10

I'm trying to authenticate Powershell script against the AD Account (as per this guide):

$userName = "username@mydomain.com"
# Plain-text password wrapped as a SecureString, since PSCredential requires one
$securePassword = ConvertTo-SecureString -String "myPassword1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)
# Non-interactive sign-in to the Azure account with the stored credential
Add-AzureAccount -Credential $cred

However I'm getting error:

Add-AzureAccount : unknown_user_type: Unknown User Type
At line:2 char:1
+ Add-AzureAccount -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureAccount], AadAuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.AddAzureAccount

And it does not matter what I type into the username/password, even "adsfasdf" for both username and password give me the same result.

Anybody had and fixed this problem before?

trailmax
  • Is `mydomain.com` configured as a federated domain in Azure AD? Also, can you log into the [portal](https://portal.azure.com) with `username@mydomain.com`? – BenV Mar 03 '15 at 14:28
  • Yes, I can login with the provided credentials. And if I go for `Add-UserAccount` and wait for the popup asking for credentials, same username/pass pair works there. – trailmax Mar 03 '15 at 14:32
  • I get the error "unknown_user_type: Unknown User Type" if I specify an invalid domain. Are you sure the domain is valid? Does the username contain any special characters? – Martin Brandl Mar 04 '15 at 12:34
  • stupid q: tried it without converting it to a securestring? – techmike2kx Mar 08 '15 at 18:16
  • @jisaak yes, domain is valid 100% I copy-paste username/password from the script into interactive window and it authenticates me. – trailmax Mar 09 '15 at 16:01
  • @techmike2kx no luck - the script requires secure string: `Cannot convert the "MyPassword" value of type "System.String" to type "System.Security.SecureString".` – trailmax Mar 09 '15 at 16:03
  • I get this same error when I use my MSaccount against a subscription that was created by someone with an OrgID. It is possible that your email address is associated with both an OrgID and a LiveID? When you attempt to login using Powershell it may default to the LiveID and your account is rejected. Sad to say, but you may need to associate your LiveID with an email address that is different than your OrgID to do this with Powershell; I have not had any luck (even with Premier support help) in getting a dual-associated email address to work against an OrgID subscription via Powershell. – JonnyG Apr 28 '15 at 13:38
  • In my case I needed OrgId, but I was trying to work with a personal account. – trailmax Apr 28 '15 at 15:02
  • @trailmax Please share the solution. – Nullpointer Jan 04 '16 at 06:36
  • @RaviG. Sorry, I did not find a solution, I abandoned this and found a completely different work-around. But MS support claimed that this was because I used LiveID, not user created inside Azure AD - that might help. – trailmax Jan 04 '16 at 11:38
  • @trailmax I've also used my company ID but getting "Unknown User Type" error. – Nullpointer Jan 04 '16 at 13:10
  • @RaviG. Sorry, can't help with that - I never solved this problem. – trailmax Jan 04 '16 at 14:31

4 Answers

1

For anyone coming to this question, I am providing the analysis which resolved a similar issue in my environment. I am also taking into account the very helpful comments on the original question in the response below.

  1. Do check that you are able to use these credentials to manually log into the Azure portal.
  2. Ensure that the account you are using is an Organizational account. Microsoft has a security restriction whereby you can't log in using your Microsoft Account (earlier known as Live ID) which you use for various other purposes and sites. This organizational account must be separate from the Microsoft account.

Read more about the requirement regarding Organization account here on official Microsoft published document: Windows Azure Organizational Accounts FAQ

Aman Sharma
  • There is also an issue open to improve the error message when #2 occurs. [Azure PowerShell issue](https://github.com/Azure/azure-powershell/issues/2915) – TravisEz13 Jan 09 '17 at 23:55
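The answer and comments above boil down to one question: is the UPN an organizational (Azure AD) account or a Microsoft account? Here is an added pre-flight check for that, written for this page and not part of the original post or of any Microsoft tool. It assumes the user-realm discovery endpoint `https://login.microsoftonline.com/common/userrealm/<upn>?api-version=1.0` and its `account_type` field (the lookup ADAL performs before a credential-based sign-in); the function names and the sample JSON responses are constructed.

```powershell
# Added example; not code from the original question or answers.
# Asks Azure AD's user-realm discovery endpoint what kind of account a UPN is
# before a non-interactive Add-AzureAccount / Connect-AzureAD is attempted.
# Assumptions (not from the page): the endpoint URL, its 'account_type' field,
# and the function names below.

function Get-UserRealm {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Constructed JSON for offline use; omit it to query the live endpoint.
        [string]$OfflineJson
    )
    if ($OfflineJson) { return ($OfflineJson | ConvertFrom-Json) }
    $encoded = [uri]::EscapeDataString($UserPrincipalName)
    $uri = "https://login.microsoftonline.com/common/userrealm/$encoded?api-version=1.0"
    return Invoke-RestMethod -Uri $uri -Method Get
}

function Test-OrganizationalAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$OfflineJson
    )
    # A bare SAM name or a typo in the domain never resolves to a realm; fail early.
    if ($UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "'$UserPrincipalName' is not a UPN of the form user@domain."
    }
    $realm = Get-UserRealm -UserPrincipalName $UserPrincipalName -OfflineJson $OfflineJson
    switch ($realm.account_type) {
        'Managed'   { return $true }   # cloud-only Azure AD (organizational) account
        'Federated' { return $true }   # organizational account authenticated via on-prem federation
        default {
            $msg = "{0}: account_type is '{1}'. Not an organizational account (Microsoft account / Live ID, " +
                   "or a domain unknown to Azure AD); a credential-based sign-in will fail with unknown_user_type."
            Write-Warning ($msg -f $UserPrincipalName, $realm.account_type)
            return $false
        }
    }
}

# --- Constructed sample responses, not captured from a real tenant ---
$managedJson  = '{"ver":"1.0","account_type":"Managed","domain_name":"mydomain.com","cloud_instance_name":"microsoftonline.com"}'
$consumerJson = '{"ver":"1.0","account_type":"Unknown","domain_name":"outlook.com","cloud_instance_name":"microsoftonline.com"}'

Test-OrganizationalAccount -UserPrincipalName 'username@mydomain.com' -OfflineJson $managedJson
Test-OrganizationalAccount -UserPrincipalName 'someone@outlook.com'   -OfflineJson $consumerJson
```

In a real script, drop `-OfflineJson` so the live endpoint is queried, and only build the `PSCredential` and call `Add-AzureAccount -Credential $cred` when `Test-OrganizationalAccount` returns `$true`; the warning then tells you up front that you are holding a Microsoft account (or an unregistered domain) rather than the opaque "Unknown User Type" after the fact.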
0

I was trying to change the password for a B2C user.

I was using a .NET solution that uses the Graph API library.

But when I ran the password-change tests I got the message "Unknown User Type".

To fix the error, I changed the username value in the password-change request to the value of the "userPrincipalName" property instead of the "username" sign-in name. This property can be seen in the classic Azure portal or via the Graph API:

{
  "odata.type": "Microsoft.DirectoryServices.User",
  "objectType": "User",
  "objectId": "xxxxxxxxxxxxxxxxxxxx",
  "deletionTimestamp": null,
  "accountEnabled": true,
  "signInNames": [
    { "type": "userName", "value": "joeconsumer" }
  ],
  "userPrincipalName": "123c89f2-002d-40e9-934e-065f171b3ca5@xxxxxx.onmicrosoft.com",
  "userType": "Member"
}

I hope this helps you
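The distinction this answer draws, the friendly `signInNames` value versus the GUID-style `userPrincipalName`, is easy to get backwards in automation. The following added example, written for this page and not taken from the answer's .NET solution, resolves a B2C local account's sign-in name to its UPN and addresses the password change to that UPN. It assumes the Azure AD Graph 1.6 API (the `signInNames/any(...)` `$filter` and a `PATCH users/{upn}` with a `passwordProfile` body), that the caller already holds a bearer token, and uses function names of our own; the sample response is constructed from the JSON shown in the answer.

```powershell
# Added example; not code from the original answer.
# Assumptions (not from the page): Azure AD Graph 1.6 endpoints and body shape,
# a caller-supplied access token, and the function names below.

function Resolve-B2CUserPrincipalName {
    param(
        [Parameter(Mandatory)][string]$Tenant,        # e.g. xxxxxx.onmicrosoft.com
        [Parameter(Mandatory)][string]$SignInName,    # what the user types, e.g. 'joeconsumer'
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$OfflineJson                          # constructed response for offline use
    )
    if ($OfflineJson) {
        $result = $OfflineJson | ConvertFrom-Json
    } else {
        $escaped = $SignInName.Replace("'", "''")     # OData string-literal escaping
        $filter  = [uri]::EscapeDataString("signInNames/any(x:x/value eq '$escaped')")
        $uri     = "https://graph.windows.net/$Tenant/users?api-version=1.6&`$filter=$filter"
        $result  = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    }
    $users = @($result.value)
    if ($users.Count -ne 1) {
        throw "Expected exactly one user for sign-in name '$SignInName', got $($users.Count)."
    }
    # This is the identifier Graph wants for user operations, not the friendly sign-in name.
    return $users[0].userPrincipalName
}

function Set-B2CUserPassword {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [Parameter(Mandatory)][string]$AccessToken
    )
    if ($UserPrincipalName -notmatch '@') {
        throw "'$UserPrincipalName' is a sign-in name, not a userPrincipalName; resolve it first."
    }
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $body  = @{ passwordProfile = @{ password = $plain; forceChangePasswordNextLogin = $false } } | ConvertTo-Json
    $uri   = "https://graph.windows.net/$Tenant/users/$([uri]::EscapeDataString($UserPrincipalName))?api-version=1.6"
    Invoke-RestMethod -Uri $uri -Method Patch -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
}

# --- Constructed sample, built from the JSON in the answer above; not a live response ---
$sampleResponse = @'
{ "value": [ {
    "objectId": "xxxxxxxxxxxxxxxxxxxx",
    "accountEnabled": true,
    "signInNames": [ { "type": "userName", "value": "joeconsumer" } ],
    "userPrincipalName": "123c89f2-002d-40e9-934e-065f171b3ca5@xxxxxx.onmicrosoft.com",
    "userType": "Member" } ] }
'@

$upn = Resolve-B2CUserPrincipalName -Tenant 'xxxxxx.onmicrosoft.com' -SignInName 'joeconsumer' `
           -AccessToken 'offline-placeholder' -OfflineJson $sampleResponse
$upn
```

With a real token, pass `$upn` (never the raw `joeconsumer`) to `Set-B2CUserPassword`; the guard in that function rejects a bare sign-in name so the mismatch the answer describes is caught before the request is sent.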

0

To elaborate on the UPN issue in this post, I just started using Azure AD myself and was receiving this error. What they mean by "Using the userPrincipalName" is actually as silly and easy as it sounds. I was trying to use connect-azuread with stored credentials and receiving this same error. What I found was the connection was failing when using as the login. Once I changed it to username@tenantdomain.com I was able to automate the connection.

I hope this is helpful as it solved my issue right away!

  • What do you mean, can you elaborate more? The user of the question already tried "$userName = "username@mydomain.com"" as username, so how does that differ from your approach? – Patric Sep 30 '20 at 09:26
0

When I encountered this error, the problem was that the account I was logging in with (my Windows Live account) requires two-factor authentication. The documentation describes three ways to log in:

  1. Interactively, with Connect-AzureAD -Confirm. This pops up a dialog, so it can't be used for unattended scripts.

  2. With a variable, as the OP and I attempted. But the docs say:

If multi-factor authentication is enabled for your credentials, you must log in using the interactive option or use service principal authentication.

  3. As a service principal, using a self-signed certificate -- which was more work than I was willing to do, and fortunately I didn't need unattended operation, so I could use option #1.
Larry Golding
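For readers who do need unattended operation, here is the third option from the answer above worked through: sign in as a service principal with a self-signed certificate, which is not subject to the user's multi-factor authentication. This is an added example written for this page, not the answer's own code. It assumes an app registration already exists, uses placeholder tenant and application IDs, and relies on `New-SelfSignedCertificate` (Windows PKI module), `Connect-AzureAD` (AzureAD module), and `Connect-AzAccount` / `New-AzADAppCredential` (Az module).

```powershell
# Added example; not code from the original answer.
# Unattended sign-in as a service principal using a certificate instead of a
# user password. Assumptions (not from the page): an existing app registration,
# placeholder IDs below, and the AzureAD / Az / PKI cmdlets named here.

$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$appId    = '11111111-1111-1111-1111-111111111111'   # placeholder, replace
$subject  = 'CN=aad-automation'

# 1. One-time setup on the automation host. The private key is generated in the
#    user's certificate store and marked non-exportable, so it never leaves the box.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Public half only, for upload under the app registration's "Certificates & secrets".
Export-Certificate -Cert $cert -FilePath "$env:TEMP\aad-automation.cer" | Out-Null

# Alternative to the portal upload, run once by an admin who is already signed in
# with Connect-AzAccount: register the public key against the app registration.
# New-AzADAppCredential -ApplicationId $appId `
#     -CertValue ([Convert]::ToBase64String($cert.GetRawCertData())) `
#     -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 2. Every run: select the certificate by subject and fail closed if it is
#    missing or expired, rather than falling back to a password prompt.
$cert = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject '$subject' in Cert:\CurrentUser\My" }

# AzureAD module (the cmdlet family used in the answer above)
Connect-AzureAD -TenantId $tenantId -ApplicationId $appId -CertificateThumbprint $cert.Thumbprint

# Az module equivalent, when subscription-level work is needed
Connect-AzAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $appId `
    -CertificateThumbprint $cert.Thumbprint
```

Because the service principal authenticates with the certificate's private key rather than a user's password, neither the "Unknown User Type" account-type problem nor the MFA restriction quoted above applies; grant the app registration only the directory roles or API permissions the script actually needs, and rotate the certificate before `NotAfter`.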