ManagedIdentityCredential authentication failed for Azure Automation Account with PowerShell script

Jane Illarionova 1 Reputation point Microsoft Employee
2025-08-28T22:01:24.1733333+00:00

I have a PowerShell runbook set up in an Azure Automation account with a system-assigned managed identity. I have given the managed identity Owner, Contributor, and DocumentDB Contributor permissions on the Cosmos DB account I'm trying to connect to.

The script tries to get a token like this:

Connect-AzAccount -Identity                                  # sign in as the system-assigned managed identity
$AzureContext = Set-AzContext -SubscriptionId <sub-id>       # select the target subscription
...
$token = $(Get-AzAccessToken -ResourceUrl $Endpoint).Token   # request a token for the Cosmos DB endpoint

And fails with the following error:

Get-AzAccessToken: Line |
  18 | $token = $(Get-AzAccessToken -ResourceUrl $Endpoint).Token
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ManagedIdentityCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy.
     | (The operation was cancelled because it exceeded the configured timeout of 0:01:40. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.)
     | (The operation was cancelled because it exceeded the configured timeout of 0:01:40. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.)
     | (The operation was cancelled because it exceeded the configured timeout of 0:01:40. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.)
     | (The operation was cancelled because it exceeded the configured timeout of 0:01:40. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.)
     | See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

1 answer

  1. Suwarna S Kale 3,956 Reputation points
    2025-08-29T01:50:21.77+00:00

    Hello Jane Illarionova,

    Thank you for posting your question in the Microsoft Q&A forum. 

    This error indicates a failure in the managed identity authentication flow, specifically a timeout when the Get-AzAccessToken cmdlet attempts to retrieve a token for the Cosmos DB endpoint. The issue is not directly related to your RBAC permissions (Owner, Contributor, etc.), as those are correct for data plane access once you have a token. The problem lies in the network connectivity or configuration between your Azure Automation runbook and the managed identity endpoint. 

    The primary cause is likely a network-related timeout when your runbook attempts to contact the local metadata service (169.254.169.254) to retrieve the managed identity token. This often occurs in Azure Automation if the runbook is running in a sandbox that has restricted outbound connectivity or if there are explicit network restrictions on the Cosmos DB account. 

    To resolve this, you may consider the following steps: 

    1. Use Cosmos DB Cmdlets Directly: Instead of manually retrieving a token, use the Az.CosmosDB PowerShell cmdlets (e.g., Get-AzCosmosDBAccount, New-AzCosmosDBAccount) which automatically handle authentication using the managed identity context you established with Connect-AzAccount -Identity. This is the most robust and recommended approach. 
    2. Check Network Restrictions: If your Cosmos DB account has firewall settings enabled, you must allow access from Azure services. Ensure the "Allow access from Azure portal" and "Allow access from my IP" settings are configured appropriately or add the outbound IPs of the Azure Automation service (which can be found in the Automation account's properties under "Outgoing IP Addresses"). 
    3. Use Resource-Specific Endpoint: For Get-AzAccessToken, ensure the -ResourceUrl is the correct Cosmos DB resource endpoint. For Cosmos DB, the resource URL should be https://cosmos.azure.com (the global data plane endpoint) or the specific endpoint for your account if using a national cloud. Using the wrong resource URL will cause authentication failures. 
    4. Leverage Azure Private Link: If your Automation account and Cosmos DB are in a virtual network with strict NSG rules, ensure that the managed identity endpoint is reachable. You may need to use Private Link for Cosmos DB and configure proper DNS resolution to avoid public network timeouts. 

    By addressing these connectivity and configuration issues, you should be able to resolve the timeout and successfully authenticate using the system-assigned managed identity. 


    Please let me know if the response helps answer your question. If the above answer helped, please do not forget to "Accept Answer", as this may help other community members refer to the info if facing a similar issue. 🙂 
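The following runbook fragment is an added diagnostic example, not code from the question or the answer above. It separates the three failure modes that get conflated in threads like this one: the token request never reaching the identity endpoint (which is what a 1:40 timeout repeated four times indicates; a Cosmos DB firewall rule would instead return a 403 from the Cosmos DB endpoint after a token was obtained), a token minted for the wrong audience, and a token that is valid but carries no Cosmos DB data-plane role. It assumes PowerShell 7 with Az.Accounts and Az.CosmosDB imported, a hypothetical account `mycosmosacct` in resource group `my-rg`, and that `Connect-AzAccount -Identity` has already run. Inside the Automation sandbox the token service is published through the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables; the `169.254.169.254` Instance Metadata Service is what a Hybrid Runbook Worker on an Azure VM uses. Once the raw request below succeeds, `Get-AzAccessToken -ResourceUrl 'https://cosmos.azure.com'` should succeed against the same endpoint.

```powershell
# Added example, not code from the original question or answer.
# Hypothetical names: Cosmos DB account 'mycosmosacct' in resource group 'my-rg'.
# Assumes PowerShell 7, Az.Accounts + Az.CosmosDB, and Connect-AzAccount -Identity already done.
$Audience      = 'https://cosmos.azure.com'   # Cosmos DB data-plane token audience
$AccountName   = 'mycosmosacct'               # hypothetical
$ResourceGroup = 'my-rg'                      # hypothetical
$DataEndpoint  = "https://$AccountName.documents.azure.com"

# 1. Ask the identity endpoint directly with a short timeout, so that
#    "endpoint unreachable" is distinguishable from "wrong audience" or
#    "no data-plane role". Sandbox runbooks get IDENTITY_ENDPOINT/IDENTITY_HEADER;
#    a Hybrid Runbook Worker on an Azure VM falls back to IMDS.
function Get-ManagedIdentityTokenRaw {
    param([Parameter(Mandatory)][string]$Resource)
    $encoded = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER) {
        $uri     = "$($env:IDENTITY_ENDPOINT)?resource=$encoded"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER; 'Metadata' = 'True' }
    } else {
        $uri     = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$encoded"
        $headers = @{ 'Metadata' = 'true' }
    }
    try {
        return (Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -TimeoutSec 10).access_token
    } catch {
        throw "Identity endpoint '$uri' unreachable or rejected the request: $($_.Exception.Message)"
    }
}

# 2. Decode the JWT payload offline: 'aud' must be the audience we asked for,
#    and 'oid' is the principal id a data-plane role assignment must target.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# 3. Owner / Contributor / DocumentDB Account Contributor are ARM (control-plane)
#    roles. Reading and writing documents with an AAD token requires a Cosmos DB
#    SQL role assignment on the account (built-in Data Contributor ends in ...0002,
#    Data Reader in ...0001). Grant it if the identity does not have one yet.
function Grant-CosmosDataRole {
    param([Parameter(Mandatory)][string]$PrincipalId)
    $have = Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroup -AccountName $AccountName |
            Where-Object { $_.PrincipalId -eq $PrincipalId }
    if ($have) { return $have }
    $params = @{
        ResourceGroupName = $ResourceGroup
        AccountName       = $AccountName
        RoleDefinitionId  = '00000000-0000-0000-0000-000000000002'   # built-in Data Contributor
        Scope             = '/'                                      # whole account
        PrincipalId       = $PrincipalId
    }
    return New-AzCosmosDBSqlRoleAssignment @params
}

# 4. Prove the token works end to end by listing databases through the Cosmos DB
#    REST API. AAD tokens are sent as Authorization: type=aad&ver=1.0&sig=<token>,
#    URL-encoded, with the usual x-ms-date / x-ms-version headers.
function Get-CosmosDatabases {
    param([Parameter(Mandatory)][string]$Token)
    $headers = @{
        'Authorization' = [uri]::EscapeDataString("type=aad&ver=1.0&sig=$Token")
        'x-ms-date'     = [DateTime]::UtcNow.ToString('r')
        'x-ms-version'  = '2018-12-31'
    }
    return (Invoke-RestMethod -Uri "$DataEndpoint/dbs" -Method Get -Headers $headers).Databases
}

$token  = Get-ManagedIdentityTokenRaw -Resource $Audience
$claims = ConvertFrom-JwtPayload -Jwt $token
Write-Output "aud=$($claims.aud) oid=$($claims.oid) exp=$([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"
if ($claims.aud.TrimEnd('/') -ne $Audience) {
    throw "Token audience is '$($claims.aud)', expected '$Audience'"
}
Grant-CosmosDataRole -PrincipalId $claims.oid | Out-Null
Write-Output ("Databases: " + ((Get-CosmosDatabases -Token $token | ForEach-Object { $_.id }) -join ', '))
```

If step 1 throws after 10 seconds, no amount of role work will help; the runbook's worker cannot reach its token service (check whether the job runs in the sandbox or on a Hybrid Runbook Worker, and what the worker's outbound path looks like). If step 1 succeeds but step 4 returns 403, the token is fine and either the data-plane role assignment or the Cosmos DB firewall is the problem. Granting a data-plane role in step 3 is itself a control-plane write, so the runbook's identity needs the ARM permission to do it; in production you would normally perform that assignment once, from a separate administrative context, rather than have the runbook grant itself access.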

