Multitenant serviceprincipal fails to change context in Az.Accounts version 2.10.4

[lassehastrup]

Description

After Az.Accounts was updated to version 2.10.4 we can no longer change AzContext or generate a Access Token with a multi-tenant App registration.

Connect-AzAccount -TenantId (Tenant1 where the app registration is created) - this works OK.

Set-AzContext -TenantId (Tenant2 where the app registration is linked and registered as an Enterprise App) - We receive error.

Error: ##[error]The running command stopped because the preference variable "WarningPreference" or common parameter is set to Stop: Unable to acquire token for tenant 'XYZ' with error 'No certificate thumbprint or secret provided for the given service principal '***'.'

This is tested and worked in Az.Accounts version 2.10.0 - 2.10.3, and this is critical, as the way the import of Az.Accounts works is difficult to handle. Even though we specify an older version of
AzurePowershell
azurePowerShellVersion: OtherVersion
preferredAzurePowerShellVersion: 9.1.1 (tested with 8.3.0 and 9.1.0)

The Az will still import the latest version of Az.Accounts which has this error.

Issue script & Debug output

Connect-AzAccount -Tenant (Tenant1 where the app registration is created) -Credential $creds -ServicePrincipal- this works OK.

Set-AzContext -TenantId (Tenant2 where the app registration is registered as an Enterprise App) - We receive error.

Environment data

This is tested and working in Az.Accounts version 2.10.0 - 2.10.3

Module versions

Az.Accounts version 2.10.4

Error output

Error: ##[error]The running command stopped because the preference variable "WarningPreference" or common parameter is set to Stop: Unable to acquire token for tenant 'XYZ' with error 'No certificate thumbprint or secret provided for the given service principal '***'.'

[dingmeng-xue]

Thanks for reporting. Could you share the exception stack after you hit the problem? You can get except stack via $Error[0].Exception | fl -f * .

[lassehastrup]

ErrorRecord                 : The running command stopped because the preference variable "WarningPreference" or common parameter is set to Stop:     
                              Unable to acquire token for tenant 'XXXXXXX' with error 'No certificate thumbprint or 
                              secret provided for the given service principal 'XXXXX'.'
WasThrownFromThrowStatement : False
TargetSite                  : System.Collections.ObjectModel.Collection`1[System.Management.Automation.PSObject] 
                              Invoke(System.Collections.IEnumerable)
Message                     : The running command stopped because the preference variable "WarningPreference" or common parameter is set to Stop: 
                              Unable to acquire token for tenant 'XXXXXX' with error 'No certificate thumbprint or 
                              secret provided for the given service principal 'XXXXXXXXX'.'
Data                        : {[System.Management.Automation.Interpreter.InterpretedFrameInfo, 
                              System.Management.Automation.Interpreter.InterpretedFrameInfo[]]}
InnerException              : 
HelpLink                    : 
Source                      : System.Management.Automation
HResult                     : -2146233087
StackTrace                  :    at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                                 at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
                                 at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
                                 at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, 
                              PSDataCollection`1 output, PSInvocationSettings settings)
                                 at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 
                              output, PSInvocationSettings settings)
                                 at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, 
                              PSInvocationSettings settings)
                                 at System.Management.Automation.PowerShell.Invoke[T](IEnumerable input, IList`1 output, PSInvocationSettings 
                              settings)
                                 at System.Management.Automation.PowerShell.Invoke[T](IEnumerable input, PSInvocationSettings settings)
                                 at Microsoft.PowerShell.EditorServices.Services.PowerShell.Utility.PowerShellExtensions.InvokeAndClear[TResult](Powe
                              rShell pwsh, PSInvocationSettings invocationSettings) in 
                              D:\a\_work\1\s\src\PowerShellEditorServices\Services\PowerShell\Utility\PowerShellExtensions.cs:line 82
                                 at Microsoft.PowerShell.EditorServices.Services.PowerShell.Execution.SynchronousPowerShellTask`1.ExecuteNormally(Can
                              cellationToken cancellationToken) in 
                              D:\a\_work\1\s\src\PowerShellEditorServices\Services\PowerShell\Execution\SynchronousPowerShellTask.cs:line 187

[msJinLei]

@lassehastrup

Could you check the results of the following cmdlet?

PS C:\> Get-AzContext -ListAvailable

Name                                     Account             SubscriptionName    Environment         TenantId
----                                     -------             ----------------    -----------         --------

Please see whether all the items are valid?

