Can't connect to managed identity with User Administrator role
After applying the solution provided in this thread, which was basically adding User Administrator role to the managed identity I am using, I am getting the following error when connecting to the managed identity, which didn't happen before:
Unable to acquire token for tenant 'organizations' with error 'ManagedIdentityCredential authentication failed: Internal Server Error occured with identity passed!
Status: 500 (Internal Server Error)
Content:
Headers:
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Nov 2023 12:34:53 GMT
Server: Microsoft-HTTPAPI/2.0
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot'
ManagedIdentityCredential authentication failed: Internal Server Error occured with identity passed!
Status: 500 (Internal Server Error)
Content:
Headers:
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Nov 2023 12:34:53 GMT
Server: Microsoft-HTTPAPI/2.0
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
Run Connect-AzAccount to login.
UPDATE
Here's the automation account identity section:
Here's the contributor role:
Here's the user administrator role:
The error might occur if you missed adding that user-assigned managed identity in your automation account, that you are specifying in
AccountIdparameter.
I have one managed identity with Contributor role under subscription:
Now, I added User Administrator directory role to that user-assigned managed identity like this:
Initially, I have not added any user assigned managed identity in automation account as below:
When I ran below script to create SQL server by connecting via user assigned managed identity, I got same error as below:
Disable-AzContextAutosave -Scope Process
$context = (Connect-AzAccount -Identity -AccountId "<account-client-id>").context
$subscriptionId = "subId"
Select-AzSubscription -SubscriptionId $subscriptionId
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context
$rgName = "Sri"
$newServerName = "sqlserver151123"
$location = "Central US"
$adminAccount = "Testuser"
New-AzSqlServer -ResourceGroupName $rgName -ServerName $newServerName -ServerVersion "12.0" -Location $location -AssignIdentity -EnableActiveDirectoryOnlyAuthentication -ExternalAdminName $adminAccount
Response:
To resolve the error, make sure to add the user-assigned managed identity that you are specifying in AccountId under the automation account like this:
When I ran the same script again now, I got response successfully as below:
Disable-AzContextAutosave -Scope Process
$context = (Connect-AzAccount -Identity -AccountId "<account-client-id>").context
$subscriptionId = "subId"
Select-AzSubscription -SubscriptionId $subscriptionId
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context
$rgName = "Sri"
$newServerName = "sqlserver151123"
$location = "Central US"
$adminAccount = "Testuser"
New-AzSqlServer -ResourceGroupName $rgName -ServerName $newServerName -ServerVersion "12.0" -Location $location -AssignIdentity -EnableActiveDirectoryOnlyAuthentication -ExternalAdminName $adminAccount
Response:
To confirm that, I checked the same in Portal where SQL server created successfully with below properties:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?