Azure Stack subscription validation is part of the Azure Stack Readiness Checker tool known as (AzsReadinessChecker). You can use that tool to validate your Azure subscription before you begin an Azure Stack deployment, so you can make sure that your Azure subscription is ready to use with Azure Stack. The Readiness Checker Tool validates the following:
- The Azure subscription you use is a supported type. Subscriptions must be a Cloud Service Provider (CSP) or Enterprise Agreement (EA).
- The account you use to register your subscription with Azure can sign in to Azure and is a subscription owner.
For more information about Azure Stack registration, please check Register Azure Stack with Azure.
The other day, I was preparing for an Azure Stack Integrated Systems deployment and I am going through all the validation steps before I begin with the actual deployment.
When I ran the Invoke-AzsRegistrationValidation command against my Azure subscription, I received the following error message:
Invoke-AzsRegistrationValidation v1.1811.1101.1 started.
Checking Registration Requirements: Fail
Get-AzureSubscriptionDetail threw an error: A parameter cannot be found that matches parameter name ‘function’.
Additional help URL https://aka.ms/AzsRemediateRegistration
Log location (contains PII): C:\Users\AZURES~1\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
Report location (contains PII): C:\Users\AZURES~1\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
As noted in the error message, I followed all the validation failures as documented by Microsoft here, but none of them addresses my issue.
Finding the cause
As part of the validation, the Azure Stack Readiness Checker tool check the account that you will use to register Azure Stack with Azure that can sign in to Azure and is a subscription owner.
My account has a full owner on the Azure subscription and I can sign to Azure. I also disabled multi-factor authentication (MFA) for that account for testing purposes but still, the validation keeps failing.
After reviewing the role definition for that user by running the following PowerShell script, I find out that the Get-AzureRmRoleAssigment command did not return any results.
$subscriptionId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX' Login-AzureRmAccount -Subscription $subscriptionId $context = Get-AzureRmContext Get-AzureRmSubscription Get-AzureRmTenant $objectId = (Get-AzureRmADUser -UserPrincipalName $context.Account.id).id Get-AzureRmRoleAssignment -objectid $objectid.Guid -Scope "/subscriptions/$subscriptionId"
The account I am using to validate Azure subscription is a member of an Azure AD Security Group, and that group is an owner on that subscription!
I ran the Get-AzureRmRoleAssigment against the AAD security group this time and I got the role definition which is Owner as expected. So what is the issue with that account?
Fixing the issue
At the time of this writing, if you encountered this issue, you need to add the account you use to validate Azure Stack registration on the Azure subscription directly as owner, and NOT the Azure AD Security Group as subscription owner. I don’t know why that could be an issue as of today…
After adding that account directly on the Azure subscription as owner, the validation passed as shown in the next screenshot.
Last but eventually not least, Microsoft is actively working and investigating this issue to determine the root cause and find a permanent solution.
Thanks to the Azure Stack team for their help in getting to the bottom of this.
Hope this helps someone out there!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.