Can't connect to managed identity with User Administrator role
After applying the solution provided in this thread, which was basically adding User Administrator role to the managed identity I am using, I am getting the following error when connecting to the managed identity, which didn't happen before:
Unable to acquire token for tenant 'organizations' with error 'ManagedIdentityCredential authentication failed: Internal Server Error occured with identity passed!
Status: 500 (Internal Server Error)
Content:
Headers:
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Nov 2023 12:34:53 GMT
Server: Microsoft-HTTPAPI/2.0
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot'
ManagedIdentityCredential authentication failed: Internal Server Error occured with identity passed!
Status: 500 (Internal Server Error)
Content:
Headers:
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Nov 2023 12:34:53 GMT
Server: Microsoft-HTTPAPI/2.0
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
Run Connect-AzAccount to login.
UPDATE
Here's the automation account identity section:
Here's the contributor role:
Here's the user administrator role:
The error might occur if you missed adding that user-assigned managed identity in your automation account, that you are specifying in
AccountIdparameter.
I have one managed identity with Contributor role under subscription:
Now, I added User Administrator directory role to that user-assigned managed identity like this:
Initially, I have not added any user assigned managed identity in automation account as below:
When I ran below script to create SQL server by connecting via user assigned managed identity, I got same error as below:
Disable-AzContextAutosave -Scope Process
$context = (Connect-AzAccount -Identity -AccountId "<account-client-id>").context
$subscriptionId = "subId"
Select-AzSubscription -SubscriptionId $subscriptionId
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context
$rgName = "Sri"
$newServerName = "sqlserver151123"
$location = "Central US"
$adminAccount = "Testuser"
New-AzSqlServer -ResourceGroupName $rgName -ServerName $newServerName -ServerVersion "12.0" -Location $location -AssignIdentity -EnableActiveDirectoryOnlyAuthentication -ExternalAdminName $adminAccount
Response:
To resolve the error, make sure to add the user-assigned managed identity that you are specifying in AccountId under the automation account like this:
When I ran the same script again now, I got response successfully as below:
Disable-AzContextAutosave -Scope Process
$context = (Connect-AzAccount -Identity -AccountId "<account-client-id>").context
$subscriptionId = "subId"
Select-AzSubscription -SubscriptionId $subscriptionId
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context
$rgName = "Sri"
$newServerName = "sqlserver151123"
$location = "Central US"
$adminAccount = "Testuser"
New-AzSqlServer -ResourceGroupName $rgName -ServerName $newServerName -ServerVersion "12.0" -Location $location -AssignIdentity -EnableActiveDirectoryOnlyAuthentication -ExternalAdminName $adminAccount
Response:
To confirm that, I checked the same in Portal where SQL server created successfully with below properties:
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday