Connect-AzureRmAccount silently fails to log in when using -ServicePrincipal flag #6353

Closed
mehmetseckin opened this issue May 31, 2018 · 6 comments

Comments

@mehmetseckin
Contributor

Description

I'm trying to connect to my subscription so that I can create resources and deploy web applications through PowerShell.

I'm using Connect-AzureRmAccount cmdlet with -ServicePrincipal switch and -Credential and -TenantId arguments. The command does not throw an error and says the login was successful, but it does not return any information about the account / subscription / tenant, the command just outputs the following:

Account          : 
SubscriptionName : 
SubscriptionId   : 
TenantId         : 
Environment      : 

The next AzureRM operation fails with the following message:

Run Connect-AzureRmAccount to login.

Script/Steps for Reproduction

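Write-Output "Logging in to AzureRM Account"
# Service principal (application) ID, key and tenant ID; all three are placeholders
$azApplicationId = "<My Application ID>"
$azApplicationKey = "<My Application Key>"
$azTenantId = "<My Tenant ID>"
# Wrap the key in a SecureString and build the credential object
$azSecureApplicationKey = $azApplicationKey | ConvertTo-SecureString -AsPlainText -Force
$azCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $azApplicationId, $azSecureApplicationKey
# Log in as the service principal, then run a follow-up AzureRM command
Connect-AzureRmAccount -Credential $azCredential -TenantId $azTenantId -ServicePrincipal
Get-AzureRmSubscription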

Module Version

ModuleType Version    Name                                ExportedCommands                                                            
---------- -------    ----                                ----------------                                                            
Script     6.1.1      AzureRM                                                                                                         

Environment Data

Name                           Value                                                                                                  
----                           -----                                                                                                  
PSVersion                      5.1.16299.251                                                                                          
PSEdition                      Desktop                                                                                                
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                
BuildVersion                   10.0.16299.251                                                                                         
CLRVersion                     4.0.30319.42000                                                                                        
WSManStackVersion              3.0                                                                                                    
PSRemotingProtocolVersion      2.3                                                                                                    
SerializationVersion           1.1.0.1    

Debug Output

Logging in to AzureRM Account
DEBUG: 16:02:32 - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ServicePrincipalWithSubscriptionId'.
DEBUG: 16:02:32 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 16:02:32 - No autosave setting detected in environment variable 'AzureRmContextAutoSave'. 
DEBUG: 16:02:32 - Using Autosave scope 'CurrentUser'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://management.core.windows.net/', ValidateAuthrity: 'True'
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - AcquireTokenHandlerBase: === Token Acquisition started:
	Authority: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
	Resource: https://management.core.windows.net/
	ClientId: 8faa51b4-e956-40db-9762-5bc8bcd9c18e
	CacheType: Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache (5 items)
	Authentication Target: Client
	

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 : 
DEBUG: 05/31/2018 15:02:32:  - TokenCache: Deserialized 5 items to token cache.

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - TokenCache: Looking up cache for a token...

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - TokenCache: An item matching the requested resource was found in the cache

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - TokenCache: 58.9887543616667 minutes left until token in cache expires

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - TokenCache: A matching item (access token or refresh token or both) was found in the cache

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 : 
DEBUG: 05/31/2018 15:02:32: 5a0d474c-b33f-4ae6-acca-5e035b13f496 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
	Access Token Hash: fICoF5192aRnIWkp/RdV2p2FbHN+3FlqQ50VgiDydWs=
	Refresh Token Hash: [No Refresh Token]
	Expiration Time: 05/31/2018 16:01:31 +00:00
	User Hash: null
	

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?api-version=2016-06-01

Headers:
x-ms-client-request-id        : 30cfb03a-6075-4e62-a131-6dc99bebea9b
accept-language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 14999
x-ms-request-id               : 67ea9978-cdb3-4ac6-aade-0892b6a9c466
x-ms-correlation-request-id   : 67ea9978-cdb3-4ac6-aade-0892b6a9c466
x-ms-routing-request-id       : UKWEST:20180531T150231Z:67ea9978-cdb3-4ac6-aade-0892b6a9c466
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 31 May 2018 15:02:31 GMT

Body:
{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "subscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "displayName": "Visual Studio Enterprise – MPN",
  "state": "Enabled",
  "subscriptionPolicies": {
    "locationPlacementId": "Public_2014-09-01",
    "quotaId": "MSDN_2014-09-01",
    "spendingLimit": "On"
  },
  "authorizationSource": "RoleBased"
}




Account          : 
SubscriptionName : 
SubscriptionId   : 
TenantId         : 
Environment      : 

DEBUG: AzureQoSEvent: CommandName - Connect-AzureRmAccount; IsSuccess - True; Duration - 00:00:00.2459544; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 16:02:32 - ConnectAzureRmAccountCommand end processing.
DEBUG: 16:02:32 - ConnectAzureRmAccountCommand end processing.
DEBUG: 16:02:32 - GetAzureRMSubscriptionCommand begin processing with ParameterSet 'ListByIdInTenant'.
Get-AzureRmSubscription : Run Connect-AzureRmAccount to login.
At C:\Deployment\main.ps1:32 char:1
+ Get-AzureRmSubscription
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-AzureRmSubscription], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand
@mehmetseckin
Contributor Author

mehmetseckin commented May 31, 2018

After adding the line Import-Module -Name AzureRM.Profile before the script, it started to use my work account by default as this is my work machine.

Then I ran Remove-AzureRmAccount to clear it up, re-ran my script, and it worked fine.
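
The following guard is an added example, not part of the original thread or of the AzureRM project. It shows one way to make a deployment script fail closed when Connect-AzureRmAccount reports success but leaves an empty context, or a context for a different identity such as a cached work account. The function name Connect-ServicePrincipalStrict and its parameters are hypothetical.

```powershell
# Added example: wrapper that refuses to continue unless the session context
# really belongs to the expected service principal. Names are hypothetical.
function Connect-ServicePrincipalStrict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ApplicationId,
        [Parameter(Mandatory)] [securestring] $ApplicationKey,
        [Parameter(Mandatory)] [string]       $TenantId
    )

    $credential = New-Object System.Management.Automation.PSCredential `
        -ArgumentList $ApplicationId, $ApplicationKey

    # -Scope Process applies the context change to this process only,
    # instead of the autosaved 'CurrentUser' scope seen in the debug output.
    Connect-AzureRmAccount -ServicePrincipal -Credential $credential `
        -TenantId $TenantId -Scope Process -ErrorAction Stop | Out-Null

    # Do not trust the cmdlet's "success"; inspect the resulting context.
    $ctx = Get-AzureRmContext
    if (-not $ctx -or -not $ctx.Account) {
        throw "Login returned no account context (empty Account/TenantId)."
    }

    # The active identity must be the service principal that was requested,
    # not a user account left over from an earlier interactive login.
    if ($ctx.Account.Type -ne 'ServicePrincipal' -or
        $ctx.Account.Id -ne $ApplicationId) {
        throw "Unexpected identity in context: '$($ctx.Account.Id)' ($($ctx.Account.Type))."
    }

    if ($ctx.Tenant.Id -ne $TenantId) {
        throw "Context tenant '$($ctx.Tenant.Id)' does not match '$TenantId'."
    }

    # No subscription in the context means later AzureRM calls have nothing
    # to act on; check the principal's role assignments on the subscription.
    if (-not $ctx.Subscription) {
        throw "Login succeeded but no subscription is available to this principal."
    }

    return $ctx
}
```

Call it in place of the bare Connect-AzureRmAccount line and let the exception stop the deployment; passing the key as a SecureString (for example from Read-Host -AsSecureString) keeps it out of the script text.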

@wuy3

wuy3 commented Jun 13, 2018

I have the same issue on Azure Functions App and finally found your post. I have already installed a recent AzureRM.Profile and AzureRM.Resource modules (not shown in the example) to the wwwroot/<func name>/Modules folder, so I'm not sure what I'm missing. The problem persists for me.

Azure function output below. Note the empty values for Account, SubscriptionName, SubscriptionId, TenantId, and Environment.

"\r\nModuleType Version Name ExportedCommands \r\n---------- ------- ---- ---------------- \r\nScript 5.1.0 AzureRM.Profile {Add-AzureRmEnvironment, Clear-AzureRmContext, Clear-AzureR...\r\n\r\n\r\nSPmanager: \r\n\r\n\r\nAccount : \r\nSubscriptionName : \r\nSubscriptionId : \r\nTenantId : \r\nEnvironment : \r\n\r\n\r\n\r\n"

@wuy3

wuy3 commented Jun 13, 2018

I figured out what was wrong. For others who find my issue through Google, see below for the explanation.

In order for Azure Functions App to run Connect-AzureRmAccount, you need to manually install AzureRM.Profile and AzureRM.Resource through Kudu (zip em up, drop em in a modules folder under your function folder). My Azure Functions App was set to 32-bit by default (why 32-bit by default Azure team? this is 2018). The PowerShell modules I packed up and installed were 64-bit (because my dev machine runs 64-bit Windows 10).

As soon as I toggled my Azure Functions App to 64-bit, the 64-bit AzureRM.Profile and AzureRM.Resource modules started working again.

@wuy3

wuy3 commented Jun 14, 2018

Actually, let me correct myself. Connect-AzureRmAccount seems to enter a state where it will return empty results, but I can solve this by toggling between 32-bit and 64-bit execution.

@jackyycheng

I have experienced a similar issue too. How I resolved this issue is a little bit different. I have two subscriptions, and the service principal account I created was not able to log on. I tried the above suggestions and they did not work. Finally I found out that I can resolve this issue by going to the subscription, Access control, and giving the Reader role to the SP account I created. Then everything works perfectly fine after.

@pebre77

pebre77 commented Jul 31, 2018

@wuy3 @jackyycheng Could you please provide more details on how this was resolved? I created an Azure Function that will receive a PS script as a parameter, but the problem is that "The term 'Connect-AzureRMAccount' is not recognized as the name of a cmdlet, function, script file, or operable program". I created a folder "modules" and copied the "AzureRM.Profile" folder and "AzureRM.Resource" folder into it and it's not working; I changed from 32 to 64 bits, same... What else needs to be changed on the Azure Function?


4 participants