Azure Service Principal Credential verification from command line (CLI)

Contents
- Overview
- Common Errors
- Cause
- Prerequisite
- Verification
- Additional Information

1. Overview

Azure Discovery sometimes fails with several errors at once, and it is hard to tell where the problem lies: the Azure credential, the ServiceNow Cloud API, the MID Server, or something else. This article shows how to verify the Azure credentials from the command line so that the credential can be ruled in or out and the issue narrowed down.

2. Common Errors

Failed to execute API - Failed with status code and message: 403: {"error":{"code":"AuthorizationFailed","message":"The client '572864c1-e43f-43b3-8770-d51eaa7db603' with object id '572864c1-e43f-43b3-8770-d51eaa7db603' does not have authorization to perform action 'Microsoft.Resources/subscriptions/locations/read' over scope '/subscriptions/51da9d66-1794-405e-b15f-6d9838208edd'."}} (script_include:CloudRESTAPIInvoker; line 122)

Here the credential authenticated (Azure identifies the client), but the service principal holds no role on the subscription that allows reading it. Discovery needs at least Reader at subscription scope.

java.lang.IllegalArgumentException: Invalid uri 'https://management.azure.com/subscriptions/ 6d1fadd8-05a4-4b22-9dec-5e7ca49f8674/resourcegroups?api-version=2015-01-01': escaped absolute path not valid

Note the space between "subscriptions/" and the ID: the Subscription ID was saved with a stray leading character, so the request URL is invalid and Discovery cannot recognise the subscription.

Custom operation Cloud REST - add response to context failed to execute script due to Custom operation Failed to run script due to the following error: JAVASCRIPT_CODE_FAILURE: com.snc.sw.exception.CommandFailureException: Failed to execute cloud request. Reason: SSLHandshakeException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (script_include:AzureApiCommand; line 58). Check the discovery logs for more details.

This last one is not a credential problem: the MID Server's Java runtime does not trust the certificate chain presented to it for management.azure.com, which typically means a TLS-inspecting proxy between the MID Server and Azure, or a CA certificate missing from the MID Server's keystore. The credential checks in this article will not clear it.

3. Cause

- The secret key (client secret) has expired.
- The secret key does not match the Application ID it was entered with.
- The Application ID and secret key are not known to the directory (for example, they belong to a different Directory ID or were mistyped).
- The service principal has no access to the Subscription ID, or has no Reader role on it.

4. Prerequisite

As described in the product documentation (Create a service account for Azure), configuring the Azure credential and Service Principal requires:

- Directory ID
- Application ID
- Application Key
- Subscription ID

The Subscription ID is used when configuring the Service Principal; the other three values are used for the Azure credential. A customer may have a parent subscription and several Application IDs, each with its own Application Key, so confirm which pair was entered in ServiceNow before verifying it.

5. Verification

Note: once the credential is saved in the ServiceNow Credentials table, the secret key is no longer visible and cannot be retrieved, so the customer must have all four values available for verification.

1. Log in to Azure Cloud Shell (if it is not available, the customer needs to install the Azure CLI).
2. Keep the Application ID (APP_ID) handy and run:

   az role assignment list --assignee APP_ID

3. Interpret the result:
   - No output (an empty list) means no roles have been assigned to the APP_ID.
   - Output that includes a "Reader" role assignment shows that the Reader role has been provided to the APP_ID.

By default the command shows only assignments scoped to the subscription currently selected in the shell (see az account show), which is the scope Discovery needs; make sure that is the subscription configured in ServiceNow, or pass --scope /subscriptions/SUBSCRIPTION_ID. Adding --all also shows assignments made on resource groups or individual resources, which are not sufficient for Discovery. Listing role assignments confirms only what is assigned; it does not prove that the secret key is correct or unexpired.

6. Additional information

Create an Azure service principal with Azure CLI [Microsoft]
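The checks in the Verification section, as an added worked example that is not part of this article or of Microsoft's documentation: a POSIX shell script for Azure Cloud Shell (or any host with the az CLI) that runs the article's az role assignment list --assignee APP_ID check and the two checks it cannot cover, whether the key actually authenticates and whether the Subscription ID is well formed. The script name verify_sp.sh, the verify subcommand and the placeholder GUIDs are assumptions of this example; the az commands and flags are real. The helper functions are pure, so they can be exercised on constructed listings without an Azure login.

```shell
#!/bin/sh
# Added example, not from the ServiceNow article or Microsoft's docs: verify an
# Azure service principal the way Discovery will use it. Run in Azure Cloud Shell
# (bash) or anywhere the az CLI is installed:
#   sh verify_sp.sh verify APP_ID APP_KEY DIRECTORY_ID SUBSCRIPTION_ID
# The four values are those entered in the ServiceNow credential and Service
# Principal records; the script name and "verify" subcommand are this example's.
set -eu
TAB=$(printf '\t')

# A Subscription ID must be a bare GUID. The "Invalid uri ... escaped absolute
# path not valid" error in the article is what a stray character (there, a leading
# space) in the stored ID does to the management.azure.com URL.
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Decide whether a role-assignment listing (one "roleName<TAB>scope" line per
# assignment, as produced by
#   az role assignment list ... --query "[].[roleDefinitionName, scope]" -o tsv)
# grants Reader on the whole subscription. Reader on the subscription itself, on
# a management group above it or on the root ("/") qualifies; Reader on a single
# resource group does not, because Discovery needs
# Microsoft.Resources/subscriptions/locations/read at subscription scope.
# Prints the qualifying scope and returns 0, or returns 1 if there is none.
reader_scope_for_subscription() {
    sub_scope="/subscriptions/$1"
    while IFS="$TAB" read -r role scope || [ -n "${role:-}" ]; do
        [ "${role:-}" = "Reader" ] || continue
        case "${scope:-}" in
            "$sub_scope"|/|/providers/Microsoft.Management/managementGroups/*)
                printf '%s\n' "$scope"
                return 0 ;;
        esac
    done
    return 1
}

# endDateTime from `az ad app credential list --id APP_ID` and
# `date -u +%Y-%m-%dT%H:%M:%SZ` are both ISO 8601 UTC, so a string comparison
# orders them correctly (to the second). 0 while the secret is valid, 1 if expired.
secret_still_valid() {
    awk -v expires="$1" -v now="$2" 'BEGIN { exit (expires > now) ? 0 : 1 }'
}

# Live checks, in the order Discovery would run into the errors listed above.
verify_service_principal() {
    app_id="$1"; app_key="$2"; tenant_id="$3"; sub_id="$4"
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    is_guid "$sub_id" || { echo "Subscription ID '$sub_id' is not a bare GUID" >&2; exit 1; }

    # 0. Key expiry. Reading the app registration needs directory rights that your
    #    own Cloud Shell login usually has and the principal usually lacks, so it
    #    runs first. Any still-valid secret passes (several may be registered).
    if ends=$(az ad app credential list --id "$app_id" \
                --query "[].endDateTime" -o tsv 2>/dev/null); then
        valid=0
        for end in $ends; do secret_still_valid "$end" "$now" && valid=1; done
        [ "$valid" = 1 ] || { echo "no unexpired client secret on $app_id" >&2; exit 1; }
    else
        echo "skipping expiry check (cannot read app registration $app_id)" >&2
    fi

    # 1. Does the Application ID / key pair authenticate? This separates the
    #    "wrong or expired key" and "unknown application" causes; on failure az
    #    prints the AADSTS code from Entra ID (e.g. AADSTS7000215 invalid client
    #    secret, AADSTS700016 application not found in the directory).
    az login --service-principal -u "$app_id" -p "$app_key" --tenant "$tenant_id" \
        --allow-no-subscriptions -o none
    echo "login OK: key matches application $app_id in tenant $tenant_id"

    # 2. Reader on the subscription: the article's `az role assignment list
    #    --assignee APP_ID`, pinned to the ServiceNow subscription and including
    #    assignments inherited from management groups. A principal with no access
    #    at all cannot even list them, which lands in the same branch.
    if scope=$(az role assignment list --assignee "$app_id" \
                 --scope "/subscriptions/$sub_id" --include-inherited \
                 --query "[].[roleDefinitionName, scope]" -o tsv |
               reader_scope_for_subscription "$sub_id"); then
        echo "Reader granted at scope $scope"
    else
        echo "no Reader on /subscriptions/$sub_id; grant it with:" >&2
        echo "  az role assignment create --assignee $app_id --role Reader --scope /subscriptions/$sub_id" >&2
        exit 1
    fi

    # 3. The exact request behind the 403 in the article:
    #    Microsoft.Resources/subscriptions/locations/read on the subscription.
    az rest --method get \
        --url "https://management.azure.com/subscriptions/$sub_id/locations?api-version=2020-01-01" \
        --query "length(value)" -o tsv | sed 's/^/locations readable as the principal: /'
}

case "${1:-}" in
    verify)
        shift
        [ "$#" -eq 4 ] || { echo "usage: $0 verify APP_ID APP_KEY DIRECTORY_ID SUBSCRIPTION_ID" >&2; exit 2; }
        verify_service_principal "$@" ;;
esac
```

Run step 0 while still signed in as yourself: az login --service-principal replaces the Cloud Shell session with the principal's, so az logout and sign back in afterwards. Passing the key on the command line leaves it in shell history; clear that after a live run.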