azureautomation / azure-automation-ise-addon

The Azure Automation PowerShell ISE Add-On makes it easy to author and test your runbooks in your local PowerShell ISE
https://www.powershellgallery.com/packages/AzureAutomationAuthoringToolkit/
122 stars, 24 forks

Add-AzureRmAccount : No certificate was found in the certificate store #151

Closed dthilagan closed 6 years ago

dthilagan commented 6 years ago

When executing runbooks locally, the Add-AzureRmAccount cmdlet fails with "Add-AzureRmAccount : No certificate was found in the certificate store with thumbprint XXXXXX", where XXXXXX = the cert thumbprint of the Azure Automation Account. Is the local script execution expecting to find an Azure Automation cert in my local cert store? Note: both the connection and the cert are added to SecureLocalAssets.json. The AzureRM.profile module logs an error for Connect-AzureRmAccount to "C:\Users\\AppData\Roaming\Windows Azure Powershell\ErrorRecords".

eamonoreilly commented 6 years ago

Did you check the Run As box from the main configuration page? If you do, then the tool will add a new local certificate to the current user certificate store and also add this certificate to the Run As service principal that is used within the Azure service. It will also update the Azure RunAs connection locally to point to this certificate. When you then try and use the service principal on the local machine, it will retrieve the certificate on the local machine and not the one that was created on the Run As account in the Automation account.

If you run the following:

```powershell
$ServicePrincipalConnection = Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount -ServicePrincipal -TenantId $ServicePrincipalConnection.TenantId -ApplicationId $ServicePrincipalConnection.ApplicationId -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint | Write-Verbose

$SubscriptionContext = Set-AzureRmContext -SubscriptionId $ServicePrincipalConnection.SubscriptionId
```

it should pull the local certificate from the connection object and use that for authentication. Thanks, Eamon
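A local pre-flight check for the failure described in this issue, added here as an illustration rather than code from the add-on or from Eamon's reply: it reads the `AzureRunAsConnection` asset the same way the snippet above does, then verifies that the thumbprint it references actually exists (with a private key and unexpired) in the current user's personal store before attempting `Add-AzureRmAccount`. It assumes the AzureAutomationAuthoringToolkit module is loaded so that `Get-AutomationConnection` resolves against the local SecureLocalAssets.json, and that AzureRM.Profile is installed; the store path and the connection name are the defaults the add-on uses.

```powershell
# Added diagnostic (not part of the add-on). Assumes AzureAutomationAuthoringToolkit
# and AzureRM.Profile are loaded in this session.
$ConnectionName = "AzureRunAsConnection"
$StoreLocation  = "Cert:\CurrentUser\My"   # store the Run As checkbox writes the local cert into

$Conn = Get-AutomationConnection -Name $ConnectionName
if (-not $Conn) { throw "Connection asset '$ConnectionName' not found in local assets." }

$Thumbprint = $Conn.CertificateThumbprint
Write-Host "Connection '$ConnectionName' references thumbprint $Thumbprint"

# Look the thumbprint up in the store that service principal auth will search.
$Cert = Get-ChildItem -Path $StoreLocation | Where-Object { $_.Thumbprint -eq $Thumbprint }

if (-not $Cert) {
    # This is the state behind "No certificate was found in the certificate store":
    # the connection still points at the certificate that exists only in the
    # Automation account, so nothing in the local store matches.
    Write-Warning "No certificate with thumbprint $Thumbprint in $StoreLocation."
    Write-Warning "Re-run the add-on configuration with the Run As box checked so a local certificate is created and the connection is updated to point to it."
    return
}

# Checks worth doing before authenticating: a cert without its private key, or an
# expired one, fails in less obvious ways than a missing one.
if (-not $Cert.HasPrivateKey) {
    Write-Warning "Certificate found but has no private key; service principal auth will fail."
    return
}
if ($Cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($Cert.NotAfter); rotate the Run As certificate."
    return
}

Write-Host "Local certificate OK: Subject=$($Cert.Subject) Expires=$($Cert.NotAfter)"

# Same authentication call as in the reply above, now only attempted once the local
# store is known to hold the certificate the connection points to.
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $Conn.TenantId `
    -ApplicationId $Conn.ApplicationId `
    -CertificateThumbprint $Thumbprint | Write-Verbose

Set-AzureRmContext -SubscriptionId $Conn.SubscriptionId
```

Run it in the same ISE session where the runbook fails; the warning branch tells you whether the problem is the missing local certificate (the case in this issue) rather than a bad tenant or application id.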

dthilagan commented 6 years ago

After checking the "Run As box", AddOn fails with "Error Configuring RunAs: Operation returned an invalid status code 'Forbidden'". When running the AddOn solution, the exception is on UpdateKeyCredentialsAsync() "Authorization_RequestDenied" and "Insufficient privileges to complete the operation.".

What access do I need? Since the error looks to be with importing the cert to the Automation Account app registration, do I need to be owner of the app registration?

Exception on RunAs.cs:

```csharp
// Update Application in AD with new cert
try
{
    await graphClient.Applications.UpdateKeyCredentialsAsync(
        applicationObjectId, keyCredentialsUpdateParameters);
}
catch (Exception exception)
{
    throw exception;
}
```

eamonoreilly commented 6 years ago

Yes - the code is trying to add the local certificate to the Azure AD application so you can use it for Authentication. You need to be an owner on the Azure AD app. You can find the application in the Azure portal by opening up Azure AD blade and finding it under app registrations. You can get the name by looking at it in the automation account under RunAs Account. If you do not have permissions to add yourself as an owner on the app, then you will need to get the owner to add you. By default, if you create a new Automation account, then you will be the owner of the application and service principal that gets created. Thanks, Eamon

dthilagan commented 6 years ago

Thanks Eamon - getting temporary Owner access to the AAD app registration allowed the cert to be created on the app and imported locally.