source provider could be Azure Key Vault or Azure Automation Credential- and Variable Assets.

9 comments
-
Ozzy commented
It would be very nice to use Azure Active Directory RBAC for powershell scripts
regards,
Ozzy -
James Sneed commented
Please put this on your roadmap.
-
Richard Tracy commented
I could definitely use this, but I feel its a difficult feature to implement only because you would then need a shared secret between device and the cloud creds. Unless there was some way to securely store an unretreavable keys on the system (maybe through TPM) manually but mask it as a system variable.
-
Anonymous commented
This is essential! C'mon, make it happen MS!
-
Anonymous commented
Seems to obvious, cmon Microsoft please add this!
-
Anonymous commented
I agree. This would be great.
-
Christian commented
great idea and love the blog @jseerden
-
Matthew Nelson commented
This really needs to be implemented. LAPS is already available on-premise but for intune devices in a cloud only environment, there is really no solution for local admin password control, which is a requirement for SRS devices
-
Anonymous commented
This would be the feature that would crush competitors beneath Microsoft's heel.