Reputation: 1720
Trying to perform an az cli login using a Service Principal and it is throwing an error stating No subscriptions found for <Service_Principal_AppId>. If this is expected, use '--allow-no-subscriptions'. This code has worked fine previously but now it does not appear to work any longer. Command line being used is below:
$sp_appid = (Get-AzureRmADServicePrincipal -DisplayName $spDisplayName).ApplicationId.Guid
$sp_secret = (Get-AzureKeyVaultSecret -VaultName $kvName -Name $appKeySecretName).SecretValueText
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id
I verified that the Service Principal is assigned the Contributor role at the subscription level.
Upvotes: 32
Views: 54974
Reputation: 3479
Try the allow-no-subscriptions parameter.
az login --service-principal --username yourclientid --password yourclientsecret --tenant yourtenant --allow-no-subscriptions
Upvotes: 0
Reputation: 611
I just faced this issue with az 2.62.0 which uses Web Account Manager (WAM) for authentication but had to switch back to browser-based authentication in order for it to work.
az account clear
az config set core.enable_broker_on_windows=false
az login
Documentation: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows
Upvotes: 3
Reputation: 31
Create a Service Principal with Owner/Contributor access,
az ad sp create-for-rbac --name <service-principal-name> --role Owner --scopes /subscriptions/<subscription-id>
Upvotes: 3
Reputation: 17040
Trying to az login with a Service Principal account, which does not have Role Based Access Control in its Subscription Scope, will fail with ERROR: No subscriptions found.
Moreover in recent Azure CLI, using the login command with the subscription flag would return unrecognized arguments: --subscription
Thus, to login without specifying subscription, make sure to add a role to your Service Principal account:
# Authenticate via browser
az login
# Get current subscription
subscriptionID=$(az account show --query id -o tsv)
# Create/update service account with a role (e.g. "Owner")
az ad sp create-for-rbac --name ${theServiceAccount} --role Owner --scopes /subscriptions/${subscriptionID}
# Get current tenant
tenantID=$(az account show --query tenantId -o tsv)
# Login with the updated service account
az login --service-principal --tenant ${tenantID} -u yourUser -p yourPassword
Upvotes: 1
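A way to check the cause these answers describe before retrying the login, as an added example that is not part of any post on this page: it reads the JSON printed by `az role assignment list --assignee <appId> --all -o json`, lists the subscriptions in which the service principal holds a role, and flags Owner-level grants on a whole subscription. The sample data, the function names and the choice of which roles count as broad are assumptions made for the example.

```python
import json
import re

# Constructed sample of `az role assignment list --assignee <appId> --all -o json`
# output, trimmed to the two fields used; GUIDs and names are placeholders.
SAMPLE = json.loads("""[
 {"roleDefinitionName": "Owner",
  "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
 {"roleDefinitionName": "Reader",
  "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-build"},
 {"roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-example"}
]""")

SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})(/.*)?$")
BROAD_ROLES = {"Owner", "User Access Administrator"}  # can change access


def analyze(assignments):
    """Group a principal's role assignments by subscription, flag broad ones."""
    report = {"subscriptions": {}, "unresolved": [], "broad": []}
    for item in assignments:
        role, scope = item["roleDefinitionName"], item["scope"]
        match = SUB_SCOPE.match(scope)
        if not match:
            # Root or management-group scope: inherited by subscriptions, but
            # mapping it to subscription ids needs the hierarchy (not done here).
            report["unresolved"].append((role, scope))
            continue
        report["subscriptions"].setdefault(match.group(1).lower(), []).append(role)
        # Flag access-granting roles held on a whole subscription.
        at_subscription = not (match.group(2) or "").strip("/")
        if role in BROAD_ROLES and at_subscription:
            report["broad"].append((role, scope))
    return report


def explain(report):
    """One-line verdict for the 'No subscriptions found' login error."""
    if not report["subscriptions"] and not report["unresolved"]:
        return "no role assignments: expect 'No subscriptions found'"
    subs = ", ".join(sorted(report["subscriptions"])) or "none directly"
    return f"subscriptions with a role assignment: {subs}"


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(explain(result))
    for role, scope in result["broad"]:
        print(f"review: {role} at {scope}")
```

An empty list from the `az` command is the case the answers above describe; a non-empty list points to one of the other causes mentioned on this page (stale CLI cache, CLI version, or a transient platform issue).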
Reputation: 1758
After creating a service principal in the Azure Active Directory you need to give this new user some roles within a subscription:
Access Control (IAM)
roles assignment (for instance make your service principal contributor)
Then az login should work.
Upvotes: 38
Reputation: 1406
For me, running cache purge worked:
az cache purge
Also, if it still does not work try printing verbose information using:
az login --verbose
Upvotes: 13
Reputation: 117
I had the same issue that suddenly no subscriptions were showing up for my service principal (on 2 different build servers that I originally installed at the same time).
Updating the Azure CLI seemed to fix the issue.
Upvotes: 0
Reputation: 1720
The original problem appears to have been a transient platform problem. Went back to the same code yesterday and it worked with no issues.
Upvotes: 0
Reputation: 42163
Actually, I don't recommend you to mix the Azure Powershell and CLI together. If you insist on doing it, I have tried your script, I could not reproduce your issue, it works fine.
According to the error, you could try to pass a --subscription, it also works.
$sp_appid = (Get-AzADServicePrincipal -DisplayName joywebapp2).ApplicationId.Guid
$sp_secret = (Get-AzKeyVaultSecret -VaultName joykeyvault1 -Name joywebapp2).SecretValueText
$tenant_Id = "xxxxxxxxxxxx"
$subscription_Id = "xxxxxxxxxxx"
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id --subscription $subscription_Id
Note: Because the AzureRM PowerShell module has been deprecated, I use the new Az PowerShell module; if you want to upgrade to Az, see this link. (It may not be the reason for the issue, but I recommend you upgrade it.)
Update:
We have to use AZ CLI simply for the property we are trying to grab...there is no PowerShell equivalent.
Actually you can log in with a service principal via PowerShell; the strong password is the secret. For more details, see this post.
$azureAplicationId ="Azure AD Application Id"
$azureTenantId= "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId , $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
Upvotes: 2