This blog post describes my recent experience authenticating to Azure with an Azure AD service principal using a certificate. The process is well documented and seemed quite straightforward; however, this was not my experience.
I was able to follow the process to set up the Azure AD service principal successfully, up to the step where I granted the service principal a role (using PS cmdlets). When I tried to log in as the service principal, I encountered the issue below.
Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -ApplicationId $appId -ServicePrincipal -TenantId $subscription.TenantId

Login-AzureRmAccount : Invalid provider type specified.
At line:1 char:1
+ Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -Applica ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmAccount], CryptographicException
    + FullyQualifiedErrorId : http://Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand
Referring to the documentation on Add-AzureRMAccount (Login-AzureRMAccount is an alias), the TenantId parameter expects an array of strings, which prompted me to change the command to:
Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -ApplicationId $azureAdApplication.IdentifierUris -ServicePrincipal -TenantId [string]$subscription.TenantId
This time the error received was:
Login-AzureRmAccount : 'authority' should be in Uri format
Parameter name: authority
At line:1 char:1
+ Login-AzureRmAccount -CertificateThumbprint $cert.Thumbprint -Applica ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureRmAccount], ArgumentException
    + FullyQualifiedErrorId : http://Microsoft.Azure.Commands.Profile.AddAzureRMAccountCommand
Note: I updated the Azure PowerShell module to 1.3.2 (19 April 2016) and still received the 'authority' error. The 'Invalid provider type' error no longer appeared; instead the module gave a clearer message: Cannot convert 'System.Object' to the type 'System.String' required by parameter 'TenantId'
The workaround / fix
As a workaround, I resorted to the Azure cross-platform CLI (version 0.9.2, as tested), which performs the equivalent operation to the PowerShell cmdlet. If you don't mind using the CLI, I think this can be considered a fix.
Before running this command you need to convert the PFX file to a PEM file as described here. The --thumbprint value is the SHA-1 thumbprint of the certificate, the same value that was registered on the service principal.
azure login --service-principal --tenant "$tenantid" -u "$appid" --certificate-file <path to PEM file>\cert.pem --thumbprint "$cert"
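The step the CLI command depends on is getting a PEM certificate and a thumbprint that agree with each other and with what was registered on the service principal. A common failure is feeding the thumbprint in a different format (openssl prints it colon-separated and lower-case, the Windows certificate store shows it without separators and upper-case) or accidentally extracting the wrong block from a PEM exported from a PFX, which also carries "Bag Attributes" lines and the private key. The following added example, which is not from the original post and uses only the Python standard library, extracts the certificate block from such a PEM, computes the SHA-1 thumbprint Azure AD expects (the SHA-1 of the DER-encoded certificate), and compares thumbprints after normalising their format. The PEM content is constructed (it wraps the bytes "abc", not a real certificate) so the arithmetic can be checked offline; with a real PEM the same functions apply unchanged.

```python
import base64
import hashlib
import re

# Constructed sample for offline demonstration: NOT a real certificate. The
# base64 body is just the bytes b"abc" so the SHA-1 result is a known value.
# A real PEM produced from a PFX with openssl looks the same structurally:
# optional "Bag Attributes" header lines, a PRIVATE KEY block and the
# CERTIFICATE block; only the CERTIFICATE block contributes to the thumbprint.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "Bag Attributes\n"
    "    friendlyName: constructed-sample\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "AAAA\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string.

    Other blocks (private key, bag attributes) are ignored, which is what you
    want when the PEM was exported from a PFX that also contained the key.
    """
    match = _CERT_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER certificate, upper-case hex without separators.

    This is the thumbprint format shown in the Windows certificate store and
    used by Azure AD for certificate credentials.
    """
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_from_pem(pem: str) -> str:
    """Convenience wrapper: PEM text in, Azure-style thumbprint out."""
    return thumbprint(pem_to_der(pem))


def normalize_thumbprint(value: str) -> str:
    """Strip colons, spaces and case so differently formatted thumbprints compare equal."""
    cleaned = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def thumbprints_match(a: str, b: str) -> bool:
    """True when two thumbprints denote the same certificate regardless of formatting."""
    return normalize_thumbprint(a) == normalize_thumbprint(b)


if __name__ == "__main__":
    tp = thumbprint_from_pem(SAMPLE_PEM)
    # openssl-style rendering of the same value, colon-separated and lower-case
    openssl_style = ":".join(tp[i:i + 2] for i in range(0, 40, 2)).lower()
    print("thumbprint:", tp)
    print("matches openssl rendering:", thumbprints_match(tp, openssl_style))
```

Before running azure login, compute the thumbprint from the PEM you are about to pass with --certificate-file and confirm it matches the thumbprint recorded on the service principal; a mismatch there produces an authentication failure that is easy to misattribute to the tooling.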
This resulted in the following.
info:    Executing command login
info:    Added subscription <Subscription name>
info:    Setting subscription "<Subscription Name>" as default
info:    login command OK
I have not performed a detailed analysis of why the PS cmdlet produced these errors – there might be information that can be gleaned via Fiddler on what REST API requests were generated (in the meantime I raised this issue with @AzureSupport and opened an issue on GitHub).
Hope this short post saves you troubleshooting time.