
Azure powershell - application id and client secret login problem


I try to use my application ID and client secret token to login in PowerShell. But I got the error message in following content. What should I do to make it have enough permission?

My script:

# Build a credential from the app registration's client secret (placeholder values)
$password = ConvertTo-SecureString "client secret" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "application ID", $password

Write-Output "Login to azure environment"

# Sign in as the service principal and select the target subscription
Connect-AzAccount -Credential $cred -Tenant "tenant ID" -Subscription "subscription ID" -ServicePrincipal

Write-Output "Restarting Web App..."

Restart-AzWebApp -ResourceGroupName "testconfogproxy_group" -Name "testconfogproxy"

Write-Output "Operation Completed."

Error message:

Connect-AzAccount : The provided account adf74536-2bd3-456a-96ba-2f98e4902525 does not have access to subscription ID "
d9c408ef-39c7-408a-97c7-68c6ae84b760". Please try logging in with different credentials or a different subscription ID.
 If a subscription is not specified, please check the configs by `Get-AzConfig`.

Solution

  • Check that the service principal has the proper contributor role under both the automation account and the web app.

    Also, go to the corresponding paths to see if you enabled system managed identity for the automation account and provided automation contributor role for the related service principal.

    Automation account >> Access control >> Add a role assignment and follow the same for web app at the subscription role.

    If still the issue persists, assign the appropriate Contributor or Owner role to the service principal associated with the application ID.


    After providing the necessary permissions, I was able to execute the below script successfully as shown.

    $clientsecret="xxx"
    $appid="xxxx"
    $tenantid="xxxx"
    $subscriptionid="xxxx"
    $password = ConvertTo-SecureString $clientsecret -AsPlainText -Force
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid, $password
    Write-Output "Login to azure environment"
    Connect-AzAccount -Credential $cred -Tenant $tenantid -Subscription $subscriptionid -ServicePrincipal
    Write-Output "Restarting Web App..."
    Restart-AzWebApp -ResourceGroupName "xxxx" -Name "newapj"
    Write-Output "Operation Completed."
    

    Output:


    And I also tried running the script from Azure PowerShell. Here to login and restart the web app from PowerShell, you need to provide website contributor role as well to the application Id for accessing it with the service principal.

    Go to the path below:

    Webapp >> Access control >> Add a role assignment >> website contributor >> select your service principal app id

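The answer above grants the role through the portal. As an added example (not part of the question or the answer, and not the project's own code), the same fix done with Az PowerShell: scope a Website Contributor assignment to the web app only, which is the least privilege Restart-AzWebApp needs and also makes the subscription visible to the service principal, then verify by signing in as that principal. All quoted values are placeholders, and the first part assumes you are signed in as an account allowed to assign roles on the web app.

```powershell
# Added example: least-privilege role assignment for the service principal.
# Placeholder values; replace before running.
$appId         = "<application (client) ID>"
$resourceGroup = "<resource group>"
$webAppName    = "<web app name>"
$tenantId      = "<tenant ID>"
$subscription  = "<subscription ID>"

# 1. Resolve the web app's resource ID. Scoping the role here, rather than
#    Contributor/Owner at the subscription, limits what the secret can do if leaked.
$webApp = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
$scope  = $webApp.Id

# 2. Check what the service principal already holds at that scope.
$existing = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in @('Website Contributor', 'Contributor', 'Owner') }

if (-not $existing) {
    # 3. Grant only Website Contributor on this one web app.
    New-AzRoleAssignment -ApplicationId $appId `
        -RoleDefinitionName 'Website Contributor' `
        -Scope $scope | Out-Null
    Write-Output "Assigned 'Website Contributor' on $scope to $appId"
} else {
    Write-Output ("Service principal already holds: " + ($existing.RoleDefinitionName -join ', '))
}

# 4. Verify from the service principal's side. The secret is read at the prompt
#    instead of being hard-coded in the script; this replaces the admin session.
$secret = Read-Host -Prompt "Client secret" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId -Subscription $subscription

# 5. Only attempt the restart once a context for the subscription exists.
if ((Get-AzContext).Subscription.Id -eq $subscription) {
    Restart-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName
    Write-Output "Operation Completed."
}
```

A new role assignment can take a few minutes to propagate, so a sign-in immediately after step 3 may still report the "does not have access to subscription" error once before succeeding.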