EXCEPTION: Please provide a valid tenant or a valid subscription.

Question

EXCEPTION: Please provide a valid tenant or a valid subscription.

Dhaval Shah 20

Hello,

We have one Azure function app function with one Powershell script running. we have stored the value of secrets in the key vault and in the PowerShell script it retrieves from the key vault. when powershell script runs it shows the below error.
[Error] EXCEPTION: Please provide a valid tenant or a valid subscription.

We have checked the vault and the value is correct in the key vault. Please find the attached screenshot of the error.

Can you please help here User's image

MuthuKumaranMurugaachari-MSFT 22,431 Reputation points Moderator

2024-02-23T15:00:54.7033333+00:00
Dhaval Shah Thanks for posting your question in Microsoft Q&A. Going through the discussion, I assume you have the following code snippet running in your PowerShell Azure Function:

#Getting Keyvault Secret $OnboardingParams = Invoke-Expression $((Get-AzKeyVaultSecret -VaultName $env:KeyvaultName -Name "FUN-ONBOARDING-PARAMS").SecretValueText); Set-AzContext -Subscription $OnboardingParams.AzSubscription;

There are few things to validate:

You already validated the secret in the Key Vault. have you validated if $OnboardingParams.AzSubscription is correctly reflecting Subscription ID or Name? (Since the exception is thrown in SetCurrentContext.

If the subscription is correct, then make sure to enable managed identity for the function app (if not) and assign appropriate RBAC role such as reader to the targeted subscription.

If the validation is successful, then validate and make sure latest versions referred in your requirement file. Let me know for any questions or still face the issue.

2 answers

Your answer

MuthuKumaranMurugaachari-MSFT 22,431 Reputation points Moderator

2024-02-23T15:00:54.7033333+00:00

Dhaval Shah Thanks for posting your question in Microsoft Q&A. Going through the discussion, I assume you have the following code snippet running in your PowerShell Azure Function:

#Getting Keyvault Secret $OnboardingParams = Invoke-Expression $((Get-AzKeyVaultSecret -VaultName $env:KeyvaultName -Name "FUN-ONBOARDING-PARAMS").SecretValueText); Set-AzContext -Subscription $OnboardingParams.AzSubscription;

There are few things to validate:

You already validated the secret in the Key Vault. have you validated if $OnboardingParams.AzSubscription is correctly reflecting Subscription ID or Name? (Since the exception is thrown in SetCurrentContext.

If the subscription is correct, then make sure to enable managed identity for the function app (if not) and assign appropriate RBAC role such as reader to the targeted subscription.

If the validation is successful, then validate and make sure latest versions referred in your requirement file. Let me know for any questions or still face the issue.

Answer 1

Deepanshukatara-6769 16,160 Moderator

Hi , Verify that the Azure Function App has the necessary permissions to access the Key Vault. The managed identity or service principal associated with the Azure Function App should have at least "Get" permissions on secrets in the Key Vault. check document for details to assign permissions on KV https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal Please accept answer if it helps

Dhaval Shah 20 Reputation points

2024-02-23T10:00:54.23+00:00

Hello, We have already permission in the key vault for Entra Application.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T10:03:17.82+00:00

What type of Permissions may I know please?
Dhaval Shah 20 Reputation points

2024-02-23T10:05:17.12+00:00

Please see the below screenshot.
Dhaval Shah 20 Reputation points

2024-02-23T10:05:58.38+00:00

Please see the below screenshot.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T10:10:47.4566667+00:00

And does this svc-updateuser is connected to Azure function where running scripts? and if yes then issue with script , please share that to have a right fix
Dhaval Shah 20 Reputation points

2024-02-23T10:15:02.2866667+00:00

This is the Entra Appplication name and we have stored the value in the key vault.

Please find the below PowerShell script stored in the azure function.

#Getting Keyvault Secret $OnboardingParams = Invoke-Expression $((Get-AzKeyVaultSecret -VaultName $env:KeyvaultName -Name "FUN-ONBOARDING-PARAMS").SecretValueText); Set-AzContext -Subscription $OnboardingParams.AzSubscription
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T10:25:29.79+00:00

Retrieve the secret value from Key Vault

$secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText

Convert the secret JSON string to an object

$onboardingParams = ConvertFrom-Json $secret

Set Azure context using the subscription ID from the retrieved secret

Set-AzContext -Subscription $onboardingParams.AzSubscription Simply use this and try
Dhaval Shah 20 Reputation points

2024-02-23T10:30:30.9133333+00:00

Hi, I have tried bu t it shows me error.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T10:32:55.3566667+00:00

Ok , can you please: Verify the secret value stored in the Key Vault to ensure it is valid JSON format. It should be a properly formatted JSON string with key-value pairs. If the secret value is not in JSON format or contains invalid characters, it will result in the "Invalid JSON primitive" error. And if it is in a plain text then we need to convert in to json we can simply get it as plain text
Dhaval Shah 20 Reputation points

