
Connect-AzAccount "Value cannot be null" on 2.11.1. #20728

Closed
LainRobertson opened this issue Jan 21, 2023 · 14 comments · Fixed by #22100
Labels
Accounts Issues in Az.Accounts except authentication related ARM - RBAC Authentication bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported needs-team-attention This issue needs attention from Azure service team or SDK team Service Attention This issue is responsible by Azure service team. Tracking We will track status and follow internally

Comments

@LainRobertson

LainRobertson commented Jan 21, 2023

Description

Hi, folks.

Using Connect-AzAccount from Az.Accounts version 2.7.6 with a certificate works, whereas it fails under version 2.11.1.

In my case, the certificate is stored in the user profile (Cert:\CurrentUser\My), not the computer profile (Cert:\LocalMachine\My.)

I'm not a fan of guessing, but it "feels" like 2.11.1 is perhaps only checking the computer store. Regardless, I've backdated to the working 2.7.6 as I don't currently have the time to investigate it - or any in-between versions - further.

Failure under 2.11.1:
image

Success under module 2.7.6:
image

Cheers,
Lain

Edited for a grammatical correction and to sanitise the failure screenshot.

Issue script & Debug output

Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ServicePrincipal;

Environment data

PS C:\Data\Scripts> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.2364
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.2364
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

The two versions listed in the brief: 2.7.6 (working) and 2.11.1 (not working.)

Error output

PS C:\Data\Scripts> Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ServicePrincipal;
Connect-AzAccount : Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

PS C:\Data\Scripts> $Error[0].exception | fl *
Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
@LainRobertson LainRobertson added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jan 21, 2023
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jan 21, 2023
@dingmeng-xue
Member

@LainRobertson, thanks for reporting. We will check this issue next week because the developer is off.

It would be great if you could share the error trace by executing $Error[0].exception | fl * -f.

@dingmeng-xue dingmeng-xue added Authentication Accounts Issues in Az.Accounts except authentication related Tracking We will track status and follow internally labels Jan 23, 2023
@LainRobertson
Author

Hi, @dingmeng-xue.

Thanks for the reply!

PS C:\Data\Scripts> $Error[0].exception | fl * -Force


Message        : Value cannot be null.
                 Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
                 'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
ParamName      : Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
                 'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
Data           : {}
InnerException :
TargetSite     : Microsoft.Azure.Commands.Common.Authentication.Models.AzureRmProfile Login(Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureAccount,
                 Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureEnvironment, System.String, System.String, System.String, System.Security.SecureString,
                 Boolean, System.Action`1[System.String], System.String, Boolean, Int32, System.String)
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String
                 subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList,
                 Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.Tasks.Task.Execute()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient
                 profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HelpLink       :
Source         : Microsoft.Azure.PowerShell.Cmdlets.Accounts
HResult        : -2147467261

@isra-fel
Member

isra-fel commented Feb 1, 2023

This exception is thrown when we couldn't find the provided tenant among all the tenants that the account has access to. But it still doesn't make sense because 2.7.6 works. Needs further investigation.

https://github.com/Azure/azure-powershell/blob/main/src/Accounts/Accounts/Models/RMProfileClient.cs#L189

@isra-fel
Member

isra-fel commented Feb 2, 2023

Hi @msJinLei, could you check whether we can reproduce this issue ourselves?
I'm not 100% sure whether this could be related to the recent code change to the key store. Could you confirm?
If it is not related to the key store, we may need to compare the code changes between the two versions.

@msJinLei
Contributor

msJinLei commented Feb 2, 2023

The error message shows that the service principal is not found in the provided tenant.

@LainRobertson could you run

Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ServicePrincipal -Debug

We would like to check the error log from MSAL.Desktop.

Thanks

@msJinLei msJinLei added the needs-author-feedback More information is needed from author to address the issue. label Feb 2, 2023
@LainRobertson
Author

LainRobertson commented Feb 2, 2023

@msJinLei

Here we go. I've uninstalled 2.7.6 and re-installed 2.11.1 (using Install-Module -Name Az.Accounts -Force -Scope AllUsers;) to produce the following:

PS C:\Data\Scripts> Get-Module -ListAvailable -Name Az.Accounts


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.11.1     Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave...}


PS C:\Data\Scripts> Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ServicePrincipal -Debug;
DEBUG: 4:36:19 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ServicePrincipalCertificateWithSubscriptionId'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
DEBUG: 4:36:20 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:36:20 PM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].

Confirm
Are you sure you want to perform this action?
Performing the operation "log in" on target "ServicePrincipal account in environment 'AzureCloud'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
DEBUG: 4:36:21 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 4:36:21 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 4:36:21 PM - Using Autosave scope 'CurrentUser'
DEBUG: 4:36:21 PM - [ServicePrincipalAuthenticator] Calling ClientCertificateCredential.GetTokenAsync - Thumbprint:'4exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf6',
ApplicationId:'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c', TenantId:'xxxxxxx.onmicrosoft.com', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientCertificateCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] MSAL MSAL.Desktop with assembly
version '4.49.1.0'. CorrelationId(94343069-0071-46db-9733-6f0bc1c8e432)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] ===
AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 94343069-0071-46db-9733-6f0bc1c8e432
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] === Token Acquisition
(ClientCredentialRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] [Instance Discovery] Instance
discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] [Region discovery] Not using a
regional authority.
DEBUG: Request [566bb5d4-389d-42a1-8a86-61a93e41c42a] POST https://login.microsoftonline.com/xxxxxxx.onmicrosoft.com/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:566bb5d4-389d-42a1-8a86-61a93e41c42a
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.4515.0; Microsoft Windows 10.0.19044 )
client assembly: Azure.Identity
DEBUG: Response [566bb5d4-389d-42a1-8a86-61a93e41c42a] 200 OK (00.2s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:2db83205-1d84-419a-b53b-7e5e59504c00
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Thu, 02 Feb 2023 08:36:21 GMT
Content-Length:1497
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] ScopeSet was missing from the
token response, so using developer provided scopes in the result.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Checking client info returned from
 the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] [SaveTokenResponseAsync] ID Token
not present in response.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Cannot determine home account id -
 or id token or no client info and no subject
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] [SaveTokenResponseAsync] Saving AT
 in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Looking for scopes for the
authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Intersecting scope entries count -
 0
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432]  AT expiration time: 2/02/2023
9:36:20 AM +00:00, scopes: https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-02-02 08:36:21Z - 94343069-0071-46db-9733-6f0bc1c8e432] Fetched access token from host
login.microsoftonline.com.
DEBUG: ClientCertificateCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn:
2023-02-02T09:36:20.4393188+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
x-ms-client-request-id        : 7fc18ae6-7d80-4fb7-8945-3cea1f8bf542
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id               : feae9ddf-647a-41f5-b5fc-a76800677c1a
x-ms-correlation-request-id   : feae9ddf-647a-41f5-b5fc-a76800677c1a
x-ms-routing-request-id       : AUSTRALIAEAST:20230202T083621Z:feae9ddf-647a-41f5-b5fc-a76800677c1a
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 02 Feb 2023 08:36:20 GMT

Body:
{
  "value": [
    {
      "id": "/tenants/c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantId": "c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantCategory": "Home"
    }
  ]
}

DEBUG: 4:36:21 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].

Confirm
Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
Connect-AzAccount : Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Tenant $Tenant -ApplicationId $AppId -CertificateT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

DEBUG: 4:36:22 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.11.1; CommandName: Connect-AzAccount; PSVersion: 5.1.19041.2364; IsSuccess: False; Duration: 00:00:03.7017287; Exception:
Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal
'f7xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx3c' is found in the provided tenant domain.;
DEBUG: 4:36:22 PM - ConnectAzureRmAccountCommand end processing.

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Feb 2, 2023
@msJinLei
Contributor

msJinLei commented Feb 2, 2023

@LainRobertson The workaround is to use the tenantId c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx rather than the domain to log in.

We will check other things further.

@LainRobertson
Author

@msJinLei

Thanks for the response!

That said, I might just wait for a future release to fix the issue, as I know the customer won't take having to use a GUID too kindly. There's been enough struggling around GUIDs in this project (between Active Directory and Azure Active Directory) already.

Cheers,
Lain

@isra-fel
Member

isra-fel commented Feb 2, 2023

The response of the "tenant list" API didn't contain domain names (unlike when signing in as a user):

{
  "value": [
    {
      "id": "/tenants/c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantId": "c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantCategory": "Home"
    }
  ]
}

which caused the exception. However, the question remains why 2.7.6 could work. Maybe because the API version is different?

To resolve the issue, we could either obtain the GUID of the tenant from the authentication result of Azure.Identity, or, like Azure CLI, leverage the OpenID well-known configuration document to get the GUID. (Thanks to @jiasli for the suggestion.)

https://github.com/Azure/azure-cli/blob/a7afdf11ab917e257e99b03890804c8b50a4b8ee/src/azure-cli/azure/cli/command_modules/profile/_validators.py

@msJinLei
Contributor

msJinLei commented Feb 16, 2023

@LainRobertson @isra-fel
Az.Accounts 2.7.6 doesn't support login with a tenant domain name. It's a new feature supported since Az.Accounts 2.10.2.

However, the previous product code won't report an error when you try to connect Az.Accounts with an invalid tenant name or id if it can find a valid tenant for you to log in to (it uses a fallback login by design).

When the new feature is applied, Az.Accounts filters the input tenant domain against all the tenant domains attached to your account. In your case, the response from the server doesn't return the domains attached to the tenant. I tried with my application Id and found the response is the same. As far as I observe, a service principal account doesn't receive the tenant domains. If that is always true, we should not allow login with a domain when using a service principal.
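Added example, not code from this issue or from Az.Accounts: a PowerShell helper that does what the two comments above describe, matching the -Tenant value against the tenants list's domains when that metadata is present and otherwise reading the tenant GUID from the OpenID Connect discovery document (the Azure CLI approach isra-fel references), so the cmdlet receives a GUID while the script keeps the friendly domain name. The function names, the sample tenants JSON and its GUID are constructed for the example.

```powershell
# Added example (not from the issue or from Az.Accounts). Function names are hypothetical
# and the tenants-list JSON below is constructed to mirror the service-principal response
# shown in this thread, with a made-up GUID.

function Get-TenantIdFromOidc {
    # The OpenID Connect discovery document is public and needs no token. Its "issuer"
    # has the form https://login.microsoftonline.com/<tenant-guid>/v2.0, which is the
    # lookup Azure CLI performs and that isra-fel suggests above.
    param(
        [Parameter(Mandatory)] [string] $TenantDomain,
        [string] $AuthorityHost = 'https://login.microsoftonline.com'
    )
    $uri = "$AuthorityHost/$TenantDomain/v2.0/.well-known/openid-configuration"
    $doc = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop
    if ($doc.issuer -match '/([0-9a-fA-F-]{36})/v2\.0/?$') { return $Matches[1] }
    throw "Could not extract a tenant id from issuer '$($doc.issuer)'"
}

function Resolve-AzTenantId {
    # Returns the tenant GUID for a -Tenant value that may be a GUID or a domain name.
    # $TenantsResponse is the parsed body of GET /tenants?api-version=2021-01-01 when one
    # is available; before login a service principal normally has no such list yet.
    param(
        [Parameter(Mandatory)] [string] $Tenant,
        $TenantsResponse = $null,
        [switch] $NoNetwork
    )
    # 1. Already a GUID: nothing to resolve.
    $guid = [guid]::Empty
    if ([guid]::TryParse($Tenant, [ref] $guid)) { return $guid.ToString() }

    # 2. Match the domain against each tenant's 'domains' array. User sign-ins get that
    #    array; the service-principal response in this thread carries only id,
    #    tenantId and tenantCategory, so this loop finds nothing and 2.11.1 throws.
    if ($TenantsResponse) {
        foreach ($t in $TenantsResponse.value) {
            if ($t.PSObject.Properties['domains'] -and ($t.domains -contains $Tenant)) {
                return $t.tenantId
            }
        }
    }

    # 3. No domain metadata: fall back to OIDC discovery rather than throwing.
    if ($NoNetwork) { return $null }
    return Get-TenantIdFromOidc -TenantDomain $Tenant
}

# Constructed sample: the shape of the /tenants response a service principal received above.
$spTenants = @'
{
  "value": [
    {
      "id": "/tenants/11111111-2222-3333-4444-555555555555",
      "tenantId": "11111111-2222-3333-4444-555555555555",
      "tenantCategory": "Home"
    }
  ]
}
'@ | ConvertFrom-Json

# Offline check of the failure mode: no 'domains' in the response, so no match is possible.
$offline = Resolve-AzTenantId -Tenant 'contoso.onmicrosoft.com' -TenantsResponse $spTenants -NoNetwork
"Domain match without 'domains' metadata: $(if ($null -eq $offline) { 'none (the 2.11.1 failure)' } else { $offline })"

# Pre-login use: resolve the domain name from config to a GUID via OIDC discovery, then
# hand the GUID to the cmdlet; $Tenant, $AppId and $Thumbprint are the issue's variables.
$tenantId = Resolve-AzTenantId -Tenant $Tenant
Connect-AzAccount -Tenant $tenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint -ServicePrincipal
```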

@dolauli
Contributor

dolauli commented Mar 22, 2023

@msJinLei Any update on this?

@msJinLei
Contributor

msJinLei commented Mar 22, 2023

Hi service team,

We find that the list-tenants response contains less information for a service principal account than is listed in the document https://learn.microsoft.com/en-us/rest/api/resources/tenants/list?tabs=HTTP.

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
x-ms-client-request-id        : 7fc18ae6-7d80-4fb7-8945-3cea1f8bf542
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id               : feae9ddf-647a-41f5-b5fc-a76800677c1a
x-ms-correlation-request-id   : feae9ddf-647a-41f5-b5fc-a76800677c1a
x-ms-routing-request-id       : AUSTRALIAEAST:20230202T083621Z:feae9ddf-647a-41f5-b5fc-a76800677c1a
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 02 Feb 2023 08:36:20 GMT

Body:
{
  "value": [
    {
      "id": "/tenants/c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantId": "c5852f23-3xxx-4xxx-bxxx-51xxxxxxxxxx",
      "tenantCategory": "Home"
    }
  ]
}

Could you help to take a look at the issue?

@msJinLei msJinLei added ARM Service Attention This issue is responsible by Azure service team. labels Mar 22, 2023
@ghost

ghost commented Mar 22, 2023

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.


@msJinLei msJinLei removed their assignment Mar 22, 2023
@msJinLei msJinLei added ARM - RBAC and removed ARM labels Mar 22, 2023
@ghost

ghost commented Mar 22, 2023

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @LizMS, @cbrooksmsft.

