
Service principal authentication fails in Azure Automation #655

jodoglevy opened this issue Jul 27, 2015 · 12 comments
Labels
Automation Service Attention This issue is responsible by Azure service team.
Comments

@jodoglevy

Currently, it is not possible to use the ARM cmdlets in Azure Automation, if authenticating with a service principal, due to the fact that Azure Automation sandboxes don't have the cred store the ARM module tries to store the SP cred in. The ARM module should be updated to not assume there is a cred store for the SP cred.

I know this is already being tracked internally by Azure PowerShell (as 4392531), just opening here so affected Azure Automation users can follow the issue.

@jodoglevy
Author

Reopening since this still repros.

@jodoglevy jodoglevy reopened this Aug 20, 2015
@jodoglevy
Author

FYI for anyone blocked by this issue, as a workaround you can use a hybrid runbook worker. Service principal auth should work there.

@BrianFarnhill

Was this issue ever resolved? I believe I'm currently seeing issues with this at the moment.

@dgarc23

dgarc23 commented Jan 25, 2016

me too..

@jodoglevy
Author

We're working on a feature to make this easier, for now you have to generate a service principal that can auth via a certificate, and then auth via that service principal certificate in Azure Automation runbooks. Attached is a script that can be used to generate a service principal / certificate, and a runbook that auths to Azure via a service principal using certificate auth.

01CreateCertAndServicePrincipal.ps1.txt

03ServicePrincipalWithCertRunbook.ps1.txt

@dgarc23

dgarc23 commented Jan 26, 2016

The CreateCert code only works for Windows 8 and above... So I had a hard time figuring that out... now... the thing is that creating the AzureRMADApplication fails...
New-AzureRmADApplication : {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Key credential end date is invalid."},"values":[{"item":"PropertyName","value":"None"},{"item":"PropertyErrorCode","value":"InvalidKeyEndDate"}]}}

@dgarc23

dgarc23 commented Jan 27, 2016

Ok, finally it's working for me... what I did...
Create a self signed certificate, using IIS. (because I'm working with Windows 7)
Then, obtained all the properties for the certificate

# Load the PFX (the backslashes in the path were eaten by markdown in the original post)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\${name}\${name}.pfx", "CertificatePassword")
# Public certificate bytes, base64 encoded, become the application's key credential
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Key credential validity must match the certificate's own validity window
$startDate = $cert.GetEffectiveDateString()
$endDate = $cert.GetExpirationDateString()

and finally create the App

$azureAdApplication = New-AzureRmADApplication -DisplayName "${applicationName}" -HomePage "https://${applicationName}" -IdentifierUris "https://${applicationName}" -KeyValue $keyValue -KeyType "AsymmetricX509Cert" -KeyUsage "Verify" -StartDate $startDate -EndDate $endDate
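An added example, not the scripts attached to this issue nor Azure's own code, that carries the steps above through to the runbook login described earlier in the thread: it takes the key credential dates from the certificate itself (the InvalidKeyEndDate error above comes from dates outside its validity), retries the role assignment instead of relying on a fixed sleep for the PrincipalNotFound race, scopes the role to one resource group, and has the runbook verify the imported asset actually carries a private key. Function names, the resource-group scope and the asset/variable names are assumptions; the cmdlets are the AzureRM-era ones used in this thread.

```powershell
# Added example, not the scripts attached to this issue. Uses the AzureRM-era cmdlets
# from this thread; function names and asset names are assumptions.

# Part 1, run locally after Login-AzureRmAccount: register an AD application whose
# key credential is the certificate, create its service principal, grant a scoped role.
function New-CertServicePrincipal {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string]$ApplicationName,
        [Parameter(Mandatory)][string]$ResourceGroupName   # role scope: one RG, not the subscription
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    # Dates outside the certificate's validity give the "Key credential end date is invalid" error
    $app = New-AzureRmADApplication -DisplayName $ApplicationName `
        -HomePage "https://$ApplicationName" -IdentifierUris "https://$ApplicationName" `
        -KeyValue ([Convert]::ToBase64String($cert.GetRawCertData())) `
        -KeyType AsymmetricX509Cert -KeyUsage Verify `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    $null = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    # The new principal takes time to replicate (the PrincipalNotFound error in this thread);
    # retry the role assignment instead of a fixed 30 second sleep.
    $assigned = $false
    for ($i = 0; $i -lt 12 -and -not $assigned; $i++) {
        try {
            $null = New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
                -ServicePrincipalName $app.ApplicationId `
                -ResourceGroupName $ResourceGroupName -ErrorAction Stop
            $assigned = $true
        } catch { Start-Sleep -Seconds 10 }
    }
    if (-not $assigned) { throw "Role assignment for $($app.ApplicationId) still failing after retries" }
    [pscustomobject]@{ ApplicationId = $app.ApplicationId; Thumbprint = $cert.Thumbprint }
}

# Part 2, the runbook body in Azure Automation. The certificate asset must have been
# imported as exportable (see above), or the sandbox only gets a certificate without its key.
function Connect-AutomationServicePrincipal {
    param(
        [Parameter(Mandatory)][string]$CertificateAssetName,
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$TenantId
    )
    $cert = Get-AutomationCertificate -Name $CertificateAssetName
    if (-not $cert.HasPrivateKey) { throw "Asset '$CertificateAssetName' has no private key; re-import it as exportable" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter); rotate it" }
    Add-AzureRmAccount -ServicePrincipal -TenantId $TenantId `
        -ApplicationId $ApplicationId -CertificateThumbprint $cert.Thumbprint
}
```

Part 1 returns the ApplicationId and thumbprint the runbook needs; store them as Automation variables and the PFX as an exportable certificate asset, then call the part 2 function at the top of the runbook.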

@jodoglevy
Author

Please note - make sure the service principal cert is marked exportable when imported as an asset to Azure Automation.

@jodoglevy
Author

Please note - if you get error:
PrincipalNotFound: Principal <some id> does not exist in the directory <some guid> when running the script provided above that creates service principals and service principal certificates (https://github.com/Azure/azure-powershell/files/104033/01CreateCertAndServicePrincipal.ps1.txt), please add a sleep of 30 seconds between steps 5 & 6 in the script, that will resolve the issue:

Start-Sleep -s 30

@jodoglevy jodoglevy added this to the Apr2016 milestone Mar 12, 2016
@jodoglevy
Author

We are taking steps in the service to make creation of a service principal / cert easier

@jodoglevy
Author

Creation of a service principal / service principal certificate, and authentication with it from the Automation service, is now much easier. Please see https://azure.microsoft.com/en-us/documentation/articles/automation-sec-configure-azure-runas-account/ for more details.

@cloud-owen

why is this closed? it isn't fixed
