You should follow the documentation here. However, one thing is missing. When you use the Azure CLI to generate a service account you are not provided with the accurate ObjectId for the Active Directory Service Principal.

As a result, if you put the wrong value in the “object_id” field in the packer variables file you will invariably run into this error:

“ERROR: -> Forbidden : Access denied”

“…failed to get certificate URL, retry(0)”

“…failed to get certificate URL, retry(1)”

“…failed to get certificate URL, retry(2)”

“…failed to get certificate URL, retry(3)”

Until it finally bombs out.

I haven’t figured out how to get this value from the Azure CLI but I have using PowerShell.

First login.

Then display a list of the Azure AD Service Principals:

Find the Service Principal with an ApplicationId that matches the field found in the Azure Portal highlighted below:

Your packer variables file should have the following:

1. client_id: Service Principal’s Application ID
2. client_secret: Password you setup for this Service Principal
3. tenant_id: Azure Active Directory tenant ID
4. subscription_id: Azure Subscription ID
5. object_id: Service Principal’s Object ID
6. Resource_group_name: Name of an existing resource group where packer can deploy the machine images to

After grabbing the ObjectId, everything works simply by running this command to build my image in azure:

packer build -var-file=variables-prod.json active-directory-dc.json