@williamoconnorme
Last active February 24, 2025 18:35
This script will allow you to use DefaultAzureCredential locally with your Service Fabric cluster. It uses PsExec to log in the NETWORK SERVICE account using the Azure CLI, which caches the token credential for the service account.
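<#
.SYNOPSIS
Authenticates via Azure CLI and stores the resulting token cache in the SYSTEM user profile so that the Azure.Identity library can authenticate with Azure services from a service account.
.DESCRIPTION
The script uses Azure CLI to authenticate and retrieve an authentication token. This token is then stored in the SYSTEM user profile (C:\Windows\System32\config\systemprofile\.azure), allowing the Azure.Identity library to use it for authenticating with various Azure services. This is useful for scenarios where services running under the SYSTEM account need to access Azure resources.
By default the login is executed under the service account through PsExec. With -useCurrentUser the login runs as the current user and that user's token cache is copied into the SYSTEM profile instead.
The script must be run from an elevated (administrator) session.
.PARAMETER serviceAccount
Name of the built-in "NT AUTHORITY" account that PsExec runs "az login" as. Defaults to SYSTEM.
.PARAMETER useCurrentUser
Log in as the current user and copy the token cache into the SYSTEM profile instead of using PsExec. Not recommended, because it places the current user's credentials in the SYSTEM profile.
.PARAMETER Force
Only with -useCurrentUser: delete the current user's existing Azure CLI profile ($env:USERPROFILE\.azure) and log in again.
.EXAMPLE
.\Configure-ServiceFabricAuth.ps1
Runs the script to authenticate via Azure CLI as SYSTEM and store the auth token in the SYSTEM user profile.
.NOTES
Exits with status 1 when not elevated, when a required tool is declined or fails to install, when a downloaded installer fails signature validation, or when no token cache is produced.
#>
param (
  [string]$serviceAccount = "SYSTEM",
  [switch]$useCurrentUser, # Switch to determine whether to use the current user instead of PsExec. Not recommended
  [switch]$Force
)

# Elevation is required: the script writes under the SYSTEM profile and changes its ACLs.
$user = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if (-not $isAdmin) {
  Write-Host "You need to run this script as administrator to configure the Azure CLI token for the $serviceAccount account."
  exit 1
}

# Azure CLI profile directory used when the CLI runs under the SYSTEM account.
$systemCliTokenDirectory = "C:\Windows\System32\config\systemprofile\.azure"

if (Get-Command az -ErrorAction SilentlyContinue) {
  Write-Host "Azure CLI is available."
}
else {
  $installAzureCLI = Read-Host "Azure CLI is not installed. Would you like to install it? (Y/N)"
  # -eq is case-insensitive in PowerShell, so "y" is accepted as well.
  if ($installAzureCLI -eq "Y") {
    Write-Host "Installing Azure CLI..."
    # Download to the user's temp directory rather than the current directory, fail the script on a
    # failed download, and refuse to run an installer whose Authenticode signature does not verify.
    $msiPath = Join-Path $env:TEMP "AzureCLI.msi"
    $ProgressPreference = 'SilentlyContinue'
    Invoke-WebRequest -Uri https://aka.ms/installazurecliwindowsx64 -OutFile $msiPath -ErrorAction Stop
    $signature = Get-AuthenticodeSignature -FilePath $msiPath
    if ($signature.Status -ne 'Valid') {
      Remove-Item -Path $msiPath -ErrorAction SilentlyContinue
      Write-Host "Downloaded Azure CLI installer failed signature validation ($($signature.Status)). Exiting..." -ForegroundColor Red
      exit 1
    }
    Start-Process msiexec.exe -Wait -ArgumentList "/I `"$msiPath`" /quiet"
    Remove-Item -Path $msiPath
    Write-Host "Azure CLI installed successfully."
  }
  else {
    Write-Host "Azure CLI installation declined. Exiting..."
    exit 1
  }
}

# Clear the existing SYSTEM token cache so a stale login cannot be picked up by the steps below.
if (Test-Path $systemCliTokenDirectory) {
  Write-Host "Removing existing Azure CLI token from $systemCliTokenDirectory"
  Remove-Item -Path $systemCliTokenDirectory -Recurse -Force
}

if (-not $useCurrentUser) {
  # Resolved through PATH unless PsExec is installed by this script below.
  $psexecPath = "psexec"
  if (Get-Command psexec -ErrorAction SilentlyContinue) {
    Write-Host "PsExec is available."
  }
  else {
    $installPsExec = Read-Host "PsExec is not installed. Would you like to install it? (Y/N)"
    if ($installPsExec -eq "Y") {
      Write-Host "Installing Sysinternals.PsTools with winget..."
      winget install Microsoft.SysInternals.PsTools --accept-package-agreements
      if ($LASTEXITCODE -ne 0) {
        Write-Host "winget failed to install SysInternals.PsTools (exit code $LASTEXITCODE). Exiting..." -ForegroundColor Red
        exit 1
      }
      Write-Host "SysInternals.PsTools installed successfully."
      # The winget Links folder is not on PATH in this session yet, so call the binary by full path.
      $psexecLocation = "$Env:USERPROFILE\AppData\Local\Microsoft\WinGet\Links\"
      Write-Host "PsExec installed to `"$psexecLocation`""
      $psexecPath = Join-Path $psexecLocation "psexec.exe"
    }
    else {
      Write-Host "SysInternals installation declined. Exiting..."
      exit 1
    }
  }
  Write-Host "Executing Azure CLI login as $serviceAccount..."
  # -i runs the login interactively so the device-code prompt is visible; the cache is expected to land in
  # $systemCliTokenDirectory when the account is SYSTEM (the later ACL step checks that directory).
  & $psexecPath -i -nobanner -u "nt authority\$serviceAccount" powershell -command "az login --use-device-code"
  if ($LASTEXITCODE -ne 0) {
    Write-Host "PsExec / az login returned exit code $LASTEXITCODE." -ForegroundColor Red
  }
}
else {
  Write-Host "Executing Azure CLI login as current user..."
  $sourceDir = "$env:USERPROFILE\.azure"
  if (-not (Test-Path $sourceDir) -or $Force) {
    # -Force discards the current user's whole Azure CLI profile, not only the token, before logging in again.
    if ($Force -and (Test-Path $sourceDir)) {
      Write-Host "Removing existing Azure CLI token from $sourceDir"
      Remove-Item -Path $sourceDir -Recurse -Force
    }
    az login
  }
  if (Test-Path $sourceDir) {
    Write-Host "Copying Azure CLI token from $sourceDir to $systemCliTokenDirectory"
    Copy-Item -Path $sourceDir -Destination $systemCliTokenDirectory -Recurse -Force
  }
  else {
    Write-Host "Azure CLI token not found. Did you login to Azure CLI?"
    exit 1
  }
}

# NETWORK SERVICE is granted access irrespective of -serviceAccount; per the gist description this is
# what lets Service Fabric services running as NETWORK SERVICE use the cached credential.
Write-Host "Setting permissions for NETWORK SERVICE to access $($systemCliTokenDirectory)"
if (Test-Path $systemCliTokenDirectory) {
  # One icacls pass grants the folder and everything below it (/T) and re-enables inheritance (/inheritance:e).
  # NOTE(review): Full control (F) is wider than reading a token cache requires; Modify (M) is likely
  # sufficient even if the CLI rewrites the cache on refresh - verify before narrowing.
  $icaclsOutput = icacls $systemCliTokenDirectory /grant "NETWORK SERVICE:(OI)(CI)F" /T /C /Q /inheritance:e
  Write-Host "icacls output: $icaclsOutput"
  if ($LASTEXITCODE -ne 0) {
    Write-Host "icacls returned exit code $LASTEXITCODE." -ForegroundColor Red
  }
  # Verify the ACE actually landed rather than trusting the icacls exit status alone.
  $acl = Get-Acl $systemCliTokenDirectory
  $accessRules = $acl.Access | Where-Object {
    $_.IdentityReference -eq "NT AUTHORITY\NETWORK SERVICE" -and
    $_.FileSystemRights -eq "FullControl" -and
    $_.InheritanceFlags -eq "ContainerInherit, ObjectInherit"
  }
  if ($accessRules) {
    Write-Host "Permissions for NETWORK SERVICE are correctly set." -ForegroundColor Green
  } else {
    Write-Host "Failed to set permissions for NETWORK SERVICE." -ForegroundColor Red
  }
} else {
  Write-Host "Directory $systemCliTokenDirectory does not exist." -ForegroundColor Red
}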