Login-AzureRmAccount : The provided account does not have access to subscription ID

You might get the above error message in Azure PowerShell when using the Login-AzureRmAccount cmdlet with the subscription Id parameter, even though you submit a valid subscription Id and log in with an account that has access to the subscription.

SOLUTION: Use the Tenant Id parameter along with the Subscription Id in order to log in to the subscription, as below.

Login-AzureRmAccount -SubscriptionId <subscription id> -TenantId <tenant Id>

Scenario

This is because the cmdlet checks the subscription against a particular tenant in Azure. To understand this, consider the following scenario. The Id user@domain.com is attached to 2 Azure accounts: it is the service administrator Id for one account and a co-administrator for the subscriptions in the other account. The diagram below explains this.

image

When you log in through Login-AzureRmAccount using the credentials without specifying any parameters, you will be logged in to a subscription.

image

In my test case this was Subscription 2, which is in an Azure account that doesn’t belong to me, but I’m a co-administrator for subscriptions 2 and 3.

In order to access Subscription 3, which is attached to Tenant 2, just specifying the subscription Id in the cmdlet is enough, as below.

image

Next, try to log in to Subscription 1 under Account 1 in the same way, by specifying the subscription Id.

image

As you can see, the user account has full access to Account 1 and Subscription 1. In fact, it has higher access to this subscription than to subscriptions 2 and 3, since it is the service administrator for Subscription 1. Still, the error says that the account does not have access to the subscription.

This is because the Resource Manager login is associated with Tenant 2 and not with Tenant 1. So when I submitted a subscription Id which is not associated with the Tenant 1, it gave the error. In order to solve this, provide the Tenant Id as a parameter as well.

image
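
When the owning tenant of a subscription is not known up front, the lookup can be scripted. The following is an added example, not part of the original post: the function name Connect-AzureRmSubscriptionInTenant is hypothetical, and it assumes the AzureRM module's Get-AzureRmTenant, Get-AzureRmSubscription -TenantId and Set-AzureRmContext cmdlets, whose objects expose their IDs as either Id or TenantId/SubscriptionId depending on the module release.

```powershell
# Added example: find the tenant that owns a subscription, then select that
# subscription together with its tenant so the tenant check cannot fail.
function Connect-AzureRmSubscriptionInTenant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [guid] $SubscriptionId
    )

    # Sign in without pinning a subscription; the session lands in a default tenant.
    Login-AzureRmAccount -ErrorAction Stop | Out-Null

    foreach ($tenant in Get-AzureRmTenant) {
        # Assumption: the property is named Id or TenantId depending on the AzureRM release.
        $tenantId = if ($tenant.Id) { $tenant.Id } else { $tenant.TenantId }

        # Subscriptions visible to this account inside this tenant only.
        # Tenants that refuse a token (for example, extra sign-in requirements) are skipped.
        $subs = Get-AzureRmSubscription -TenantId $tenantId -ErrorAction SilentlyContinue

        $match = $subs | Where-Object {
            $id = if ($_.Id) { $_.Id } else { $_.SubscriptionId }
            [string]$id -eq $SubscriptionId.ToString()
        }

        if ($match) {
            # Pass both IDs, as in the solution above.
            return Set-AzureRmContext -SubscriptionId $SubscriptionId.ToString() `
                                      -TenantId ([string]$tenantId)
        }
    }

    throw "Subscription $SubscriptionId was not found in any tenant visible to this account."
}

# Usage (placeholder value, replace with a real subscription Id):
# Connect-AzureRmSubscriptionInTenant -SubscriptionId '<subscription id>'
```

Set-AzureRmContext is used for the final step instead of a second Login-AzureRmAccount call so that the user is prompted for credentials only once.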
