Search code examples
powershellazureazure-automationazure-mcd

Set-AzureRmContext error when executed within an Azure Automation Runbook

Update:

Seems like someone else had the same issue and reported it.

I am facing an issue with a simple PowerShell script when invoking it from an Azure Automation Runbook. The same piece of code works flawless when running it locally.

I have added a Service Principal in an Azure Active Directory (hosted in Azure German Cloud) with password credential and grant it contributor access to a subscription (also hosted in Azure German Cloud).

The Azure Automation service is hosted in North Europe since it's currently not available in the Azure German Cloud.

All I try to do is to login to my subscription with the above mentioned principal using the Add-AzureRmAccount cmdlet. After that I try to set the current context using the Set-AzureRmContext and getting the following error message:

Set-AzureRmContext : Please provide a valid tenant or a valid subscription.
At line:26 char:1
+ Set-AzureRmContext -TenantId $TenantId -Su ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmContext], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

Here is the script I try to run (left the configuration blank):

$TenantId = ""
$ApplicationId = ""
$ClientSecret = ""
$SubscriptionId = ""

$secpasswd = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($ApplicationId , $secpasswd)

Add-AzureRmAccount -ServicePrincipal -Environment 'AzureGermanCloud' -Credential $mycreds -TenantId $TenantId
Set-AzureRmContext -TenantId $TenantId -SubscriptionId $SubscriptionId

I also tried to use Login-AzureRmAccount without success. Also I am able to use the Get-AzureRmResourceGroup cmdlet to retrieve the resource groups so the login seems to work.

All Azure modules are updated to the latest version.

TLTR:

My main goal is to start a SQL export job using the New-AzureRmSqlDatabaseExport from the runnbook but it seems like the above mentioned error causes the cmdlet to fail with the following message:

New-AzureRmSqlDatabaseExport : Your Azure credentials have not been set up or have expired, please run 
Login-AzureRMAccount to set up your Azure credentials.
At line:77 char:18
+ ... rtRequest = New-AzureRmSqlDatabaseExport -ResourceGroupName $Resource
Solution

  • It looks like this is a known issue and I wasn't able to find a fix for that. But there are two workarounds:

    1. Using a Hybrid Runnbook Worker (mentioned by Walter - MSFT)
    2. Using a RunAsAccount with certificate credentials (mentioned by Bruno Faria)

    It is important to specify the -Environment parameter. Otherwise I got the following exception:

    Login-AzureRmAccount : AADSTS90038: Confidential Client is not supported in Cross Cloud request.

    Here is the code I am using to login to AzureGermanCloud (MCD) from an Azure Runbook hosted in NorthEurope:

    $connectionAssetName = "AzureRunAsConnection"
$conn = Get-AutomationConnection -Name $ConnectionAssetName

Login-AzureRmAccount `
    -ServicePrincipal `
    -CertificateThumbprint $conn.CertificateThumbprint `
    -ApplicationId $conn.ApplicationId `
    -TenantId $conn.TenantID `
    -Environment AzureGermanCloud