azure-powershell
Keyvault Certificate Contact powershell doesn't work
Description
Unable to add, get, or remove email addresses using the Add-AzKeyVaultCertificateContact cmdlet.
If I run the cmd:
Add-AzKeyVaultCertificateContact -VaultName mykvt01
It will prompt for an email address to add. It continually asks for more and more emails. As soon as you don't put an email in, it will fail with object reference not set to an instance of an object.
I cannot even use the Get-AzKeyVaultCertificateContact cmdlet to see emails already added manually by the GUI.
Issue script & Debug output
PS C:\Users\david> $DebugPreference='Continue'
PS C:\Users\david> Add-AzKeyVaultCertificateContact -VaultName mykvt01
cmdlet Add-AzKeyVaultCertificateContact at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
EmailAddress[0]: [email protected]
EmailAddress[1]: [email protected]
EmailAddress[2]: [email protected]
EmailAddress[3]:
DEBUG: 9:20:10 AM - AddAzureKeyVaultCertificateContact begin processing with ParameterSet 'Interactive'.
DEBUG: 9:20:10 AM - using account id '[email protected]'...
DEBUG: 9:20:10 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:10 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', Authorit
yHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(
af01d8a5-854e-4e60-aa0c-27cdf07f0be3)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3]
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - af01d8a5-854e-4e60-aa0c-27cdf07f0be3
UserAssertion set: False
LongRunningOboCacheKey set: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] === Token Acquisition (SilentRequest) started:
Scopes: https://vault.azure.net/.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Access token is not expired. Returning the found cache entry. [Cur
rent time (09/20/2022 23:20:10) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https:/
/vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 34311014
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0
Headers:
x-ms-client-request-id : 7c6db135-411f-4d53-be5e-936911d98356
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-keyvault-region : Australia East
x-ms-client-request-id : 7c6db135-411f-4d53-be5e-936911d98356
x-ms-request-id : e804065f-1feb-4c3d-9e00-aac131c9eb62
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000;includeSubDomains
Cache-Control : no-cache
Date : Tue, 20 Sep 2022 23:20:10 GMT
Body:
{
"error": {
"code": "Forbidden",
"message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9
f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/f
wlink/?linkid=2125287",
"innererror": {
"code": "AccessDenied"
}
}
}
DEBUG: 9:20:11 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Add-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Add-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzKeyVaultCertificateContact], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact
DEBUG: 9:20:11 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Add-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.3332798; Exception: Object refere
nce not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:11 AM - AddAzureKeyVaultCertificateContact end processing.
PS C:\Users\david> Get-AzKeyVaultCertificateContact -VaultName mykvt01
DEBUG: 9:20:18 AM - GetAzureKeyVaultCertificateContact begin processing with ParameterSet 'VaultName'.
DEBUG: 9:20:18 AM - using account id '[email protected]'...
DEBUG: 9:20:18 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:18 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', Authorit
yHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(
e758ed88-c377-492a-b7c4-7e555425f06d)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d]
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - e758ed88-c377-492a-b7c4-7e555425f06d
UserAssertion set: False
LongRunningOboCacheKey set: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] === Token Acquisition (SilentRequest) started:
Scopes: https://vault.azure.net/.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Access token is not expired. Returning the found cache entry. [Cur
rent time (09/20/2022 23:20:18) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https:/
/vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 44880374
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0
Headers:
x-ms-client-request-id : 05635e96-057b-47a7-aj30-5dd35g0lc9dc
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-keyvault-region : Australia East
x-ms-client-request-id : 05635e96-057b-47a7-aj30-5dd35g0lc9dc
x-ms-request-id : 6019c7c7-88c4-49f9-ac43-bc7bj7j2c243
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000;includeSubDomains
Cache-Control : no-cache
Date : Tue, 20 Sep 2022 23:20:18 GMT
Body:
{
"error": {
"code": "Forbidden",
"message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9
f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/f
wlink/?linkid=2125287",
"innererror": {
"code": "AccessDenied"
}
}
}
DEBUG: 9:20:18 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Get-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzKeyVaultCertificateContact], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact
DEBUG: 9:20:18 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Get-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.2130717; Exception: Object refere
nce not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:18 AM - GetAzureKeyVaultCertificateContact end processing.
PS C:\Users\david> Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress [email protected]
DEBUG: 9:20:23 AM - RemoveAzureKeyVaultCertificateContact begin processing with ParameterSet 'ByName'.
DEBUG: 9:20:23 AM - using account id '[email protected]'...
DEBUG: 9:20:23 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:23 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', Authorit
yHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(
23b9190b-2909-4224-8dfb-c738237fdd97)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97]
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 23b9190b-2909-4224-8dfb-c738237fdd97
UserAssertion set: False
LongRunningOboCacheKey set: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] === Token Acquisition (SilentRequest) started:
Scopes: https://vault.azure.net/.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Access token is not expired. Returning the found cache entry. [Cur
rent time (09/20/2022 23:20:23) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https:/
/vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 7836102
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0
Headers:
x-ms-client-request-id : ae4cc7a0-8a60-4e99-bdcc-14279b7fb95a
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-keyvault-region : Australia East
x-ms-client-request-id : ae4cc7a0-8a60-4e99-bdcc-14279b7fb95a
x-ms-request-id : 25158a45-6f0f-4c95-aaac-b35256c56d4d
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000;includeSubDomains
Cache-Control : no-cache
Date : Tue, 20 Sep 2022 23:20:23 GMT
Body:
{
"error": {
"code": "Forbidden",
"message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9
f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/f
wlink/?linkid=2125287",
"innererror": {
"code": "AccessDenied"
}
}
}
DEBUG: 9:20:23 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Remove-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Remove-AzKeyVaultCertificateContact], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact
DEBUG: 9:20:23 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Remove-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.1453243; Exception: Object ref
erence not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:23 AM - RemoveAzureKeyVaultCertificateContact end processing.
Environment data
PS C:\Users\david> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.19041.1682
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1682
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
PS C:\Users\david> Get-Module Az*
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 2.10.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script 4.7.0 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}
Error output
PS C:\Users\david> Resolve-AzError
DEBUG: 9:22:00 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 9:22:00 AM - using account id '[email protected]'...
DEBUG: 9:22:00 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
HistoryId: 10
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Remove-AzKeyVaultCertificateContact}
Line : Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress [email protected]
Position : At line:1 char:1
+ Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 10
HistoryId: 9
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Get-AzKeyVaultCertificateContact}
Line : Get-AzKeyVaultCertificateContact -VaultName mykvt01
Position : At line:1 char:1
+ Get-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 9
HistoryId: 8
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Add-AzKeyVaultCertificateContact}
Line : Add-AzKeyVaultCertificateContact -VaultName mykvt01
Position : At line:1 char:1
+ Add-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 8
HistoryId: 4
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Remove-AzKeyVaultCertificateContact}
Line : Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress [email protected]
Position : At line:1 char:1
+ Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 4
HistoryId: 3
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Get-AzKeyVaultCertificateContact}
Line : Get-AzKeyVaultCertificateContact -VaultName mykvt01
Position : At line:1 char:1
+ Get-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 3
HistoryId: 2
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Add-AzKeyVaultCertificateContact}
Line : Add-AzKeyVaultCertificateContact -VaultName mykvt01
Position : At line:1 char:1
+ Add-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 2
The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
DEBUG: 9:22:00 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.10.0; CommandName: Resolve-AzError; PSVersion: 5.1.19041.1682; IsSuccess: True; Duration: 00:00:00.1197280
DEBUG: Finish sending metric.
DEBUG: 9:22:01 AM - ResolveError end processing.
@BethanyZhou, please look into this issue.
According to the service return, the current user doesn't have sufficient permission to manage contacts. However, we need to ensure the error message shows up on the console rather than showing a null reference error.
Hi @B0na5, @dingmeng-xue is right, according to the error message from the response
"message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9
f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast
please add permission Manage Contact for the user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047 by Set-AzKeyVaultAccessPolicy -PermissionsToCertificates managecontacts -VaultName mykvt01 -ResourceGroupName <rgName> -...
Will investigate a more friendly way to show the error message in the next step.
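The fix suggested in the last comment, as an added example (not code from the thread or from the Az module): it reads the denied principal and permission out of the Forbidden message and grants that permission while keeping the certificate permissions the principal already holds. The function names are hypothetical, and the sample message is abridged from the response body shown in the debug output (the `iss` field is omitted).

```powershell
# Added example. Requires Az.KeyVault and a signed-in context whose account
# is allowed to change the vault's access policies.

function Get-KeyVaultDeniedPermission {
    # Pull the principal, permission and vault name out of a Key Vault "Forbidden" message.
    param([Parameter(Mandatory)][string]$Message)

    $pattern = "oid=(?<oid>[0-9a-fA-F-]{36}).*does not have (?<type>\w+) " +
               "(?<perm>\w+) permission on key vault '(?<vault>[^;']+)"
    if ($Message -notmatch $pattern) { return $null }

    [pscustomobject]@{
        ObjectId   = $Matches['oid']
        ObjectType = $Matches['type']   # certificates / keys / secrets
        Permission = $Matches['perm']   # managecontacts in this thread
        VaultName  = $Matches['vault']
    }
}

function Add-KeyVaultCertificatePermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$Permission
    )

    $vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction Stop
    if (-not $vault) { throw "Key vault '$VaultName' not found in the current subscription." }
    if ($vault.EnableRbacAuthorization) {
        throw "Vault '$VaultName' uses Azure RBAC; an access policy entry would not be evaluated."
    }

    # Certificate permissions the principal already holds (empty if it has no policy entry).
    $current = @($vault.AccessPolicies |
        Where-Object { $_.ObjectId -eq $ObjectId } |
        ForEach-Object { $_.PermissionsToCertificates })

    if ($current -contains $Permission -or $current -contains 'all') {
        Write-Verbose "'$ObjectId' already has certificates '$Permission' on '$VaultName'."
        return
    }

    # -PermissionsToCertificates replaces the principal's certificate permission list,
    # so pass the existing entries plus the new one rather than the new one alone.
    $merged = @($current + $Permission |
        ForEach-Object { $_.ToLowerInvariant() } |
        Select-Object -Unique)

    if ($PSCmdlet.ShouldProcess($VaultName, "grant certificates [$($merged -join ', ')] to $ObjectId")) {
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $ObjectId `
            -PermissionsToCertificates $merged
    }
}

# Sample input: abridged from the response body in the thread.
$sample = "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;" +
          "oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10' does not have certificates " +
          "managecontacts permission on key vault 'mykvt01;location=AustraliaEast'."

$denied = Get-KeyVaultDeniedPermission -Message $sample
if ($denied -and $denied.ObjectType -eq 'certificates') {
    # -WhatIf previews the change; drop it to apply.
    Add-KeyVaultCertificatePermission -VaultName $denied.VaultName `
        -ObjectId $denied.ObjectId -Permission $denied.Permission -WhatIf
}
```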