Set-AzContext: Please provide a valid tenant or a valid subscription - azure

I am trying to swap over to a different subscription within my Azure Account. The subscription is correct and the command itself seems to be correct but I am getting the error in the screenshot. Any suggestions..?

Make sure you logged in with the correct AAD tenant which the subscription locates in, just pass the tenant id to the command.
Set-AzContext -Subscription <subscription-id> -Tenant <tenant-id>

After receiving this error I ran
Login-AzureRmAccount
Logged in to the login screen that appeared and it started working

I avoid issues like that by listing all of your subscriptions you have access to, filter those for the one you want, and set that as your active context.
Get-AzContext -ListAvailable | Where{$_.Name -match 'MySub1'} | Set-AzContext
You just need to fill in the name of the subscription or something. You can also run Get-AzContext -ListAvailable to see what subscriptions are available to you.

Related

unable to authenticate to azure using powershell

we had an azure tenant.
we opened a new one, and passed our users to the new tenant and then added our users to the old tenants as guests.
Passing means that we deleted our users from the first tenant, then we migrated the domain to the new tenant and we created the users with the same properties in the new tenant.
since then every time we try to connect to azure using powershell with the commend Connect-azaccount -TenantId we get the following error:
Unable to acquire token for tenant '***' with error 'SharedTokenCacheCredential authentication unavailable. No account matching the specified username: *** tenantId: *** was found in the cache.'
does someone knows hoe to fix this?
thank you
we have tried every thing we found online.
we tries clear-azcontext, deleting the certificated from our machines, deleting powershell and reinstalling, etc...
Unable to acquire token for tenant xxx with error SharedTokenCacheCredential authentication unavailable. No account matching the specified username: xxx tenantId: xxx was found in the cache
The error usually occurs if the user is not present in the tenant you are trying to sign-in.
To check the error in detail, you can try debugging like below:
$DebugPreference = "Continue"
Connect-AzAccount -TenantID XXXX
Based on the debug details, you can check which Tenant is the user being connected to or any user details.
Try to connect with Subscription ID like below:
Connect-AzAccount -Subscription SubscriptionID -TenantId TenantID
Check if the user is having MFA enabled and try connecting with Global Admin account. And it might be the scenario where the account might be still cached in the local machine, so try if it works in another machine.
You can also make use of Device Authentication like below:
Connect-AzAccount -Tenant TenantID -UseDeviceAuthentication
Open the browser and enter the code:
Make sure to install the Az module like below:
Initially clear the cache and try to install by setting execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Install-Module Az
Import-Module Az
Update-Module -Name Az
Check whether the user account in the Tenant has required permissions to the subscription.
Try to select the Context in PowerShell:
Get-AzContext -ListAvailable
Select-AzContext -Name Name
Or you can set context to the SubscriptionID by including TenantID:
Set-AzContext -Subscription $subscription -Tenant $tenantId | Out-null
If still the issue persists, it might be some environment problem while migrating the domain.
For me the problem seemed to be related to using a "legacy" account (or whatever they're called). Making and using a new account seemed to resolve the issue for me.

managed identity for this assignment does not have the appropriate permissions to remediate these resources. Edit Assignment page and re-save it

