MECM — Adding an Azure Service web app always fails on sign in
While preparing to set up a Cloud Management Gateway (CMG) in a lab environment, I came across an odd scenario where the Azure Services Wizard was unable to log in to my Azure tenancy properly and continue with the setup wizard.
Within the MECM Console, I had navigated to Administration > Overview > Cloud Services > Azure Services and started to configure a new Azure Service. When configuring the Web app you are prompted to ‘Sign in…’ using an Azure AD Admin Account. After completing the sign-in process successfully in the web window that appears, the following message appeared:

Failed to Create Client App. Server app might not be present in the tenant specified. For More details you can refer to the AdminUILog.
In the above screenshot I was attempting to set up a web app for the Cloud Management service, but I found that exactly the same error occurred regardless of the type of Azure Service I was trying to set up (e.g. Desktop Analytics).
Following the error message instructions, the SmsAdminUI.log showed these lines:

System.Net.WebException
The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
System.InvalidOperationException
Failed to sign in to Azure.The remote server returned an error: (403) Forbidden.
   at Microsoft.ConfigurationManagement.AdminConsole.CloudServicesManagement.AAD.AADDataHandler.RetrieveTenantDetailsFromAzureLoginCredentials()
I verified that my account was both an Azure Global Admin and, just to be sure, was the Owner of at least one Subscription, and that there was a valid live subscription available.
Searching around on the internet, I found one other person who had come across (and shared) this exact same error before, in a Reddit thread. One of the comments in that thread mentioned creating a new account in Azure AD and using that to sign in instead. It worked perfectly.
I have not been able to work out why I cannot use the original account to sign in to Azure through MECM. Even today I still cannot use that account. The issue appears to be with the Azure side of things, as I have retried in new MECM environments and the issue remains with that account/tenancy.