Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzureRmSubscription does not work correctly when multiple user accounts map to a single email #1665

Open timoschwarte opened 8 years ago

timoschwarte commented 8 years ago

I noticed the following bug in the Get-AzureRmSubscription cmdlet:

I have two accounts associated with 3 separate Azure subscriptions:

  (A) Microsoft account associated with subscriptions A and B
  (B) Organizational account associated with subscription C

Scenario 1 (the worse scenario): I'm logged in to Windows with my AD account (B), which is associated with the Organizational account for subscription C.

  1. I run Login-AzureRmSubscription and provide credentials for my Microsoft account (A)
  2. I run Get-AzureRmSubscription -> Subscriptions A and B are returned (correct)
  3. I run Get-AzureRmSubscription again (without doing anything else) -> Subscription C is returned. It seems I'm automatically logged in through our organizational ADFS to my organizational account (B) associated with subscription C without me actively doing anything to achieve this. Worse: I do not even get any indication that this is happening.

Scenario 2: I'm logged into Windows with an account outside of my organizations AD domain (e.g. local account).

  1. I run Login-AzureRmSubscription and provide credentials for my Microsoft account (A)
  2. I run Get-AzureRmSubscription -> Subscriptions A and B are returned (correct)
  3. I run Get-AzureRmSubscription again (without doing anything else) -> Subscription B is returned and I get the following warning messages:

     WARNING: Unable to acquire token for tenant 'Common'
     WARNING: Unable to acquire token for tenant '--tenant GUID for subscription A--'

     It seems I can still run Select-AzureRmSubscription and select subscription B, but not subscription A.

Probably not relevant, but subscription A is a "Visual Studio Premium with MSDN" subscription.

I hope this explanation is understandable :) Best regards, Timo

hovsepm commented 8 years ago

@timoschwarte, thanks for reporting. Which version of the Azure PowerShell cmdlets are you using? Are you using any parameters for the Get-AzureRmSubscription calls (filtering by tenant ID or subscription ID/name)?

timoschwarte commented 8 years ago

@hovsepm I noticed the issue with version 1.0.2, and then upgraded to 1.1.0, but the same issue remains.

In this case I ran Get-AzureRmSubscription without parameters, but the same issue remains with parameters.

E.g. when running outside of my organizational domain:

PS C:\> Login-AzureRmAccount

Environment           : AzureCloud
Account               : xxxx.xxxx@xxxx.com
TenantId              : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionId        :
CurrentStorageAccount :

PS C:\> Get-AzureRmSubscription

SubscriptionName : Visual Studio Premium with MSDN
SubscriptionId   : 8b9dc558-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SubscriptionName : MyOtherSubscription
SubscriptionId   : efe77f65-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : a25981ec-xxxx-xxxx-xxxx-xxxxxxxxxxxx

PS C:\> Get-AzureRmSubscription
WARNING: Unable to acquire token for tenant 'Common'
WARNING: Unable to acquire token for tenant '5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

SubscriptionName : MyOtherSubscription
SubscriptionId   : efe77f65-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : a25981ec-xxxx-xxxx-xxxx-xxxxxxxxxxxx

With parameters (again outside my organization):

PS C:\> Login-AzureRmAccount

Environment           : AzureCloud
Account               : xxxx.xxxx@xxxx.com
TenantId              : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionId        :
CurrentStorageAccount :

PS C:\> Get-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"

SubscriptionName : Visual Studio Premium with MSDN
SubscriptionId   : 8b9dc558-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx

PS C:\> Get-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"
WARNING: Unable to acquire token for tenant 'Common'
WARNING: Unable to acquire token for tenant '5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Get-AzureRmSubscription : Subscription Visual Studio Premium with MSDN was not found in tenant . Please verify that the
 subscription exists in this tenant.
At line:1 char:1
+ Get-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand

I did nothing else in between, just ran the same command twice.

Similar things happen when I try to Select-AzureRmSubscription. If I run Get-AzureRmSubscription first and then try to Select, it will fail. Selecting before running Get succeeds, but Get-AzureRmSubscription subsequently fails:

PS C:\> Select-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"

Environment           : AzureCloud
Account               : xxxx.xxxx@xxxx.fi
TenantId              : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionId        : 8b9dc558-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CurrentStorageAccount :

PS C:\> Get-AzureRmSubscription
WARNING: Unable to acquire token for tenant 'Common'
WARNING: Unable to acquire token for tenant '5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

First Get, then Select:

PS C:\> Login-AzureRmAccount

Environment           : AzureCloud
Account               : xxxx.xxxx@xxxx.com
TenantId              : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionId        :
CurrentStorageAccount :

PS C:\> Get-AzureRmSubscription

SubscriptionName : Visual Studio Premium with MSDN
SubscriptionId   : 8b9dc558-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SubscriptionName : MyOtherSubscription
SubscriptionId   : efe77f65-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId         : a25981ec-xxxx-xxxx-xxxx-xxxxxxxxxxxx

PS C:\> Select-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"
Select-AzureRmSubscription : Provided subscription Visual Studio Premium with MSDN does not exist
At line:1 char:1
+ Select-AzureRmSubscription -SubscriptionName "Visual Studio Premium with MSDN"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmContext], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

One more thing... I have two aliases associated with my Microsoft account (primary .com + one additional alias .fi). When I run the "traditional" Get-AzureSubscription, I get:

PS C:\> Get-AzureSubscription

SubscriptionId            : 8b9dc558-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionName          : Visual Studio Premium with MSDN
Environment               : AzureCloud
DefaultAccount            : xxxx.xxxx@xxxx.com
IsDefault                 : True
IsCurrent                 : True
TenantId                  : 5cc872ff-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CurrentStorageAccountName : premiumdemo

SubscriptionId            : efe77f65-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionName          : MyOtherSubscription
Environment               : AzureCloud
DefaultAccount            : xxxx.xxxx@xxxx.fi
IsDefault                 : False
IsCurrent                 : False
TenantId                  : a25981ec-xxxx-xxxx-xxxx-xxxxxxxxxxxx
CurrentStorageAccountName :

damienmci commented 8 years ago

Out of curiosity have you turned on two factor auth (2FA) for your Microsoft account?

I noticed that if I use $cred = Get-Credential and then Login-AzureRMAccount -TenantId $tenantId -SubscriptionId $sub, then I get the same issues as you have mentioned, the unable to acquire token error.

If I just do Login-AzureRmAccount -TenantId $tenantId and the large popup login dialog box appears for logging in, it then supports the 2 factor auth and thus correctly authenticates to the tenancy and must then get a valid token.

Not sure if that helps, but it works for me. I'm wondering then whether Microsoft Accounts (not AAD accounts) with two factor auth are not going to be supported for automation in PowerShell scripts. I guess then that an account within your tenancy's AAD would be a better solution, with the correct admin rights assigned?

ashwanikapoor commented 8 years ago

Is there any solution for this? I created two Automation accounts. In the first one I imported the latest modules (including AzureAutomationAuthoringToolkitInner.psm1). When I run the runbook, it gives an error that locally the password is set to null so it can't bind it.

In the second Automation account, the same script and same user get this error on login: 'The user is required to use multi-factor authentication to access this resource'

Any advice would help to move forward.

Thanks

timoschwarte commented 8 years ago

@damienmci Yes, I have two factor authentication enabled on my Microsoft account and always authenticate through the popup dialog. I'm considering trying to disable 2FA and try the Get-Credential method, just to check if it changes anything... will comment if it does.

markcowl commented 8 years ago

@timoschwarte To figure this out, we're going to need the ADAL traces while you are logging in and doing the Get-AzureRMSubscription. I would also suggest using the latest version (released today). I suspect this may be related to the account name returned in the token from ADAL, but without the ADAL traces, it is difficult to say.

To get ADAL traces, run the commands with

$DebugPreference="Continue"

deltadan commented 8 years ago

When using Select-AzureRmProfile -Path "C:\foo.json" with a subscription that isn't the default I get this same error. The creds work even though the error is there.

timoschwarte commented 8 years ago

@markcowl I updated to version 1.2.0 and sent you a transcript of the process in an email.

The automatic login to my Organizational account which I noticed in the previous versions does NOT happen anymore with 1.2.0, which is good :) The errors are also slightly different now in 1.2.0: I get WARNING: Unable to acquire token for tenant immediately on the first Get-AzureRmSubscription call.

And from what I can tell, it definitely has to do with my account and its aliases...

markcowl commented 8 years ago

@timoschwarte @deltadan @damienmci The common denominator for these issues seems to be a difference between the display ID (i.e., login id) between your default tenant and another tenant that you have access to. This can happen for various kinds of reasons, normally having to do with some kind of invitation account, in which an invitation is extended to one email address and you accept with a different login.

The issue occurs because the user id returned in the token doesn't match the one you logged in with, which prevents us from retrieving the token from the cache later. We are working on using a different key for the token, and have a fix targeted for the next release.

markcowl commented 8 years ago

@ashwanikapoor I don't think this issue is related - this sounds like you are trying to use a user id that requires multi-factor authentication (MFA) with a PSCredential login - this will not work, as MFA always requires user interaction. The solution is to use a service principal when running PowerShell automation.

tmds commented 8 years ago

Hi, I created an automation user and I also get WARNING: Unable to acquire token for tenant 'Common'. My automation user is not using MFA. I have tried executing Login-AzureRmAccount both specifying -TenantId and without. I get the same message every time.

nbst84 commented 8 years ago

The same PowerShell commands I use to log in successfully on many VMs do not work on a specific VM, even though all VMs were created based on the same generalized image of mine (so they all have the same PowerShell version etc.).

PS C:> Select-AzureRmSubscription -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -TenantId "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
Select-AzureRmSubscription : Provided subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx does not exist

Also

PS C:> Get-AzureRmSubscription
WARNING: Unable to acquire token for tenant 'Common'

The exact same commands work fine on all my other VMs... Any advice?

SimonT-STHS commented 8 years ago

Hi.

I have the same issue. When an account has permission on multiple subscriptions, if you only run Add-AzureRmAccount and Save-AzureRmProfile, the profile saved by Save-AzureRmProfile is not complete. Afterwards, when you load this profile, you can't loop through AzureRmSubscription with the Select-AzureRmSubscription command.

In my case, the workaround was to connect to Azure (Add-AzureRmAccount), select my first subscription (Select-AzureRmSubscription -SubscriptionName "_1"), Save-AzureRmProfile, then select my second subscription (Select-AzureRmSubscription -SubscriptionName "_2") and save it as another profile. Then in the PowerShell script I'm running, I loop through the AzureRMProfile files created previously to connect to the subscriptions without errors.

nbst84 commented 8 years ago

In my case, my account only has access to one subscription.

nbst84 commented 8 years ago

Ok so it turned out that in my case it was the DNS of my server that was wrong. My server was unable to resolve addresses and I found it out by upgrading Azure Powershell from 1.1.0 to 1.3.0. In 1.1.0 I was getting that error I mentioned previously (Provided subscription does not exist) and in 1.3.0 the error was slightly more helpful (something along the lines of "cannot resolve login.microsoftonline.com").

avishnyakov commented 8 years ago

Having the same issue. Inconsistently on various VMs/laptops. Also, we run various PS scripts under CI and have that issue happening pretty much randomly. Most of the time it works, then suddenly stops working.

Get-AzureRmSubscription : Subscription XXYYZZZ was not found in tenant . Please
verify that the subscription exists in this tenant.

What would be the troubleshooting and workaround? It seems the issue has been reported in Jan, yet I can't see any suggestions on the resolution.

markcowl commented 8 years ago

Root Cause

The DisplayableId in the token for some tenants does not match the login id. This causes the token not to be retrieved if we set RequiredDisplayableId as the user identifier type when making calls to ADAL.

Proposed Solution

Cost (Work Units): 6

waldner commented 8 years ago

Any estimation of when this will be released?

marcobocca commented 8 years ago

Is there any update about this problem ? Thank you Marco

bigtfromaz commented 7 years ago

I just uncovered a condition where this message is emitted and I think it is by design.

I created an account in AzureAD and gave it only one permission and that is to update DNS records in one Azure DNS zone owned by one subscription.

When I issue Get-AzureRmSubscription to enumerate subscriptions, this user apparently does not have the necessary permissions and the "WARNING: Unable to acquire token for tenant 'Common'" message is emitted.

This is exactly what I want because I need this user to be constrained to a very specific function and I don't want it able to rummage.

Azure DNS commands such as New-AzureRmDnsRecordSet work just fine as long as I select the subscription id first. All I need to do is ensure that the credentials used at runtime and the subscription ID are secure.

I imagine there's a permission that would allow an account to enumerate the subscriptions in its scope. It would be nice to know what it is and how to grant it. But for now, this is a normal warning I can avoid by not issuing the offending command.

ward0 commented 7 years ago

Is there any update about this problem ? Thank you Ward

SquirrelAssassin commented 7 years ago

I'm seeing this issue from Azure Automation only. From my local machine it works fine. I tried different versions of the AzureRM.Profile module (2.5 and 2.8) in Azure Automation. This was working, then it seems yesterday it stopped working across multiple tenants. I have tested this in 3 different automation accounts across two completely separate tenants. Both SPNs only have access to a single tenant.

FredrikGoransson commented 7 years ago

What is the status of this issue? I am seeing the same behavior without MFA for a specific customer.

The outputs from the cmdlets are very contradictory: Login- or Add-AzureRmAccount will show me the tenant and subscription I want to get, but when trying to get it I get the warning Unable to acquire token for tenant and then it claims the subscription does not exist in the tenant. It does exist in that context, looking at it through the portal for instance.

PS> Add-AzureRmAccount -TenantId 96ca84cb-xxxx-xxxx-xxxx-xxxx

Environment           : AzureCloud
Account               : fredrik.goransson@xxxx.com
TenantId              : 96ca84cb-xxxx-xxxx-xxxx-xxxx09bf6dff
SubscriptionId        : 8a69378d-xxxx-xxxx-xxxx-xxxxf04ea3be
SubscriptionName      : YYYYYYYY
CurrentStorageAccount : 

PS> Get-AzureRmSubscription -SubscriptionId 8a69378d-xxxx-xxxx-xxxx-xxxxf04ea3be -TenantId 96ca84cb-xxxx-xxxx-xxxx-xxxx09bf6dff
WARNING: Unable to acquire token for tenant '96ca84cb-xxxx-xxxx-xxxx-xxxx09bf6dff'
Get-AzureRmSubscription : Subscription 8a69378d-xxxx-xxxx-xxxx-xxxxf04ea3be was not found in tenant 96ca84cb-xxxx-xxxx-xxxx-xxxx09bf6dff. 
    Please verify that the subscription exists in this tenant.
At line:1 char:1
+ Get-AzureRmSubscription -SubscriptionId 8a69378d-xxxx-xxxx-xxxx-xxxxf ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand

Any workaround for this?

cmendible commented 7 years ago

Any news on the status of this issue?

bigtfromaz commented 7 years ago

Fredrik, I don't know if you are using the same user id for both activities or not. But I experienced this issue. I had granted access to a resource to an account I am using as a service account (not admin or user) but I had not granted access to account/tenant data. If you are using a user account with limited access, my post from November 23, 2016 might be helpful. This may also be as simple as the user id you are using not having permission for the object you are selecting.

FredrikGoransson commented 7 years ago

Yes, same user for this. It is not an SA user either. The user can access the subscription and resources within it just fine from the portal, so it is likely not a permission issue (unless there is another issue in the portal that erroneously gives access to subscriptions I shouldn't have access to). Looking at access rights in the portal, that doesn't seem to be the problem.

bigtfromaz commented 7 years ago

That does look wrong!

markcowl commented 7 years ago

@bigtfromaz @FredrikGoransson @cmendible We made some changes to the Context type to allow saving the information that would fix this issue. Our sense is that this doesn't impact very many people, but it is painful when it does.

markcowl commented 7 years ago

@bigtfromaz Subscriptions are ARM artifacts, so you need to provide RBAC authorization to allow reading the subscriptions in order to list them. This is separate from the Graph permissions for the user.

Note that you can provide the TenantId to Add-AzureRmAccount to log in to a specific tenant. We do plan to allow specifying domain name instead of tenant ID in this case, which should make discovery of the proper value easier.
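The per-tenant login that markcowl recommends, written up as an added example (not code from the azure-powershell project): it enumerates subscriptions tenant by tenant with an explicit -TenantId, captures the "Unable to acquire token" warning instead of letting it scroll past, and re-authenticates to that one tenant when it appears. It assumes the AzureRM.Profile cmdlets of the era discussed here; the Id property on Get-AzureRmTenant output and the SubscriptionId/SubscriptionName property names (as shown in the output earlier in this thread) are assumptions that differ between module versions.

```powershell
# Added example, not part of the azure-powershell project.
# Lists subscriptions one tenant at a time, avoiding the 'Common' tenant lookup
# that fails when the token's DisplayableId differs from the login id.
function Get-SubscriptionsPerTenant {
    [CmdletBinding()]
    param(
        # Tenants to enumerate; defaults to every tenant the signed-in account can see.
        # Assumption: Get-AzureRmTenant objects expose the tenant GUID as .Id
        [string[]]$TenantId = (Get-AzureRmTenant | ForEach-Object { $_.Id })
    )

    $ctx = Get-AzureRmContext
    Write-Verbose "Signed in as $($ctx.Account.Id)"

    foreach ($tid in $TenantId) {
        # Collect warnings in $warn rather than printing them; the warning text is
        # the only signal that the token cache lookup failed for this tenant.
        $warn = @()
        $subs = Get-AzureRmSubscription -TenantId $tid `
                    -WarningVariable warn -WarningAction SilentlyContinue `
                    -ErrorAction SilentlyContinue

        if ($warn -match 'Unable to acquire token') {
            # Symptom described in this thread: no usable cached token for $tid.
            # Log in to that tenant explicitly (interactive prompt) and retry once.
            Write-Verbose "No cached token for tenant $tid; logging in to it explicitly"
            Add-AzureRmAccount -TenantId $tid | Out-Null
            $subs = Get-AzureRmSubscription -TenantId $tid -ErrorAction SilentlyContinue
        }

        if (-not $subs) {
            Write-Warning "Tenant ${tid}: no subscriptions visible (check RBAC on the subscription, not just directory access)"
            continue
        }

        foreach ($s in $subs) {
            [pscustomobject]@{
                TenantId         = $tid
                SubscriptionId   = $s.SubscriptionId    # assumption: AzureRM 1.x-3.x names; 'Id' in later releases
                SubscriptionName = $s.SubscriptionName  # assumption: 'Name' in later releases
            }
        }
    }
}

# Usage after Add-AzureRmAccount:
#   Get-SubscriptionsPerTenant -Verbose | Format-Table
```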

bigtfromaz commented 7 years ago

We seek to provide service accounts with exactly the privileges they need and no more. In this case the account being used to maintain DNS records does not need to have a subscription list. Using a domain name would be convenient because if we were to move the domain to another subscription it would be one less configuration change to worry about.


Rcho22 commented 7 years ago

I posted a solution here: https://www.bountysource.com/issues/29898378-get-azurermsubscription-does-not-work-correctly?show_profile_modal=1

danstis commented 7 years ago

Is there any news on this issue? I have been experiencing this for the last few months; it is very annoying. I'm using the AzureRM module version 4.2.1.

RonnieViklund commented 7 years ago

Also experiencing similar issues trying to implement Azure PowerShell monitoring in SCOM against different subscriptions in the same tenant; it seems you can only work against one subscription at a time. Using 4.3.1.

FredrikGoransson commented 7 years ago

Not sure if this is a solution for others, but it solved the issue for me. My situation was a dual-account (Microsoft and Work account) connected to the same email (my work email). The Microsoft account was invited as a guest user in another Azure Active Directory. Up until some point in May I was able to access the Azure subscriptions in that tenant I was invited to with Login-AzureRmAccount and then Get-AzureRmSubscription. After release 4.0.0 of the PS module this stopped working with the error "Unable to acquire token for tenant XXXX". Reverting to the old module didn't solve the issue either. After a lot of trial and error (including changing my Microsoft account's email so it no longer was a dual-account) I found that simply running Clear-AzureProfile -Force fixed the issue for me.

A side note on the dual-account: this is likely not related to the problem at all and if you have a dual-account today and like it that way, do not change your email on the Microsoft account, you will never be able to set it back to the same email as your work account.

RonnieViklund commented 7 years ago

@FredrikGoransson I use an SPN so that's not the same issue for me; my workaround is unfortunately to do REST calls and skip Azure PowerShell entirely due to this issue.

sharpjs commented 6 years ago

FWIW, @FredrikGoransson's suggestion (Clear-AzureProfile -Force) fixed this problem for me.

venkataitha commented 6 years ago

Hello everyone, I am trying to use Get-AzureRmSubscription from an Azure runbook and getting the error "unable to acquire token for tenant". I am connecting to Azure with my own appid and tenantid.

SquirrelAssassin commented 6 years ago

.... if you're trying to use an application id and secret ... stop. It never works. Switch to an SPN with a certificate.

# Get dates
$currentDate = Get-Date
$endDate     = $currentDate.AddYears(20)   # SPN credential validity
$notAfter    = $endDate.AddYears(20)       # certificate validity (20 years past the SPN end date)

# Make cert (self-signed, exportable, in the local machine store)
$certName       = Read-Host -Prompt "Enter FQDN Subject Name for certificate, this will be used for the spn name and uris"
$certStore      = "Cert:\LocalMachine\My"
$certThumbprint = (New-SelfSignedCertificate -DnsName "$certName" -CertStoreLocation $certStore -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pfxPassword    = Read-Host -Prompt "Enter password to protect exported certificate:" -AsSecureString
$pfxFilepath    = Read-Host -Prompt "Enter full path to export certificate (ex C:\folder\filename.pfx)"
Export-PfxCertificate -Cert "$($certStore)\$($certThumbprint)" -FilePath $pfxFilepath -Password $pfxPassword

# Grab cert public data (base64 of the DER-encoded certificate; this is what the SPN credential stores, not the private key)
$cert     = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate -ArgumentList @($pfxFilepath, $pfxPassword)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Make SPN with the certificate as its credential, then show the backing application
$adsp = New-AzureRmADServicePrincipal -DisplayName $certName -CertValue $keyValue -StartDate $currentDate -EndDate $endDate
Get-AzureRmADApplication -ApplicationId $adsp.ApplicationId

venkataitha commented 6 years ago

Thanks for the reply. My requirement is that I am using an existing appid/appkey to connect to Azure because of multiple dependencies, to get all the subscriptions and then secrets from the Key Vault. Is it possible to use the existing app with a cert attached to it without impacting the existing appid/appkey functionality?

venkataitha commented 6 years ago

Can someone please advise?

markcowl commented 6 years ago

@venkataitha This issue is particularly about the issue with multiple UPNs being associated with an email address. If you have a different problem, please file a different issue.

To answer your question, you can add a service principal to an existing app if you have sufficient privileges; then you should be able to log in using the certificate credentials. Logging in using SPN + Secret in Automation doesn't work because the CredManCache is used for storing the secret and this API is not one of the APIs on the allow list for the Automation sandbox. SPN + subscription will work.

Note that new runbooks contain a 'RunAs' connection automatically which can make this easier - it consists of a preconfigured SPN + cert.
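The certificate login that markcowl describes, as an added example (not code from the azure-powershell project or from this thread's posters): it pairs with the SPN created in SquirrelAssassin's script above, logs in with -ServicePrincipal and -CertificateThumbprint against an explicit tenant, pins the context to one subscription, and verifies the resulting context before any work runs. The GUIDs and certificate subject are placeholders; the Tenant.Id / Subscription.Id property names on Get-AzureRmContext output are assumed from AzureRM 4.x.

```powershell
# Added example, not part of the azure-powershell project.
# Unattended login with SPN + certificate, which works in the Automation sandbox
# where SPN + secret does not (see markcowl's note above).
param(
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ApplicationId  = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$SubscriptionId = '22222222-2222-2222-2222-222222222222',  # placeholder
    [string]$CertSubject    = 'CN=automation-spn.example.com'          # placeholder
)

# Pick the newest unexpired certificate with a private key for this SPN.
# Filtering on NotAfter catches the silent failure mode of an expired cert.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $CertSubject -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable certificate with subject '$CertSubject' in Cert:\LocalMachine\My"
}

# Explicit tenant: no 'Common' probing and no user token cache involved,
# so the DisplayableId mismatch discussed in this thread cannot occur.
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $TenantId `
    -ApplicationId $ApplicationId `
    -CertificateThumbprint $cert.Thumbprint | Out-Null

# Bind the context to the one subscription the SPN is meant to touch.
Set-AzureRmContext -SubscriptionId $SubscriptionId -TenantId $TenantId | Out-Null

# Fail closed: refuse to continue if the context is not the tenant/subscription requested.
$ctx = Get-AzureRmContext
if ($ctx.Tenant.Id -ne $TenantId -or $ctx.Subscription.Id -ne $SubscriptionId) {
    throw "Context mismatch: tenant $($ctx.Tenant.Id), subscription $($ctx.Subscription.Id)"
}

Write-Output "Authenticated as $($ctx.Account.Id) in subscription '$($ctx.Subscription.Name)'"
```

An SPN scoped with RBAC on only this subscription will still get "Unable to acquire token" from a bare Get-AzureRmSubscription, as bigtfromaz noted; that is expected, and the pinned context above is what the rest of the runbook should use.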

markcowl commented 6 years ago

Cost: 8

JamesDLD commented 6 years ago

Thanks @markcowl for this explanation.

When you say that "SPN + Secret in Automation doesn't work", is this something that is considered a bug or is this something official that is by design?

If it's by design it would be great to have a page explaining the authentication methods we have when using Azure Automation. Personally I tend to recommend authentication through Service Principal & Certificate.

venpun commented 5 years ago

The command Login-AzureRmAccount -TenantId $tenantId worked for me. Previously it used to work with just Login-AzureRmAccount and logging in with any orgID (I have 2 org ids); however I got the below error since a day ago, and it was fixed by logging in to the specific tenantid:

Get-AzureRmSubscription WARNING: Unable to acquire token for tenant....

killa1218 commented 5 years ago

Guys, this is 2019 now. And the problem still remains?

SquirrelAssassin commented 5 years ago

But wait, there's more: for a limited time only you can use AzureRM. Microsoft is abandoning AzureRM. So get your bug fixes in while you can, because you only get bug fixes up through at least December 2020.

https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-2.2.0

pixelicous commented 5 years ago

Been tracking this for a while, now I have the same problem.. Anyone from MS going to handle it?

lAnubisl commented 5 years ago

Still not fixed. This is a blocker. Azure PowerShell has become useless.

tomgron commented 4 years ago

I have the same thing - I have Live and Office 365 accounts tomgron@calm.fi which results in the wrong subscriptions being listed.