I have a requirement of creating policy assignment from policy initiative and do remediation. I can create assignment using the below command.
$newRgAssignment = New-AzPolicyAssignment -Name $assigName -PolicySetDefinition $policySet -PolicyParameterObject $Params -AssignIdentity -Location 'westus' -scope $rgscope -DisplayName $assigName
In this I can create assignment successfully. while trying to remediation manually in I can see the below error message in azure portal .
The managed identity for this assignment does not have the appropriate permissions to remediate these resources. To add these permissions, go to the Edit Assignment page for this Policy and re-save it.
I tried creating a policy assignment by passing SystemAssigned identity type but ran into same problem.
I have left with only one option that is UserAssigned identity type. To pass this parameter we need to get the assigned user identity . To get the user identity I used the below commands
Set-AzContext -Subscription 'XYZ-123-ABC'
$UserAssignedIdentity = Get-AzUserAssignedIdentity
But no use.
Can any one help me on this issue. Any help can be appriciated.
Thank you.
TenantId 'xxxx-xxxx-xxxx-xxxx' contains more than one active
subscription. First one will be selected for further use. To select
another subscription, use Set-AzContext. This is not any error. Its a
warning. Get-AzUserAssignedIdentity command returning null.
We have tried with below cmd after installing module Az.ManagedSericeIdentity and can able to get the results.
Warning you might receive but after Set-AzContext -Subscription 'XYZ-123-ABC'
it will be logged into the correct subscription you wanted to.
After successfully login type $UserAssignedIdentity even if you have user role to that subscription.
For more information please refer the below links:-
MS DOC| Get-AzUserAssignedIdentity
SO THREAD .

Remove Role assignment using powershell in azure

when im trying to remove role assignment for a storage account using azure automation account
Remove-AzRoleAssignment -SignInName "john#example.com" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "/subscriptions/000-8888-7777/resourceGroups/$resourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount"
using above command getting
Cannot find principle using specified options
Email you provide seem to be not correct SigninName.
If you have access to Azure Active Directory you may check User Principal Name for this user and try it instead. In case of my private subscription it did end with onmicrosoft.com. If you use User Principal Name you should get results you expect.
The error "Cannot find principle using specified options" usually occurs if you don't have the required privileges.
Make sure to run as an Administrator and login with Admin credentials to Azure AD.
I tried in my environment and got the same error when the role is missing with incorrect sign-in name like below:
Please check whether the role you are trying to remove is existing or not in the scope like below:
Get-AzRoleAssignment -SignInName "UPN" | FL DisplayName, RoleDefinationName, Scope
Ensure to give correct UPN (User Principal Name) of the user.
Make use of the above response to run the below command:
Remove-AzRoleAssignment -SignInName "UPN" -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope "Your_Scope"
Please recheck the scope you are providing.

How to find out who the Global Administrator is for a directory to which I belong

I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant.
https://graph.windows.net/<tenant>/directoryRoles
Then you need to find the directoryRole where "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", and save the objectId.
Next you can query the members of that directoryRole using the following:
https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members
Try it all out using the Graph Explorer, and it's demo Tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
# Install-Module AzureAD
Connect-AzureAD -TenantID [Your Tenant ID]
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
Currently there's no way on the portal, however using PowerShell, enter the following code:
Connect-MsolService #to connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

Running New-AzureRmResourceGroupDeployment from within a Function App

I need to wire up a stateless worker ad-hoc to perform a long running job based off a user action that self destructs when its done. I am trying to run New-AzureRmResourceGroupDeployment from within a PoSh Function App and cannot figure out how to authenticate to Azure from within the PoSh script.
I tried this:
$accountName = "myID#mydomain.com"
$pwd = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = new-object PSCredential($accountName, $pwd)
Add-AzureRmAccount -Credential $cred
New-AzureResourceGroupDeployment -ResourceGroupName yadda yadda
And I get an error message that I need to use an Organization ID (which I am, our Azure AD is federated and we use AD Sync (and SiteMinder w/o WS-* if that matters)):
Add-AzureRmAccount : -Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
I tried "Login-AzureRMAccount -Credential $cred" with similar results.
If I do the Add- or Login- cmdlets from a PoSh window on my local machine (which is member joined to AD) with the -Credential flag I get a similar error. If I run the cmdlets without the credential I am prompted for credentials through an interactive ID/PW window (I do not have to enter my password once I type in my ID).
Does anyone know how I can do the authentication? I would be okay with authenticating like above, some sort of pass through credential from our web layer, or even an Option C I don't know about.
You will need to use service principal for authentication. A sample with instructions can be found here.
Azure Function role like permissions to Stop Azure Virtual Machines
For that you would need to use Service Principal auth. I don't think there is any sense of copypasting Azure Doc's to this answer, just consult this document:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal

Resources