## Description
This is possibly similar to #10550. I am using a service principal to manage IAM access to Azure resources for which that service account is the owner.

`Get-AzRoleAssignment` returns `Authorization_RequestDenied`, whereas `New-AzRoleAssignment` and `Remove-AzRoleAssignment` work perfectly. The expected behavior is that this service principal can read and write Azure AD accounts on applications it owns, but it seems it can only write.
The service principal account has the following access:

| Azure Active Directory Graph (2) | Type | Description | Admin consent required | Status |
|---|---|---|---|---|
| Application.ReadWrite.OwnedBy | Application | Manage apps that this app creates or owns | Yes | Granted for "omitted tenant name" |
| Directory.Read.All | Delegated | Read directory data | Yes | Granted for "omitted tenant name" |
## Steps to reproduce

- Create an Azure AD service principal with the permissions above.
- Create an Azure resource, such as an Azure storage account.
- Grant the above service principal the Owner role on the Azure resource using the IAM blade in the Azure portal.

`New-AzRoleAssignment` (works):

```powershell
New-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> -ObjectId <ObjectID> -RoleDefinitionName 'Reader'
```

`Get-AzRoleAssignment` (fails):

```powershell
Get-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>
```

```
Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
```
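An added example, not code from this issue or from the Az module, that reads the role assignments at the same scope without the directory lookup that fails here. The stack trace in the error output shows the failing request is the Azure AD Graph `getObjectsByObjectIds` POST, which `Get-AzRoleAssignment` uses to turn principal object ids into display names; the ARM `Microsoft.Authorization/roleAssignments` read is a separate call. The function below goes to ARM directly through `Invoke-AzRestMethod`, so it needs only `Microsoft.Authorization/roleAssignments/read` on the scope (included in Owner) and no directory permission, and it reports object ids rather than display names. Assumptions: an Az context for the service principal already exists (`Connect-AzAccount -ServicePrincipal ...`), `Invoke-AzRestMethod` is present in the installed Az.Accounts, and the two ARM `api-version` values are accepted by the tenant; the scope is the placeholder from the repro above.

```powershell
# Added example for this issue; not code from the issue or from the Az module.
# Assumes: an Az context for the service principal already exists
# (Connect-AzAccount -ServicePrincipal ...), Invoke-AzRestMethod is available
# in the installed Az.Accounts, and the ARM api-versions below are accepted.
function Get-RoleAssignmentFromArm {
    [CmdletBinding()]
    param(
        # ARM resource id of the scope, e.g. the storage account from the issue.
        [Parameter(Mandatory)]
        [string]$Scope,
        [string]$AssignmentApiVersion = '2020-04-01-preview',
        [string]$RoleDefinitionApiVersion = '2018-01-01-preview'
    )

    # Role assignments are ARM resources under Microsoft.Authorization. Listing
    # them needs Microsoft.Authorization/roleAssignments/read on the scope and
    # no Azure AD Graph permission; the directory is only needed to turn
    # principal object ids into display names, which this function skips.
    $path = "$Scope/providers/Microsoft.Authorization/roleAssignments?api-version=$AssignmentApiVersion"
    $response = Invoke-AzRestMethod -Path $path -Method GET
    if ($response.StatusCode -ne 200) {
        # A non-200 here is an ARM authorization problem, not a Graph one.
        throw "ARM returned HTTP $($response.StatusCode) for $path`n$($response.Content)"
    }
    $assignments = ($response.Content | ConvertFrom-Json).value

    # Role definitions are ARM resources too; cache the id-to-name lookups.
    $roleNames = @{}
    foreach ($assignment in $assignments) {
        $roleDefinitionId = $assignment.properties.roleDefinitionId
        if (-not $roleNames.ContainsKey($roleDefinitionId)) {
            $rd = Invoke-AzRestMethod -Path "${roleDefinitionId}?api-version=$RoleDefinitionApiVersion" -Method GET
            $roleNames[$roleDefinitionId] = if ($rd.StatusCode -eq 200) {
                ($rd.Content | ConvertFrom-Json).properties.roleName
            } else {
                '<unresolved>'
            }
        }
        [pscustomobject]@{
            # Object id only; resolving it to a display name is the directory
            # read that fails in this issue.
            ObjectId           = $assignment.properties.principalId
            PrincipalType      = $assignment.properties.principalType
            RoleDefinitionName = $roleNames[$roleDefinitionId]
            Scope              = $assignment.properties.scope
        }
    }
}

# Same scope placeholder as the repro above.
Get-RoleAssignmentFromArm -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>' |
    Format-Table ObjectId, PrincipalType, RoleDefinitionName, Scope
```

Because the function separates the ARM read from the directory read, a 403 from it points at the RBAC scope itself rather than at Azure AD Graph. Note also that a permission of type Delegated, like the `Directory.Read.All` row in the table above, only takes effect when a signed-in user is present; a service principal authenticating with its own credential is granted only its Application-type permissions, so the least-privilege way to let it resolve principal names would be an Application-type directory read permission rather than a delegated one.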
## Environment data

```powershell
Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Darwin 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
## Module versions
```powershell
Get-Module -ListAvailable | where name -eq Az

    Directory: /Users/<my username>/.local/share/powershell/Modules

ModuleType Version    PreRelease Name    PSEdition ExportedCommands
---------- -------    ---------- ----    --------- ----------------
Script     4.6.1                 Az      Core,Desk
```
## Debug output

```
Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "c6906c6a-13dd-4368-8c7d-c3383e75302e",
    "date": "2020-09-02T22:48:46"
  }
}
Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
```

Note, if more than this is needed please reach out and I will supply it privately.
## Error output

```powershell
Resolve-AzError -Last
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING: - The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

HistoryId: 449

RequestId      :
Message        : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
ServerMessage  : : (System.Collections.Generic.List`1[Microsoft.Rest.Azure.CloudError])
ServerResponse : {Forbidden}
RequestMessage : {POST https://graph.windows.net/<omitted>/getObjectsByObjectIds?api-version=1.6}
InvocationInfo : {Get-AzRoleAssignment}
Line           : Get-AzRoleAssignment -Scope /subscriptions/<mysubscriptionId>/resourceGroups/datasvc-dev-rg/providers/Microsoft.Storage/storageAccounts/<mystorageaccount>
Position       : At line:1 char:1
                 + Get-AzRoleAssignment -Scope /subscriptions<mysubscriptionId> …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at Microsoft.Azure.Graph.RBAC.ObjectsOperations.GetObjectsByObjectIdsWithHttpMessagesAsync(GetObjectsParameters parameters, Dictionary`2 customHeaders, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIdsAsync(IObjectsOperations operations, GetObjectsParameters parameters, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIds(IObjectsOperations operations, GetObjectsParameters parameters)
                    at Microsoft.Azure.Commands.ActiveDirectory.ActiveDirectoryClient.GetObjectsByObjectId(List`1 objectIds)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClientExtensions.ToPSRoleAssignments(IEnumerable`1 assignments, IEnumerable`1 roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, Boolean excludeAssignmentsForDeletedPrincipals)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.FilterRoleAssignments(FilterRoleAssignmentsOptions options, String currentSubscription, UInt64 first, UInt64 skip)
                    at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HistoryId      : 449

The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
```