Get-AzureRmSubscription does not work correctly when multiple user accounts map to a single email #1665
Comments
@timoschwarte, Thanks for reporting. Which version of Azure PowerShell cmdlets are you using? Are you using any parameters for
@hovsepm In this case I ran E.g. when running outside of my organizational domain:
With parameters (again outside my organization):
I did nothing else in between, just ran the same command twice. Similar things happen when I try to
First Get, then Select:
One more thing... I have two aliases associated with my Microsoft account (primary .com + one additional alias .fi).
Out of curiosity, have you turned on two factor auth (2FA) for your Microsoft account? I noticed that if I use the then I get the same issues as you have mentioned, the unable to acquire token error. If I just do Not sure if that helps, but it works for me.
Is there any solution for this? In the second Automation account, the same script and same user get this error on login. Any advice would help to move forward. Thanks
@damienmci Yes, I have two factor authentication enabled on my Microsoft account and always authenticate through the popup dialog. I'm considering trying to disable 2FA and try the Get-Credential method, just to check if it changes anything... will comment if it does.
@timoschwarte To figure this out, we're going to need the ADAL traces while you are logging in and doing the Get-AzureRMSubscription. I would also suggest using the latest version (released today). I suspect this may be related to the account name returned in the token from ADAL, but without the ADAL traces, it is difficult to say. To get ADAL traces, run the commands with
When using Select-AzureRmProfile -Path "C:\foo.json" with a subscription that isn't the default, I get this same error. The creds work even though the error is there.
@markcowl I updated to version 1.2.0 and sent you a transcript of the process in an email. The automatic login to my Organizational account which I noticed in the previous versions does NOT happen anymore with 1.2.0, which is good :) The errors are also slightly different now in 1.2.0, I get And from what I can tell, it has definitely to do with my account and its aliases...
@timoschwarte @deltadan @damienmci The common denominator for these issues seems to be a difference between the display ID (i.e., login id) between your default tenant and another tenant that you have access to. This can happen for various kinds of reasons, normally having to do with some kind of invitation account, in which an invitation is extended to one email address and you accept with a different login. The issue occurs because the user id returned in the token doesn't match the one you logged in with, which prevents us from retrieving the token from the cache later. We are working on using a different key for the token, and have a fix targeted for the next release.
@ashwanikapoor I don't think this issue is related - this sounds like you are trying to use a user id that requires multi-factor authentication (MFA) with a PSCredential login - this will not work, as MFA always requires user interaction. The solution is to use a service principal when running PowerShell automation.
Hi, I created an automation user and I also get
The same powershell commands I use to log in successfully on many VMS do not work on a specific VM, even though all VMs were created based on the same generalized image of mine (so they all have the same powershell version etc.).
Also
The exact same commands work fine on all my other VMs... Any advice?
Hi. I have the same issue. When an account has permission on multiple subscriptions, if you only run Add-AzureRmAccount and Save-AzureRmProfile, the profile saved by Save-AzureRmProfile is not complete. Afterwards, when you load this profile, you can't loop through AzureRmSubscription with the Select-AzureRmSubscription command. In my case, the workaround was to connect to Azure (Add-AzureRmAccount), select my first subscription (Select-AzureRmSubscription -SubscriptionName "***_1"), Save-AzureRmProfile, then select my second subscription (Select-AzureRmSubscription -SubscriptionName "_***2") and save it as another profile. Then in the PowerShell script I'm running, I loop over the AzureRmProfile files created previously to connect to each subscription without errors.
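The per-subscription profile workaround described in the comment above, written out as an added example script (not code from the thread or from the Azure PowerShell project). It assumes the AzureRM 1.x cmdlets named in the thread (Add-AzureRmAccount, Select-AzureRmSubscription, Save-AzureRmProfile, Select-AzureRmProfile, Get-AzureRmContext); the subscription names and the profile directory are constructed placeholders, and the context property names (Subscription.SubscriptionName, Tenant.TenantId) are assumed for that module version.

```powershell
# Constructed placeholders: replace with the real subscription display names.
$subscriptionNames = @('SUBSCRIPTION_1_NAME', 'SUBSCRIPTION_2_NAME')

# Profile files hold cached tokens, so keep them in a per-user directory, not a shared path.
$profileDir = Join-Path $env:USERPROFILE 'AzureRmProfiles'
New-Item -ItemType Directory -Path $profileDir -Force | Out-Null

# Step 1 (interactive, run once): log in, then save one profile per subscription.
# Saving after Select-AzureRmSubscription is what makes each profile complete.
Add-AzureRmAccount | Out-Null
foreach ($name in $subscriptionNames) {
    Select-AzureRmSubscription -SubscriptionName $name | Out-Null
    $safeName = $name -replace '[^\w\-]', '_'          # file-system safe name
    $path = Join-Path $profileDir ("{0}.json" -f $safeName)
    Save-AzureRmProfile -Path $path -Force
    Write-Output "Saved profile for '$name' to $path"
}

# Step 2 (unattended): load each profile in turn and verify the context before doing work,
# so a profile that silently resolved to the wrong tenant is caught instead of acted on.
Get-ChildItem -Path $profileDir -Filter '*.json' | ForEach-Object {
    Select-AzureRmProfile -Path $_.FullName | Out-Null
    $ctx = Get-AzureRmContext     # property names assumed for AzureRM 1.x
    $subName = $ctx.Subscription.SubscriptionName
    $tenant = $ctx.Tenant.TenantId
    if ($subscriptionNames -notcontains $subName) {
        Write-Warning ("Profile {0} resolved to unexpected subscription '{1}' (tenant {2}); skipping" -f $_.Name, $subName, $tenant)
        return
    }
    Write-Output ("Profile {0}: subscription '{1}' in tenant {2}" -f $_.Name, $subName, $tenant)
    # per-subscription work goes here, e.g. Get-AzureRmResourceGroup
}
```

The check in step 2 is the part worth keeping even if the rest changes: since the thread's bug is that a second Get-AzureRmSubscription can silently switch to a different tenant, a script that loads saved profiles should confirm which subscription and tenant the context actually resolved to before it touches resources.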
In my case, my account only has access to one subscription.
Ok so it turned out that in my case it was the DNS of my server that was wrong. My server was unable to resolve addresses and I found it out by upgrading Azure PowerShell from 1.1.0 to 1.3.0. In 1.1.0 I was getting that error I mentioned previously (Provided subscription does not exist) and in 1.3.0 the error was slightly more helpful (something along the lines of "cannot resolve login.microsoftonline.com").
Having the same issue. Inconsistently on various VMs/laptops.
What would be the troubleshooting and workaround?
Root Cause: The DisplayableId in the token for some tenants does not match the login id. This causes the token not to be retrieved if we set RequiredDisplayableId as the user identifier type when making calls to ADAL.
Proposed Solution:
Cost (Work Units): 6
@venkataitha This issue is particularly about the issue with multiple UPNs being associated with an email address. If you have a different problem, please file a different issue. To answer your question, you can add a service principal to an existing app if you have sufficient privileges, then you should be able to log in using the certificate credentials. Log in using SPN + Secret in Automation doesn't work because the CredManCache is used for storing the secret and this API is not one of the APIs on the allow list for the Automation sandbox. SPN + certificate will work. Note that new runbooks contain a 'RunAs' connection automatically which can make this easier - it consists of a preconfigured SPN + cert.
Cost: 8
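The SPN + certificate login through the preconfigured RunAs connection that the comment above recommends for Azure Automation, as an added example runbook fragment (not code from the thread or from the Azure PowerShell project). It assumes the Automation-sandbox cmdlet Get-AutomationConnection and the AzureRM cmdlets Add-AzureRmAccount and Select-AzureRmSubscription; 'AzureRunAsConnection' is the default asset name created with a RunAs account, and the connection fields used here (TenantId, ApplicationId, CertificateThumbprint, SubscriptionId) are the ones that asset type carries.

```powershell
# Runs inside an Azure Automation runbook. No user credential is involved, so a
# user account's MFA requirement (the failure mode discussed above) never applies:
# the runbook authenticates as a service principal with a certificate held by Automation.
$connectionName = 'AzureRunAsConnection'   # default RunAs asset name

try {
    $conn = Get-AutomationConnection -Name $connectionName
} catch {
    throw "Connection asset '$connectionName' not found; create a RunAs account for this Automation account first."
}

# Certificate-based SPN login; the secret-based variant is the one the comment says
# cannot work in the sandbox because CredManCache is not on the allow list.
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Pin the subscription explicitly instead of trusting whatever default the token resolved to.
Select-AzureRmSubscription -SubscriptionId $conn.SubscriptionId | Out-Null

# Fail closed if the context is not the subscription the connection asset names.
$ctx = Get-AzureRmContext
if ($ctx.Subscription.SubscriptionId -ne $conn.SubscriptionId) {
    throw "Context resolved to unexpected subscription $($ctx.Subscription.SubscriptionId)"
}
Write-Output "Authenticated as SPN $($conn.ApplicationId) in tenant $($conn.TenantId), subscription $($conn.SubscriptionId)"
```

Because the service principal is scoped to a single tenant and the subscription is pinned from the connection asset, this path sidesteps the multi-tenant display-id mismatch the issue is about; the final check makes a wrong-subscription outcome an error rather than a silent surprise.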
Thanks @markcowl for this explanation. When you say that "SPN + Secret in Automation doesn't work", is this something that is considered a bug or is this something official that is by design? If it's by design, it would be great to have a page explaining the authentication methods we have when using Azure Automation.
The command worked for me: Login-AzureRmAccount -TenantId $tenantId
Guys, this is 2019 now. And the problem still remains?
But wait, there's more: for a limited time only can you use AzureRM. Microsoft is abandoning AzureRM. So get your bug fixes in while you can, because you only get bug fixes up through at least December 2020 https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-2.2.0
Been tracking this for a while, now I have the same problem... Anyone from MS going to handle it?
Still not fixed. This is a blocker. Azure PowerShell has become useless.
I have the same thing - I have a Live and an Office 365 account [email protected], which results in the wrong subscriptions being listed.
AzureRM has already been retired, so we will close this issue.
I noticed the following bug in the Get-AzureRmSubscription cmdlet:
I have two accounts associated with 3 separate Azure subscriptions:
(A) Microsoft account associated with subscriptions A and B
(B) Organizational account associated with subscription C
Scenario 1 (the worse scenario):
I'm logged into Windows with my AD account (B), which is associated with the Organizational account for subscription C.
1. Login-AzureRmSubscription and provide credentials for my Microsoft account (A)
2. Get-AzureRmSubscription -> Subscriptions A and B are returned (correct)
3. Get-AzureRmSubscription again (without doing anything else) -> Subscription C is returned
It seems I'm automatically logged in through our organizational ADFS to my organizational account (B) associated with subscription C without me actively doing anything to achieve this. Worse: I do not even get any indication about this happening.
Scenario 2:
I'm logged into Windows with an account outside of my organization's AD domain (e.g. a local account).
1. Login-AzureRmSubscription and provide credentials for my Microsoft account (A)
2. Get-AzureRmSubscription -> Subscriptions A and B are returned (correct)
3. Get-AzureRmSubscription again (without doing anything else) -> Subscription B is returned and I get the following warning messages:
WARNING: Unable to acquire token for tenant 'Common'
WARNING: Unable to acquire token for tenant '--tenant GUID for subscription A--'
It seems I can still run Select-AzureRmSubscription and select subscription B, but not Subscription A.
Probably not relevant, but subscription A is a "Visual Studio Premium with MSDN" subscription.
I hope this explanation is understandable :)
Best regards
Timo