I want to create the AzureProfile.json file using the Az Module command in PowerShell, so that I can import the json file anytime I want to login to Azure to start\stop my VM's.
Below is the command\script I am using to create it but it is giving me error as shown in the screenshot.
I tried using the below code as well but it gives same error.
Connect-AzAccount -UseDeviceAuthentication
Save-AzProfile -path "$PSScriptRoot\AzureProfile.json"
WARNING: Unable to acquire token for tenant 'organizations'
Connect-AzAccount : DeviceCodeCredential authentication failed: Retry
failed after 4 tries.
From the error message, it looks like the authentication of your account is failing in the Browser pop-up that comes after Login-AzAccount.
I ran the first set of commands and it ran successfully.
Powershell:
Created File:
Note that my PowerShell version is 5.7.0.18831.
You have tried both :
Connect-AzAccount -UseDeviceAuthentication
Login-AzAccount
Both Interactive and non-interactive mode of login.
The error is occurring while trying you communicate to azure. I am suspecting it could be an issue at a machine level or network level (proxy/firewall)
The above issue usually occurs (reproducible at my end) when there are connection issues with the Microsoft Services - blocked by proxy /firewall/GPO etc...
For a quick test you could run the below PowerShell command :
Invoke-WebRequest -Uri "https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode" -Body "client_id=1950a258-227b-4e31-a9cf-717495945fc2&scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2F.default+offline_access+profile+openid" -Method Post
Sample Success Response :
Why the above command ?
The above end point https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode is hit when you use Connect-AzAccount -UseDeviceAuthentication by powershell.
If you encounter a timeout/Name unresolvable issue - the issue is with the network/machine config.
Related
I am required to write a PowerShell script, which can connect to my company's Azure account, check and create Azure resources (eg. Service Bus namespace, Service Bus topic, and Service Bus subscriptions). Everything worked well until I tried to deploy my script as a step in my project's on-premise TeamCity. I keep getting this error message
Exception calling "ShouldContinue" with "2" argument(s): "Windows
PowerShell is in NonInteractive mode. Read and Prompt functionality is
not available."
I investigated and found out that the problem is in this line
Connect-AzAccount
If I run the script manually, it will pop up a prompt asking me to login to Azure. I believe that's what went wrong. Because my project's on-premise TeamCity does not seem have an option to open a prompt for PowerShell command. I have read some workarounds, even on this website, but none of them is applicable to my case. Even a solution like https://stackoverflow.com/a/61099568/8213536 gave me these errors
WARNING: Unable to acquire token for tenant 'organizations' with error
'UsernamePasswordCredential authentication failed: There was an error
parsing WS-Trust response from the endpoint. This may occur if there
is an issue with your ADFS configuration. See
https://aka.ms/msal-net-iwa-troubleshooting for more details. Error
Message: Object reference not set to an instance of an object. See the
troubleshooting guide for more information.
https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot'
Connect-AzAccount : UsernamePasswordCredential authentication failed:
There was an error parsing WS-Trust response from the endpoint. This
may occur if there is an issue with your ADFS configuration. See
https://aka.ms/msal-net-iwa-troubleshooting for more details. Error
Message: Object reference not set to an instance of an object. See the
troubleshooting guide for more information.
https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot
At line:1 char:1
Connect-AzAccount -Credential $creds
+ CategoryInfo : CloseError: (:) [Connect-AzAccount], AuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
One of the other solutions https://stackoverflow.com/a/52014189/8213536 requires an application's principal id, which is not applicable for my scenario either, as I am not creating a new application. I just need to be able to automatically connect to Azure (without prompt), check and create SB Namespace, SB Topic and SB Subscription.
Could someone please help me on this? Thanks.
As promised, I would like to post my solution. First I created a service principal with a client secret key. Then I asked my company's cloud engineer to assign it to the Azure subscription of my company and to the resource group that I intended to group all my necessary resources into. Finally in my code, I implemented something similar to https://stackoverflow.com/a/61099568/8213536
$applicationId = $azServicePrincipalId
Write-Host "Connecting to Azure using principal $applicationId"
$securePassword = $azServicePrincipalPw | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $applicationId, $securePassword
Connect-AzAccount -ServicePrincipal -TenantId $azureTenantId -Credential $credential
$azServicePrincipalId and $azServicePrincipalPw came from the Service Principal itself, while $azureTenantId came from my company's Azure subscription.
It is now working as expected.
I'm desperate here with Powershell and Azure.
I use PowerShell 7.0.1 and AZ 4.1.0.
When I try to connect (by the way, as global admin via 'Connect-AzAccount'), I get this prompt every time: "WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxxxxxxxx to authenticate."
Of course I do that and then I get this error message every time:
Connect-AzAccount: xxxxxxxxxxxxx: Device authentication is required.
Trace ID: xxxxxxxxxxxxxxxxxxxxxxxxx
Correlation ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Timestamp: 2020-05-20 09:12:18Z: Response status code does not indicate success: 401 (Unauthorized).
Does anyone have an idea why this does not work? I have also tried it temporarily without MFA, with the same result.
As Allen pointed, the right thing to do in this case is to engage the ActiveDirectory authentication team.
Meanwhile, can you try the preview of the new authentication experience here.
This uses a vastly updated authentication experience, and may unblock you while we work out the underlying issue.
Use the below script to install Az.Accounts 2.0.1-preview module.