In addition, the debug log should contain the accountId of the context you set to

PS C:\> Set-AzContext -TenantId $tenantId -Debug
DEBUG: 1:13:12 PM - SetAzureRMContextCommand begin processing with ParameterSet 'TenantNameOnly'.
DEBUG: 1:13:12 PM - using account id 'xxxxxxx-bf4c-xxxx-xxxx-xxxxxxxxxxx'...
DEBUG: 1:13:12 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

account Id is the applicationId could you check whether it is valid?

[ReneRebsdorf]

@msJinLei FYI it works consistently with 2.10.2, using the same service principal, @lassehastrup also mentions it working with 2.10.3

Easiest way to reproduce is to:

1. Create an App Registration in Tenant A as a Multi-Tenant App Reg
2. Onboard the app to Tenant B
3. Give the app reader permission on a subscription in tenant B
4. Connect using Connect-AzAccount -ServicePrincipal -Credentials $cred -TenantId $tenantBId

The error is reproducible on Linux, Windows, and MacOS.

This is experienced when using Azure DevOps Pipelines which will perform the Connect-AzAccount against 'our' TenantId

When I update to 2.10.4 and run Get-AzContext -ListAvailable I see subscriptions relating to both our tenant, as well as for clients.

Might be worth mentioning we see this even if we try to set context using only -TenantId $tenantId (providing no subscription specification).

When changing tenant we get the warning using Set-AzContext:

'WARNING: Unable to acquire token for tenant 'X with error 'No certificate thumbprint or secret provided for the given service principal 'Y'.''

And using commands such as Get-AzResource will yield the error message:

Get-AzResource: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
No certificate thumbprint or secret provided for the given service principal 'Y'.

Debug output from Set-AzContext -TenantID $clientTenantId -Debug

DEBUG: 00:42:06 - SetAzureRMContextCommand begin processing with ParameterSet 'TenantNameOnly'.
DEBUG: 00:42:06 - using account id '823c2bdf-0bc2-4c93-b91d-e9a4bf7df1a8'...
DEBUG: 00:42:06 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

Confirm
Targeting all subsequent cmdlets in this session at a different tenant
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

DEBUG: 00:43:12 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 00:43:12 - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 00:43:12 - Using Autosave scope 'CurrentUser'
WARNING: Unable to acquire token for tenant 'c905c127-525f-47a9-83f1-bec014f6d613' with error 'No certificate thumbprint or secret provided for the given service principal '823c2bdf-0bc2-4c93-b91d-e9a4bf7df1a8'.'

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"):

Name                                     Account                                          SubscriptionName                                 Environment                                      TenantId
----                                     -------                                          ----------------                                 -----------                                      --------
 () - REDACTED CUSTOMER TENANTID… REDACTED APPLICATION ID AzureCloud                                       REDACTED TENANTID

DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.10.4; CommandName: Set-AzContext; PSVersion: 7.3.1; IsSuccess: True; Duration: 00:01:22.1493206
DEBUG: 00:43:28 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 00:43:28 - SetAzureRMContextCommand end processing.

Running a cmdlet such as Get-AzResource after the above gives:

 Get-AzResource -Debug
DEBUG: 00:44:56 - GetAzureResourceCmdlet begin processing with ParameterSet 'ByTagNameValueParameterSet'.
DEBUG: 00:44:56 - using account id 'REDACTED ACCOUNT ID'...
DEBUG: 00:44:56 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'REDACTED ACCOUNT ID', environment: 'AzureCloud', tenant: 'REDACTED CLIENT TENANT ID'
DEBUG: [Common.Authentication]: Received exception No certificate thumbprint or secret provided for the given service principal 'REDACTED ACCOUNT ID'., while authenticating.
DEBUG: 00:44:56 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Get-AzResource: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
No certificate thumbprint or secret provided for the given service principal 'REDACTED ACCOUNT ID'.
DEBUG: 00:44:56 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Resources:6.5.0; CommandName: Get-AzResource; PSVersion: 7.3.1; IsSuccess: False; Duration: 00:00:00.0129289; Exception: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
No certificate thumbprint or secret provided for the given service principal '823c2bdf-0bc2-4c93-b91d-e9a4bf7df1a8'.;
DEBUG: 00:44:56 - GetAzureResourceCmdlet end processing.

[msJinLei]

@msJinLei FYI it works consistently with 2.10.2, using the same service principal, @lassehastrup also mentions it working with 2.10.3

@ReneRebsdorf
Want to double confirm the issue the issue is only found with Az.Accounts 2.10.4 or the issue is found with Az.Accounts 2.10.2, 2.10.3, 2.10.4?