Lesson Learned: Azure Stack Azure Active Directory Application Creation

I recently deployed App Services again to my production Azure Stack. Again? Yes, even though it is a “production” stack, in reality it is used more for developing services, testing, etc. So that should explain the “again” part. I have been deploying App Services since 1.1 or 1.2, even back when Azure Stack was still TP2 and TP3. You would think I would have this down and it would be flawless for me, right? Welcome to the world of Kris. So this is another reason I blog: not only to try to help others not do what I did the first, second or third time, but also to help me remember what not to do.

I am at the step in preparing for App Services where you are to create the Azure Active Directory application. I think the reason I may have run into some issues is that normally I don’t remove the AAD application and just reuse it every time I have redeployed App Services. (For this specific Stack, that is.) This time I had removed it because I ran into some issues I thought were App Service related, but they ended up being something totally different, and I spent many hours troubleshooting something that wasn’t actually causing the issue.

This was supposed to be a short lessons learned blog. Ha! I write what is in my head and there is a lot of stuff floating up here so forgive me for dragging this blog out.

Anyway, back to the Azure Active Directory Application issue I was running into.

Azure Active Directory Application Creation Issue

So using the Microsoft Documentation for Offer App Service as PaaS in the section called Create an Azure Active Directory application I went forward with running the following PowerShell cmdlet Create-AADIdentityApp.ps1. The first time I didn’t give it any of the required parameters. So it prompted me for all the required parameters except for one. (Is this called foreshadowing?)

The script started to run, it prompted me for my Admin credentials and I entered them. Things looked good until kaput!

PS C:\temp\AppService\1.4\AppServiceHelperScripts> .\Create-AADIdentityApp.ps1

cmdlet Create-AADIdentityApp.ps1 at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
DirectoryTenantName: xxxxxxxx.onmicrosoft.com
AdminArmEndpoint: adminmanagement.xxx.azurestack.xxxxxx.com
TenantArmEndpoint: management.xxx.azurestack.xxxxxxxx.com
CertificateFilePath: C:\temp\AppService\Certificates\AppServices\sso_appservcies_dfw.pfx
CertificatePassword: ************
VERBOSE: Removing the imported "Find-GraphApplication" function.
VERBOSE: Removing the imported "Find-GraphApplicationDataByServicePrincipalTag" function.


Add-AzureRmAccount : Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxxxx.onmicrosoft.com'. Please ensure that
the provided service principal is found in the provided tenant domain.
At C:\temp\AppService\1.4\AppServiceHelperScripts\Common.ps1:22 char:21
+     $azureAccount = Add-AzureRmAccount @params
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzureRmAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

So this time I tried again but gave it all the parameters that were required except for one. More foreshadowing?

Add-AzureRmAccount : Value cannot be null.
Parameter name: Could not find tenant id for provided tenant domain 'xxxxxxxxxx.onmicrosoft.com'. Please ensure that the provided service principal is found in the provided tenant domain.
At C:\temp\AppService\1.4\AppServiceHelperScripts\Common.ps1:22 char:21
+     $azureAccount = Add-AzureRmAccount @params
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzureRmAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

I am looking at the error above and see that it says it can’t find the id for the provided tenant domain. However, it keeps prompting me with a pop-up to sign on to that tenant.

I am a little confused at this point. So I go back to the Microsoft Documentation. (My life story! Always going back to the Microsoft Documentation and getting the slap in the face!)

Yep, one of the required parameters I had never included.

Parameter                  Required or optional   Default value   Description
AzureStackAdminCredential  Required               Null            Azure AD service admin credential.

I do have to say that I thought since it was popping up the sign in window that somehow those credentials would pass through. Nope, that isn’t the case. So I added the required parameter “-AzureStackAdminCredential.”

Amazingly the script worked and within a few minutes I had my newly created Azure Active Directory application ID. I was now again ready to deploy App Services.
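For anyone who wants to avoid the same trap, here is an added example (mine, not from the Microsoft helper scripts) that invokes Create-AADIdentityApp.ps1 with every parameter passed explicitly, including -AzureStackAdminCredential, and checks the inputs before the script attempts the sign-in. It assumes the parameter names shown in the prompts above, that CertificatePassword is a SecureString (the script masks it at the prompt), and uses placeholder tenant, endpoint and certificate values.

```powershell
# Added example, not part of the original post or the helper scripts.
# Goal: pass every required parameter up front so Add-AzureRmAccount inside
# Common.ps1 never runs with a null credential ("Could not find tenant id").
# Assumptions: parameter names as shown in the script's prompts; CertificatePassword
# is a SecureString; all values below are constructed placeholders.

$DirectoryTenantName = 'contoso.onmicrosoft.com'                          # placeholder
$AdminArmEndpoint    = 'adminmanagement.local.azurestack.external'        # placeholder
$TenantArmEndpoint   = 'management.local.azurestack.external'             # placeholder
$CertificateFilePath = 'C:\temp\AppService\Certificates\AppServices\sso.appservice.pfx'  # placeholder

# Prompt for secrets rather than embedding them in the script or shell history.
$AzureStackAdminCredential = Get-Credential -Message "Azure AD service admin for $DirectoryTenantName"
$CertificatePassword       = Read-Host -AsSecureString -Prompt 'PFX password'

# Pre-flight checks. The interactive sign-in pop-up does NOT substitute for the
# -AzureStackAdminCredential parameter, so make sure it is actually populated.
if (-not $AzureStackAdminCredential -or -not $AzureStackAdminCredential.UserName) {
    throw 'AzureStackAdminCredential is required; the sign-in pop-up does not replace it.'
}

# The error text asks that the principal be found in the provided tenant domain,
# so warn when the credential's UPN domain does not match DirectoryTenantName.
# (Warn rather than throw: accounts on a custom verified domain are legitimate.)
$upnDomain = ($AzureStackAdminCredential.UserName -split '@')[-1]
if ($upnDomain -ne $DirectoryTenantName) {
    Write-Warning "Credential domain '$upnDomain' differs from DirectoryTenantName '$DirectoryTenantName'."
}

if (-not (Test-Path -Path $CertificateFilePath -PathType Leaf)) {
    throw "Certificate file not found: $CertificateFilePath"
}

# Splat all parameters so nothing required is left to an interactive prompt.
$params = @{
    DirectoryTenantName       = $DirectoryTenantName
    AdminArmEndpoint          = $AdminArmEndpoint
    TenantArmEndpoint         = $TenantArmEndpoint
    CertificateFilePath       = $CertificateFilePath
    CertificatePassword       = $CertificatePassword
    AzureStackAdminCredential = $AzureStackAdminCredential
}
.\Create-AADIdentityApp.ps1 @params
```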

Final Thoughts

I really only have one final thought for this blog. Read the documentation. Which seems to be something I keep saying to myself over and over and over and over again. Old habits die hard and I know that I will be once again saying Read the documentation again one day.
