0
votes

I'm having trouble authenticating to Azure Resource Manager with a service principal. In the course of troubleshooting I noticed that Get-AzureADServicePrincipal shows AccountEnabled: False for my service principal, while Get-MsolServicePrincipal shows AccountEnabled: True for the same service principal.

C:\Users\virklba> Get-AzureADServicePrincipal -SearchString azuremaint |fl

ServicePrincipalName : https://mycompany.com/AzureMaint
ApplicationId        : 20bc779d-0edb-4a00-becf-952fda93edc5
AccountEnabled       : False <-----------
DisplayName          : AzureMaint
Id                   : 585cd6c7-403a-4940-9817-5139a254245e
Type                 :

C:\Users\virklba> Get-MsolServicePrincipal -ObjectId 585cd6c7-403a-4940-9817-5139a254245e

ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled        : True <-----------
Addresses             : {Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri}
AppPrincipalId        : 20bc779d-0edb-4a00-becf-952fda93edc5
DisplayName           : AzureMaint
ObjectId              : 585cd6c7-403a-4940-9817-5139a254245e
ServicePrincipalNames : {https://mycompany.com/AzureMaint, 20bc779d-0edb-4a00-becf-952fda93edc5}
TrustedForDelegation  : False

I tried doing Set-MsolServicePrincipal -ObjectId 585cd6c7-403a-4940-9817-5139a254245e -AccountEnabled $true, but that didn't change anything. There is no Set-AzureADServicePrincipal cmdlet.
So how do I make sure the account is really enabled?

1
How have you configured your service principal? It should have been granted permissions to the Azure Service Management API as described here: msdn.microsoft.com/en-us/library/azure/dn790557.aspx - astaykov
I followed these instructions: azure.microsoft.com/en-us/documentation/articles/… - BenV
I created another service principal following the instructions you linked - same result. Maybe it's a bug in Get-AzureADServicePrincipal. - BenV
But your service principal is working, it is just this property value from PowerShell? You can run Fiddler and inspect the calls and results from PowerShell. - astaykov
Good point. Fiddler shows that the API call behind Get-AzureADServicePrincipal is returning accountEnabled=True, so apparently it is an issue with Get-AzureADServicePrincipal. I still can't get my service principal to work in Azure Automation, but that's for another question. - BenV

1 Answer

1
votes

Confirmed with MS that this is a bug in the PS module. Also, I documented my "service principal in Azure Automation" issue here (ended up being another PS bug).