Store Credentials in PowerShell

Posted by ITomation



From time to time, we have to perform actions in a PowerShell script for which the user account executing the script does not have sufficient privileges. We usually get around this by performing those specific actions with a different user's credentials. For example, suppose an on-premises AD user account executes a script that performs a number of on-prem Active Directory tasks, and we want to add cloud actions in Azure to this script, for example on cloud mailboxes to which our on-prem user account does not have sufficient access. In this scenario we can store credentials in PowerShell for a cloud admin user account that has sufficient cloud privileges.


Saving the password


First, we need to save the cloud user's encrypted password in a file. To do this, we launch a PowerShell session as the user account that will execute the script, on the same server/workstation that the script will run on. It is very important to run it as the executing user of the script and on the same server/workstation, or else the call to retrieve the password at script run-time will not work: without a key, ConvertFrom-SecureString encrypts with the Windows Data Protection API (DPAPI), so only the same user account on the same computer can decrypt the result.


Step 1 – Run PowerShell as different user




Step 2 – Enter the credentials of the user account executing the script



Once we have our PowerShell session open, we can proceed to save the encrypted password to a file.


Step 3 – Save encrypted password to a file


Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File c:\CloudCred


Note: after running the above command, you will type in the cloud account’s password and then hit enter again, at which point the file will be created.





Retrieving the password


We are now ready to utilize the encrypted password file in our script.


Step 4 – Get the password file contents


$MyPassword = Get-Content C:\CloudCred | ConvertTo-SecureString


Step 5 – Create PSCredential object for cloud user


$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "CloudUser",$MyPassword


Now that we have a PSCredential object (i.e. $MyCredential), we can use it for, say, connecting to the Azure MSOL Service as our cloud user. Here is an example:


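# Open a remote Exchange session as the cloud user. <ConnectionUri> is a placeholder: the URI is not given on this page.
$MySession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri '<ConnectionUri>' -Credential $MyCredential -Authentication Basic -AllowRedirection
# Import the cmdlets from the session created above into the current session.
Import-PSSession $MySession -AllowClobber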
Connect-MsolService -Credential $MyCredential
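
The save and retrieve steps above can be wrapped in two functions that also restrict the password file to the account that created it and fail with a clear message when the file is read by a different user or on a different computer. This is an added example, not code from the original post; the function names Save-CloudPassword and Get-CloudCredential are hypothetical, and the path and user name are the ones used in the steps above.

```powershell
# Added example: helper names are hypothetical; path and user name follow the post.
$CredFile = 'C:\CloudCred'

function Save-CloudPassword {
    param([string]$Path = $CredFile)
    # Prompt without echo, then encrypt for the current user on this computer.
    Read-Host -Prompt 'Cloud account password' -AsSecureString |
        ConvertFrom-SecureString |
        Out-File -FilePath $Path

    # Drop inherited permissions and grant access to the current user only.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protected, inherited rules removed
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-CloudCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Path = $CredFile
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Password file '$Path' not found. Run Save-CloudPassword as the script's account first."
    }
    try {
        # Decryption only succeeds for the account and computer that created the file.
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw ("Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME. " +
               "The file must be created by this account on this computer. " +
               "Original error: $($_.Exception.Message)")
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage: run Save-CloudPassword once, interactively, as the script's account.
# Then, inside the script:
#   $MyCredential = Get-CloudCredential -UserName 'CloudUser'
```

The file permission does not replace the encryption; it only stops other local accounts from reading or overwriting the file.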


For more info on Secure Strings see
