20

Trying to perform an az cli login using a Service Principal and it is throwing an error stating `No subscriptions found for <Service_Principal_AppId>. If this is expected, use '--allow-no-subscriptions'.` This code has worked fine previously but now it does not appear to work any longer. Command line being used is below:

```powershell
$sp_appid = (Get-AzureRmADServicePrincipal -DisplayName $spDisplayName).ApplicationId.Guid
$sp_secret = (Get-AzureKeyVaultSecret -VaultName $kvName -Name $appKeySecretName).SecretValueText
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id
```

I verified that the Service Principal is assigned the Contributor role at the subscription level.

phydeauxman

7 Answers

16

After creating a service principal in the Azure Active Directory you need to give this new user some roles within a subscription:

  • go to your subscription
  • go to Access Control (IAM)
  • Add a role assignment (for instance, make your service principal Contributor)

Then az login should work.

Benjam
  • 2
    For more details please see [Create an Azure AD app and service principal in the portal - Microsoft identity platform | Microsoft Docs](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). – li ki Mar 20 '22 at 10:34
2

Actually, I don't recommend mixing Azure PowerShell and the CLI together. If you insist on doing it: I have tried your script and could not reproduce your issue; it works fine. According to the error, you could try passing `--subscription`; it also works.

```powershell
$sp_appid = (Get-AzADServicePrincipal -DisplayName joywebapp2).ApplicationId.Guid
$sp_secret = (Get-AzKeyVaultSecret -VaultName joykeyvault1 -Name joywebapp2).SecretValueText
$tenant_Id = "xxxxxxxxxxxx"
$subscription_Id = "xxxxxxxxxxx"
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id --subscription $subscription_Id
```


Note: Because the AzureRM PowerShell module has been deprecated, I use the new Az PowerShell module. If you want to upgrade to Az, see this link. (It may not be the reason for the issue, but I recommend you upgrade.)

Update:

> We have to use AZ CLI simply for the property we are trying to grab...there is no PowerShell equivalent.

Actually, you can log in with a service principal via PowerShell; the strong password is the secret. For more details, see this post.

```powershell
$azureAplicationId = "Azure AD Application Id"
$azureTenantId = "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureAplicationId, $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
```
Joy Wang
  • Thanks for testing...will go back and try it again today. Maybe it was a platform issue. We have to use AZ CLI simply for the property we are trying to grab...there is no PowerShell equivalent. Also, would love to move to the new Az module but we do not control the platform we work from and the people that do have not rolled out the Az module yet. – phydeauxman Apr 02 '19 at 16:29
  • @phydeauxman Actually you can login with a service principal via powershell, see my update. Also, if you still have the issue, you can try to pass the `-Subscription` parameter in `Add-AzureRmAccount` command. – Joy Wang Apr 03 '19 at 01:10
  • 2
    az login does not take subscription argument. Error: unrecognized arguments: --subscription 7cd27cfd-2ba5-4907-a46b-b0eb4b992636 – Lakpa Tamang Apr 19 '22 at 02:28
2

For me, running cache purge worked:

```bash
az cache purge
```

Also, if it still does not work try printing verbose information using:

```bash
az login --verbose
```

Rajesh Swarnkar
1

The original problem appears to have been a transient platform problem. Went back to the same code yesterday and it worked with no issues.

phydeauxman
  • 2
    Actually, I have mentioned your script works fine in my reply, could you accept it as the answer? Thanks. – Joy Wang Apr 10 '19 at 07:08
0

I had the same issue that suddenly no subscriptions were showing up for my service principal (on 2 different build servers that I originally installed at the same time).

Updating the Azure CLI seemed to fix the issue.

Wout
0

Trying to `az login` with a Service Principal account, which does not have Role Based Access Control in its Subscription Scope, will fail with `ERROR: No subscriptions found`.

Moreover in recent Azure CLI, using the login command with the subscription flag would return `unrecognized arguments: --subscription`

Thus, to login without specifying subscription, make sure to add a role to your Service Principal account:

```bash
# Authenticate via browser
az login
# Get current subscription
subscriptionID=$(az account show --query id -o tsv)
# Create/update service account with a role (e.g. "Owner")
az ad sp create-for-rbac --name "${theServiceAccount}" --role Owner --scopes "/subscriptions/${subscriptionID}"
# Get current tenant
tenantID=$(az account show --query tenantId -o tsv)
# Login with the updated service account
az login --service-principal --tenant "${tenantID}" -u yourUser -p yourPassword
```
Noam Manos
0

Create a Service Principal with Owner/Contributor access:

```bash
az ad sp create-for-rbac --name <service-principal-name> --role Owner --scopes /subscriptions/<subscription-id>
```
Jeremy Caney
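
An added example, not taken from any of the answers above: a Python check over the JSON that `az role assignment list --assignee <appId> --all -o json` returns. It reports whether the service principal holds any role assignment at or below a given subscription (the condition the role-assignment answers say `az login` needs) and whether Owner-type roles are granted on the whole subscription. The sample data, placeholder IDs and function names are constructed, and it assumes an assignment on a resource group inside the subscription is enough for that subscription to be listed.

```python
import json

# Constructed sample in the shape of:
#   az role assignment list --assignee <appId> --all -o json
# Subscription IDs and the principal name are placeholders, not real values.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE = json.dumps([
    {"principalName": "sp-build", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalName": "sp-build", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_A}/resourceGroups/rg-app/"},
])

# Built-in roles that can change access for others; flagged when the
# assignment covers the whole subscription (selection is this example's choice).
BROAD_ROLES = {"owner", "user access administrator"}


def subscription_of(scope):
    """Return (subscription_id, covers_whole_subscription) for an ARM scope."""
    parts = [p for p in scope.strip("/").split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower(), len(parts) == 2
    # Management-group or other scopes cannot be mapped to a subscription offline.
    return None, False


def diagnose(assignments_json, subscription_id):
    """Say whether the principal has access in subscription_id and how broad it is."""
    has_access, broad = False, []
    for a in json.loads(assignments_json):
        sub, whole = subscription_of(a.get("scope", ""))
        if sub != subscription_id.lower():
            continue
        has_access = True
        if whole and a.get("roleDefinitionName", "").lower() in BROAD_ROLES:
            broad.append(a["roleDefinitionName"])
    return {"subscription_listed": has_access, "broad_roles": broad}


if __name__ == "__main__":
    for sub in (SUB_A, SUB_B):
        print(sub, diagnose(SAMPLE, sub))
```

An empty assignment list for the target subscription matches the "No subscriptions found" case; a non-empty `broad_roles` means the principal could be given a narrower role or scope and still log in.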