I have an Azure Analysis Services with S1 SKU. There is an SPN who has OWNER RBAC over the AAS. I am trying to use a PowerShell 5.1 Runbook through an Automation Account to run the Restart-AzAnalysisServicesInstance cmdlet.
When I run the Runbook, I get the error:
Restart-AzAnalysisServicesInstance : Response status code does not indicate success: 401 (Unauthorized).
However, when I run the cmdlet locally, using my credentials to Connect-AzAccount in Windows PowerShell ISE, it works. I am also an OWNER over the AAS.
Here's the Runbook:
# Init
$ErrorActionPreference = 'Stop'
$AutomationAccountConnectionName = "Name of my Connection that uses the Owner SPN"
# Get Automation connection (SPN connection details)
$servicePrincipalConnection = Get-AutomationConnection -Name $AutomationAccountConnectionName
Write-Output "Connected using SPN:"
$servicePrincipalConnection
# Connect using SPN
Write-Output "Connecting to AZ using the SPN connection:"
$servicePrincipalConnection | ConvertTo-Json
$azContext = Connect-AzAccount -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-Tenant $servicePrincipalConnection.TenantId -ServicePrincipal
Write-Output ("Connected to azure using certificate with app id : " + $servicePrincipalConnection.ApplicationId)
# Get AAS
$aasServer = "test113aas"
$subscriptionId = "GUID of my azure subscription"
Select-AzSubscription -Subscription $subscriptionId
$resourceObj = Get-AzAnalysisServicesServer -Name $aasServer
$ResourceObj
$AnalysisServer = $resourceObj.Name
$AnalysisServerLocation = 'northeurope'
$ModelName = 'adventureworks'
# # Connect AAS Account => This did not help as well
# Write-Host "Adding AAS Account"
# Add-AzAnalysisServicesAccount -RolloutEnvironment "$AnalysisServerLocation.asazure.windows.net" `
# -ServicePrincipal -ApplicationId $servicePrincipalConnection.ApplicationId `
# -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -TenantId $servicePrincipalConnection.TenantId
# Restart AAS server
Write-Host "Server's full name is $($resourceObj.ServerFullName)"
Write-Host "$AnalysisServer : Preparing to Restart the Analysis Server"
$result = Restart-AzAnalysisServicesInstance -Instance $resourceObj.ServerFullName -PassThru # returns true if successful
$result
Any idea as to what I am missing out here? Documentation: https://learn.microsoft.com/en-us/powershell/module/az.analysisservices/restart-azanalysisservicesinstance?view=azps-7.2.0
I even tried running the same within an Azure PowerShell Core Function, since the documentation is for PowerShell 7+, but to no avail.
Turns out that we need to whitelist the client's IP before calling the cmdlet.
The error message could have been more precise.
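
The fix described in the answer, as an added example that is not part of the original post: it adds a temporary single-address firewall rule for the runbook's current public IP, restarts the instance, and removes the rule again in a `finally` block so the exception does not outlive the job. The resource group placeholder, the rule name and the use of api.ipify.org for the IP lookup are assumptions, and the runbook is assumed to have already connected with Connect-AzAccount.

```powershell
# Added example, not the original poster's code.
# Assumptions: resource group placeholder, rule name, and the IP lookup URL.
$ErrorActionPreference = 'Stop'
$aasServer     = 'test113aas'
$resourceGroup = '<resource-group-name>'     # placeholder, not given in the post
$ruleName      = 'runbook-temp-restart'      # hypothetical rule name

# Public IPv4 address that the AAS firewall will see for this job
# (third-party lookup service, an assumption). Validate before using it.
$clientIp = ([string](Invoke-RestMethod -Uri 'https://api.ipify.org')).Trim()
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($clientIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Unexpected response from IP lookup: '$clientIp'"
}

$server = Get-AzAnalysisServicesServer -Name $aasServer -ResourceGroupName $resourceGroup
$config = $server.FirewallConfig
$tempRule = $null

# Only touch the firewall if one is configured on the server.
if ($null -ne $config -and $null -ne $config.FirewallRules) {
    # Single address (start = end) keeps the temporary exception as narrow as possible.
    $tempRule = New-AzAnalysisServicesFirewallRule -FirewallRuleName $ruleName `
        -RangeStart $clientIp -RangeEnd $clientIp
    $config.FirewallRules.Add($tempRule)
    Set-AzAnalysisServicesServer -Name $aasServer -ResourceGroupName $resourceGroup `
        -FirewallConfig $config | Out-Null
    Write-Output "Added temporary firewall rule '$ruleName' for $clientIp"
}

try {
    $result = Restart-AzAnalysisServicesInstance -Instance $server.ServerFullName -PassThru
    Write-Output "Restart returned: $result"
}
finally {
    # Remove the temporary rule even if the restart failed.
    if ($null -ne $tempRule) {
        [void]$config.FirewallRules.Remove($tempRule)
        Set-AzAnalysisServicesServer -Name $aasServer -ResourceGroupName $resourceGroup `
            -FirewallConfig $config | Out-Null
        Write-Output "Removed temporary firewall rule '$ruleName'"
    }
}
```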