I have a PowerShell script for configuring Azure Key Vault, and I'm running each command one by one to observe the execution flow:
#Log into Azure
Add-AzAccount
Result:
#Select the correct subscription
Get-AzSubscription -SubscriptionName "Test Subscription" | Select-AzSubscription
Error:
Get-AzSubscription -SubscriptionName "Test Subscription" | Select-AzS …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| SharedTokenCacheCredential authentication failed: AADSTS9002332: Application '<some_Guid_id>'(Windows Azure Service Management API) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
I didn't find much detail about the above error to help resolve the issue.
Note:
- I'm the owner of my Azure tenant/subscription, and I'm logged in with the same account credentials in Visual Studio Code to execute the PowerShell script.
2 Answers
To log into Azure, I would suggest using:
Connect-AzAccount
To set the Azure subscription you want to work in:
Set-AzContext -SubscriptionName 'paste-your-subscription-name-here'
I can see that the user principal name of the user you're logging in with in the Azure PowerShell command ends with the external identity provider, i.e., gmail.com. If that user is the root user (Tenant Owner + Subscription Owner), then you cannot log in with Add-AzAccount because they are added as external users. To log in with that command, you have to add the user in that subscription and give the Global Administrator as Azure AD Role and the required role at Subscription level, such as Owner, Contributor, etc.
Hence, this new user is part of your Azure Tenant Domain and the UPN ends with the domain, such as onmicrosoft.com or any other configured custom domain. For more information on External Users, Guest Users, and Tenant Domain users, refer to these similar issues: SO #35727866 given by the user @PhilippeSignoret and MS Q&A #81053 by the user @VasilMichev.
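The steps from the two answers above combined into one script, as an added example that is not part of either answer: it signs in, flags a sign-in name whose domain is outside the tenant's own domains, and then selects the subscription. The subscription name and the tenant domain list are placeholders, and Test-ExternalUpn is a hypothetical helper, not an Az cmdlet.

```powershell
# Added example. Assumes the Az.Accounts module is installed.
# $SubscriptionName and $TenantDomains are placeholders to replace with your own values.
$SubscriptionName = 'paste-your-subscription-name-here'
$TenantDomains    = @('contoso.onmicrosoft.com')   # constructed sample value

function Test-ExternalUpn {
    # Hypothetical helper: returns $true when the sign-in name's domain
    # is not one of the tenant's own domains (comparison is case-insensitive).
    param(
        [Parameter(Mandatory)][string]   $Upn,
        [Parameter(Mandatory)][string[]] $Domains
    )
    $suffix = ($Upn -split '@')[-1]
    return ($Domains -notcontains $suffix)
}

try {
    # Interactive sign-in; stop immediately if authentication fails.
    Connect-AzAccount -ErrorAction Stop | Out-Null

    # The account Id of a user sign-in is the UPN or e-mail address used to log in.
    $account = (Get-AzContext).Account.Id
    if (Test-ExternalUpn -Upn $account -Domains $TenantDomains) {
        Write-Warning "$account does not end with a tenant domain; it is an external identity in this tenant."
    }

    # Select the subscription to work in, then show what the session is bound to.
    Set-AzContext -SubscriptionName $SubscriptionName -ErrorAction Stop | Out-Null
    $ctx = Get-AzContext
    [pscustomobject]@{
        Account      = $ctx.Account.Id
        Tenant       = $ctx.Tenant.Id
        Subscription = $ctx.Subscription.Name
    }
}
catch {
    # Surfaces AADSTS errors such as the one quoted in the question.
    Write-Error "Sign-in or subscription selection failed: $($_.Exception.Message)"
}
```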