Install-Module -Name Az.Accounts -AllowPrerelease
For more details, you could refer to this issue.
I have installed Az.Accounts 2.0.1-preview, but now a different error message appears. After connecting all seams working fine, but after calling a function it comes to an error again:
PS> Connect-AzAccount -Subscription 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
WARNING: Attempting to launch a browser for authorization code login.
WARNING: We have launched a browser for you to login. For the old experience with device code flow, please run 'Connect-AzAccount -UseDeviceAuthentication'.
WARNING: Unable to acquire token for tenant 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
michael.kristen#inhouse.wko.at INH-Subscription xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AzureCloud
PS> Get-AzDefault
Get-AzDefault: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
I have downloaded powershell azure ad modules and I'm trying to connect to azure ad using below command but it throwing error.
Connect-AzureAD -Confirm
AADSTS900144: The request body must contain the following parameter: 'code'.
I have specified correct credentials even then getting above issue .
https://social.msdn.microsoft.com/Forums/en-US/281ffa55-1024-4d39-b83f-a7f184fc4da8/cannot-login-to-azure-portal?forum=AzureAvailabilityZones
Looks like it might be an azure auth issue.
I am trying to use Powershell to upload a certificate PFX file to Key Vault using the command below:
Import-AzureKeyVaultCertificate -VaultName $kvName -Name $kvCertName -FilePath $aseCertPFXFile -Password $SecureStringPassword
When I run this command, I get the error below:
Import-AzureKeyVaultCertificate : Operation returned an invalid status code 'Forbidden'
I can manually upload this certificate using the portal with no issues and the account I am using to run the PowerShell script is the same one I use when doing it via the portal.
The problem wound up being that there was a residual context from a Service Principal that did not have the necessary permissions to perform the actions. Once I removed that context, it forced a new login where I used my user account and the import worked.
I'm writing a powershell script to setup a new Data Lake store gen1 account, and create folders with updated ACLs. The New-AzDataLakeStoreAccount statement works fine; New-AzDataLakeStoreItem and Get-AzDataLakeStoreItem fail with similar Unknown Error.
Following powershell code will create a new Data Lake store. I have a resourcegroup and security group in the subscription as listed below. The second and third scripts for listing and adding a folder fail. I'm using https://shell.azure.com to execute the powershell.
New-AzDataLakeStoreAccount -ResourceGroupName "ade-dev-eastus2" -Name "adedeveastus2" -Location "East US 2" -DefaultGroup (Get-AzADGroup -DisplayName "Technical Operations").Id -Encryption ServiceManaged -Tag #{User="ADE";}-Tier Consumption
Get-AzDataLakeStoreItem -AccountName "adedeveastus2" -Path "/"
New-AzDataLakeStoreItem -AccountName "adedeveastus2" -Path "/Staging" -Folder
Following is an error message for Get-AzDataLakeStoreItem
Get-AzDataLakeStoreItem : Error in getting metadata for path /.
Operation: GETFILESTATUS failed with Unknown Error: Token Length is 6. Token is most probably malformed. Source: StackTrace: .
Last encountered exception thrown after 5 tries. [There was an error retrieving the managed service access token for resource 'https://datalake.azure.net' using the URI 'http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fdatalake.azure.net&api-version=2018-02-01'. Please check that this managed service is configured to emit tokens at this address and that the associated managed service identity has the appropriate role assignment and try logging in again.,Token Length is 6. Token is most probably malformed.,Token Length is 6. Token is most probably malformed.,Token Length is 6. Token is most probably malformed.,Token Length is 6. Token is most probably malformed.]
[ServerRequestId:]
At line:1 char:1
+ Get-AzDataLakeStoreItem -Account "adedeveastus2" -Path "/"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzDataLakeStoreItem], AdlsException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.DataLakeStore.GetAzureDataLakeStoreItem
The error returned when using a Windows Powershell host is more descriptive.
Operation: GETFILESTATUS failed with Unknown Error: The 'User-Agent' header must be modified using the appropriate property or method.
I would expect to get back a DataLakeStoreItem object, and things like Name and Path. I think a general error for other users of ADL or the Cloud shell powershell?
I can reproduce your issue in the Azure Cloud Shell, when I run the command in local(PSVersion is 5.1.17134.228), I got the same error with the GitHub known issue.
As the datalake team said, see this link:
This is a problem with Httpwebrequest class used by our SDK. Setting useragent for httpwebrequest is different across netframework and netcore:
NET framework: webReq.UserAgent = client.GetUserAgent()
net standard: webReq.Headers["User-Agent"] = client.GetUserAgent()
If you try to later thing in net framework you get the error you are getting above.
When you use this az module which is using the netstandard dll of our SDK. When you use that from windows powershell, its trying to use net standard dll on netframework which gives this error.
And the soluation:
I tested this in net core powershell. It runs fine.
We are moving from httpwebrequest to httpclient which will probably fix the issue.
So basically if you are using windows powershell use azurerm or else use Az from powershell netcore.
It seems explains the error The 'User-Agent' header must be modified using the appropriate property or method, so you could try to use the Az powershell in Powershell core. If it is acceptable, you can also use AzureRM powershell module in windows powershell, it works fine on my side.
Get-AzureRmDataLakeStoreItem -Account "joydatalake2" -Path "/"
New-AzureRmDataLakeStoreItem -Account "joydatalake2" -Path "/Staging" -Folder