2024-02-23T10:39:23.5966667+00:00

For security reasons, i can not paste the secret value here but it is in below format.
@{Environment='<envname>';ApiManagement='<API Instance name>';AzureResourceGroup='<rgname>';LogAnalytics='<loganalyticsname>';TenantId='<tenantid>';ClientId='<EntraApplicatioId>';ClientSecret='<EntraApplicationSecret>';AzSubscription='<Subscriptionid>'}
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T10:46:18.26+00:00
Thank you for providing the format of the secret value. Based on the format you provided, it seems that the secret value is in PowerShell hashtable format, rather than JSON format. Therefore, you should treat it as a hashtable rather than attempting to convert it from JSON. Here's how you can modify your script to work with the provided format

try { # Retrieve the secret value from Key Vault $secret = Get-AzKeyVaultSecret -VaultName "

Please try this and let us know if any error
Dhaval Shah 20 Reputation points

2024-02-23T10:48:44.5366667+00:00

I think the code block was not properly copied. can you please check
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T11:11:58.1966667+00:00
try { # Retrieve the secret value from Key Vault $secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText

# Convert the secret string to a PowerShell hashtable $onboardingParams = Invoke-Expression $secret # Set Azure context using the subscription ID from the retrieved secret Set-AzContext -Subscription $onboardingParams.AzSubscription

} catch { Write-Host "Error: $_" }

Answer 2

Deepanshukatara-6769 16,160 Moderator

Please check this

try {
    # Retrieve the secret value from Key Vault
    $secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText

    # Convert the secret string to a PowerShell hashtable
    $onboardingParams = Invoke-Expression $secret

    # Set Azure context using the subscription ID from the retrieved secret
    Set-AzContext -Subscription $onboardingParams.AzSubscription
}
catch {
    Write-Host "Error: $_"
}

Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T11:56:06.6333333+00:00

@User , can you please update ?
Dhaval Shah 20 Reputation points

2024-02-23T13:14:32.66+00:00
Only problem in the this command.
receiving same exception error that I share in starting.

Set-AzContext -Subscription $OnboardingParams.AzSubscription
Dhaval Shah 20 Reputation points

2024-02-23T13:16:46.6066667+00:00

2024-02-23T08:49:26Z [Error] EXCEPTION: Please provide a valid tenant or a valid subscription. Exception : Type : System.ArgumentException Message : Please provide a valid tenant or a valid subscription. TargetSite : Name : SetCurrentContext DeclaringType : Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient MemberType : Method Module : Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll Source : Microsoft.Azure.PowerShell.Cmdlets.Accounts HResult : -2147024809
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-23T13:48:27.7666667+00:00

Hi , I reproduced the issue and it is working fine for me so it is maybe Invalid Subscription ID: The subscription ID retrieved from the secret might be incorrect or invalid.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-26T06:51:34.5866667+00:00

@Dhaval , Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Dhaval Shah 20 Reputation points

2024-02-26T10:07:48.9066667+00:00

We have tried the try-and-catch block, but it does not work.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-26T11:30:47.7066667+00:00
So as per above comment , There are few things to validate:

You already validated the secret in the Key Vault. have you validated if $OnboardingParams.AzSubscription is correctly reflecting Subscription ID or Name? (Since the exception is thrown in SetCurrentContext.)

If the subscription is correct, then make sure to enable managed identity for the function app (if not) and assign appropriate RBAC role such as reader to the targeted subscription.
Dhaval Shah 20 Reputation points

2024-02-26T11:34:19.5233333+00:00

Hello,

We have verified both things and its correct.
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-26T11:42:35.7+00:00

Ok , please lastly Check Azure AD Tenant ID: Ensure that the Azure AD Tenant ID associated with the subscription is correct. This ID should match the Azure AD tenant where the function app is deployed. You can retrieve the Azure AD Tenant ID from the Azure portal
Dhaval Shah 20 Reputation points

2024-02-26T11:45:31.1033333+00:00

Tenant Id was correct. we already verified that
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-26T12:07:57.2933333+00:00

I think better to connect on meeting somewhere .
Dhaval Shah 20 Reputation points

2024-02-26T12:14:43.6466667+00:00

Can we connect tomorrow during IST time?
Dhaval Shah 20 Reputation points

2024-02-26T12:15:31.6366667+00:00

Can we connect tomorrow during IST time?
Deepanshukatara-6769 16,160 Reputation points Moderator

2024-02-29T15:10:37.1766667+00:00

Hi Dhaval , did it got resolved?

Share via

EXCEPTION: Please provide a valid tenant or a valid subscription.

2 answers

Retrieve the secret value from Key Vault

Convert the secret JSON string to an object

Set Azure context using the subscription ID from the retrieved secret

Your answer