I have an Automation Runbook (PowerShell 5.1) that is failing with the following message:
Principal 'xxxxxxx' could not be resolved. Error message: 'AADSTS700016: Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' was not found in the directory 'XXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 44ad3532-d0fd-48dd-ba9e-d8d0e7cebf00 Correlation ID: 3db5fcb3-62b4-4e3c-b11d-71401397748c Timestamp: 2024-03-26 17:03:42Z'
User or role 'xxxxxxxxx' does not exist in this database.
Msg 33134, Level 16, State 1, Procedure , Line 2
The PowerShell script is:
# Connect with the Automation account's system-assigned managed identity.
# -ErrorAction Stop makes a failed sign-in a terminating error so the catch block actually runs.
try {
    $AzureContext = (Connect-AzAccount -Identity -ErrorAction Stop).context
}
catch {
    Write-Output "There is no system-assigned user identity. Aborting."
    exit
}

# Select the subscription that holds the Azure SQL server.
Set-AzContext -Subscription 'EDHC Cloud' -InformationAction SilentlyContinue

# Token scoped to Azure SQL, used instead of a SQL login below.
$access_token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token

# Idempotent creation of a contained Entra user and db_owner membership.
# In sys.database_principals, type 'E' is an external user and 'X' is an external group.
$query = `
"IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE [name] = N'xxxxx' AND TYPE = 'X')
    CREATE USER [xxxxx] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_owner','xxxxx'"

Invoke-Sqlcmd -ServerInstance "edhmcusvpwsql01.database.windows.net" -AccessToken $access_token -Database DBA -Query $query
The error occurs when executing the Invoke-Sqlcmd command.
As a side note, if I change the query to a simple SELECT command it completes successfully.
So I thought the issue is permissions related, but my system assigned managed identity has the Directory Reader role in Microsoft Entra.
Additionally, I couldn't figure out what the application identifier in the error message relates to. I ran
Get-AzADApplication -ApplicationId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
but it returned no results.
I have no idea where to look to resolve this issue.
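A pre-flight version of the runbook, added here as an illustration and not code from the question above. Two documented facts drive it: AADSTS700016 is returned by the directory the request was sent to, so the tenant id the runbook is signed in to is the first thing to compare; and CREATE USER ... FROM EXTERNAL PROVIDER is resolved by Azure SQL using the logical server's own identity (which needs the Directory Readers role in the tenant), not by the identity running Invoke-Sqlcmd, so Directory Readers on the runbook identity alone does not satisfy that lookup. The script resolves the principal in the connected tenant before issuing CREATE USER and reports what it found. $PrincipalName, $ServerFqdn and $DatabaseName are placeholders, and it assumes the Az.Accounts, Az.Resources and SqlServer modules are available in the Automation account.

```powershell
# Added example (not the original poster's code). Assumes Connect-AzAccount -Identity
# has already succeeded, as in the runbook above. All names below are placeholders.
param(
    [string]$PrincipalName = 'PLACEHOLDER-principal-name',               # name given to CREATE USER
    [string]$ServerFqdn    = 'PLACEHOLDER-server.database.windows.net',
    [string]$DatabaseName  = 'PLACEHOLDER-database'
)

# 1. Which tenant is the runbook identity actually signed in to?
#    Compare this with the directory named in the AADSTS700016 message.
$ctx = Get-AzContext
Write-Output ("Runbook identity tenant: {0}" -f $ctx.Tenant.Id)

# 2. Resolve the principal in that tenant. A name containing '@' is treated as a
#    user principal name; anything else is looked up as a group, then as a
#    service principal, which is how Azure SQL interprets a bare display name.
$resolved = $null
if ($PrincipalName -like '*@*') {
    $u = Get-AzADUser -UserPrincipalName $PrincipalName
    if ($u) { $resolved = [pscustomobject]@{ Kind = 'User'; Id = $u.Id; Name = $u.UserPrincipalName } }
}
else {
    $g = Get-AzADGroup -DisplayName $PrincipalName
    if ($g) { $resolved = [pscustomobject]@{ Kind = 'Group'; Id = $g.Id; Name = $g.DisplayName } }
    if (-not $resolved) {
        $sp = Get-AzADServicePrincipal -DisplayName $PrincipalName
        if ($sp) {
            $resolved = [pscustomobject]@{ Kind = 'ServicePrincipal'; Id = $sp.Id; Name = $sp.DisplayName; AppId = $sp.AppId }
        }
    }
}

if (-not $resolved) {
    Write-Output "'$PrincipalName' does not resolve to a user, group or service principal in tenant $($ctx.Tenant.Id). CREATE USER ... FROM EXTERNAL PROVIDER cannot succeed for it; check the name and the tenant."
    exit
}
Write-Output ("Resolved {0} '{1}' (object id {2})" -f $resolved.Kind, $resolved.Name, $resolved.Id)

# 3. Token for Azure SQL. Newer Az.Accounts versions return Token as a SecureString;
#    convert only in that case so the script works with either module generation.
$tok = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
if ($tok -is [securestring]) {
    $tok = [System.Net.NetworkCredential]::new('', $tok).Password
}

# 4. Idempotent contained-user creation. sys.database_principals stores external
#    users as type 'E' and external groups as type 'X', so the existence check
#    covers both. The name is escaped for both the literal and the bracketed
#    identifier, and role membership uses ALTER ROLE instead of sp_addrolemember.
$literalName = $PrincipalName -replace "'", "''"
$bracketName = $PrincipalName -replace '\]', ']]'
$query = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE [name] = N'$literalName' AND [type] IN ('E', 'X'))
    CREATE USER [$bracketName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [$bracketName];
"@

Invoke-Sqlcmd -ServerInstance $ServerFqdn -AccessToken $tok -Database $DatabaseName -Query $query
```

If step 2 reports a different tenant than the one the principal lives in, or reports no match at all, Azure SQL's lookup will fail the same way the runbook's does, which is worth knowing before touching the server. If the principal does resolve, the remaining lookup is done by the SQL server's identity, so the server's managed identity and its Directory Readers assignment are the next things to verify. db_owner is kept because it is what the question uses; a narrower fixed role (db_datareader, db_datawriter) is usually enough for an automation identity.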