Tags: azure, azure-functions, azure-powershell

Function App ERROR: ClientCertificateCredential authentication failed: Could not find tenant id for provided tenant domain 'XXXXX'


I have a Timer Trigger Azure Function which runs a PowerShell script to fetch some data from Azure. The trigger fails, throwing the error below.

"ERROR: ClientCertificateCredential authentication failed: Could not find tenant id for provided tenant domain 'XXXX'. Please ensure that the provided service principal 'XXXX' is found in the provided tenant domain."

This was previously working without any errors related to the SPN, and the SPN used in the script exists in the same tenant. I am not sure if this could be due to the Az modules; below are the modules updated in the Function App's requirements.psd1 file.

'Az' = '12.*'
'Az.Accounts' = '3.0.0'
'Microsoft.Graph.Authentication' = '2.8.0'
'Az.Resources' = '7.1.0'
'Az.Storage' = '2.3.0'
'Az.ResourceGraph' = '0.13.0'

Is there anything I'm missing with respect to the issue? Please let me know if any further details are required.


Solution

  • Ensure the Service Principal is still valid, is still associated with the correct tenant, and is part of the same directory.


    Redeploy the Azure function.

    I followed the steps below, and it worked:

    run.ps1:

    param($Timer)
    
    # Identity used for the certificate-based service principal login.
    # $tenantId is the Directory (tenant) ID of the tenant the service principal lives in.
    $tenantId = "<Tenant_ID>"
    $thumb = "<Certificate_Thumbprint>"
    $appId = "<Client_ID>"
    $appName = "<App_Name>"
    
    Write-Host "Connecting Azure through $appName SPN login to call UC API"
    
    # Sign in as the service principal, using the certificate identified by its thumbprint.
    Connect-AzAccount -ServicePrincipal -Tenant $tenantId -CertificateThumbprint $thumb -ApplicationId $appId
    # Lists the subscriptions on which the service principal has a role assignment.
    $subscriptions = Get-AzSubscription
    Write-Host "Subscriptions fetched: $($subscriptions.Count)"
    
    $currentUTCtime = (Get-Date).ToUniversalTime()
    
    # The Functions host sets IsPastDue when the invocation missed its scheduled time.
    if ($Timer.IsPastDue) {
        Write-Host "PowerShell timer is running late!"
    }
    
    Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
    
    

    requirements.psd1:

    @{
        'Az' = '12.*'
        'Az.Accounts' = '3.0.0'
        'Az.Resources' = '7.1.0'
        'Az.Storage' = '2.3.0'
    }
    

    Assign the Contributor role to the Service Principal under Subscription => Access control (IAM).

    Output:

    [2025-03-21T11:38:44.523Z] Executing 'Functions.TimerTrigger' (Reason='Timer fired at 2025-03-21T17:08:44.4676651+05:30', Id=6c170e3e-dc71-46d7-b7cd-b13cf61a1cc2)
    [2025-03-21T11:38:44.527Z] Trigger Details: UnscheduledInvocationReason: IsPastDue, OriginalSchedule: 2025-03-21T13:50:00.0000000+05:30
    [2025-03-21T11:38:45.981Z] Worker process started and initialized.
    [2025-03-21T11:38:46.911Z] INFORMATION: Connecting Azure through kpappp SPN login to call UC API
    [2025-03-21T11:38:48.745Z] Host lock lease acquired by instance ID '000000000000000000000000F72731CC'.
    [2025-03-21T11:38:51.248Z] OUTPUT: 
    [2025-03-21T11:38:53.441Z] INFORMATION: Subscriptions fetched: 1
    [2025-03-21T11:38:53.451Z] INFORMATION: PowerShell timer is running late!
    [2025-03-21T11:38:53.455Z] INFORMATION: PowerShell timer trigger function ran! TIME: 03/21/2025 11:38:53
    [2025-03-21T11:38:53.496Z] OUTPUT: Subscription name              Tenant
    [2025-03-21T11:38:53.498Z] OUTPUT: -----------------              ------
    [2025-03-21T11:38:53.503Z] OUTPUT: <SUBSCRIPTION_NAME>          <TENANT_ID>
    [2025-03-21T11:38:53.507Z] OUTPUT:
    [2025-03-21T11:38:53.547Z] Executed 'Functions.TimerTrigger' (Succeeded, Id=6c170e3e-dc71-46d7-b7cd-b13cf61a1cc2, Duration=9069ms)
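The same login as the answer's run.ps1, as an added example that is not part of the question or the answer, with the pre-flight checks a practitioner would want before the `Connect-AzAccount` call. It assumes (none of this is stated on the page) that the Function App runs on a Windows plan with the login certificate loaded through WEBSITE_LOAD_CERTIFICATES so it appears under Cert:\CurrentUser\My, that the tenant ID, application (client) ID and thumbprint are stored in application settings named SPN_TENANT_ID, SPN_APP_ID and SPN_CERT_THUMBPRINT (hypothetical names) rather than hard-coded in run.ps1, and that the module set is the one in the answer's requirements.psd1. The error in the question reports the `-Tenant` value being resolved as a tenant domain; the answer passes the Directory (tenant) ID instead, so this example insists on a GUID and fails with a readable message if it gets anything else.

```powershell
# Added example, not code from the question or answer above.
# Assumptions (not from the page): Windows plan, certificate loaded via WEBSITE_LOAD_CERTIFICATES,
# application settings SPN_TENANT_ID / SPN_APP_ID / SPN_CERT_THUMBPRINT (hypothetical names),
# modules as in the answer's requirements.psd1 (Az.Accounts, Az.Resources, Az.Storage).
param($Timer)

# Any failing cmdlet throws, so a failed login marks the invocation Failed instead of Succeeded.
$ErrorActionPreference = 'Stop'

function Get-RequiredSetting {
    param([Parameter(Mandatory)][string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Application setting '$Name' is missing or empty."
    }
    return $value.Trim()
}

function Test-Guid {
    param([Parameter(Mandatory)][string]$Value)
    $parsed = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$parsed)
}

function Connect-FunctionSpn {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$Thumbprint
    )

    # Require the Directory (tenant) ID as a GUID so a domain name or typo fails here,
    # with a clear message, rather than inside Connect-AzAccount.
    if (-not (Test-Guid $TenantId)) {
        throw "SPN_TENANT_ID '$TenantId' is not a GUID; use the Directory (tenant) ID."
    }
    if (-not (Test-Guid $ApplicationId)) {
        throw "SPN_APP_ID '$ApplicationId' is not a GUID; use the Application (client) ID."
    }

    # Confirm the certificate is present in the worker's store and not expired before using it.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) {
        throw "No certificate with thumbprint $wanted in Cert:\CurrentUser\My; check WEBSITE_LOAD_CERTIFICATES."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $wanted expired on $($cert.NotAfter); renew it and update the app registration."
    }

    # Same certificate-based service principal login the answer's run.ps1 uses.
    $null = Connect-AzAccount -ServicePrincipal -Tenant $TenantId -CertificateThumbprint $wanted -ApplicationId $ApplicationId

    # Verify the session landed in the expected tenant, not just that some login succeeded.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId) {
        throw "Connected to tenant $($ctx.Tenant.Id) but expected $TenantId."
    }
    return $ctx
}

$tenantId = Get-RequiredSetting 'SPN_TENANT_ID'
$appId    = Get-RequiredSetting 'SPN_APP_ID'
$thumb    = Get-RequiredSetting 'SPN_CERT_THUMBPRINT'

$ctx = Connect-FunctionSpn -TenantId $tenantId -ApplicationId $appId -Thumbprint $thumb
Write-Host "Connected as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

# An empty result here means the login worked but the service principal has no role
# assignment on any subscription, a different failure from the tenant/certificate checks above.
$subscriptions = @(Get-AzSubscription -TenantId $tenantId)
if ($subscriptions.Count -eq 0) {
    throw "Service principal $appId has no role assignment on any subscription in tenant $tenantId."
}
Write-Host "Subscriptions fetched: $($subscriptions.Count)"

if ($Timer.IsPastDue) {
    Write-Host "PowerShell timer is running late!"
}
Write-Host "PowerShell timer trigger function ran! TIME: $((Get-Date).ToUniversalTime())"
```

Two points worth keeping in mind when adapting this: listing subscriptions only needs the Reader role at subscription scope, so the Contributor assignment in the answer grants more than a read-only fetch requires, and keeping the tenant ID, client ID and thumbprint in application settings keeps them out of the function's source rather than hard-coded in run.ps1.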