Get-AzPolicyExemption doesn't work

[kongou-ae]

Description

Get-AzPolicyExemption doesn't show any output even if exemptions is configured in Azure Policy.

If I directly access the following "Absolute Uri" which I found in debug, I can get exemptions. So I guess that the processing off Get-AzPolicyExemption may contains a bug.

$res = Invoke-AzRest -Uri "https://management.azure.com/Subscriptions//providers/Microsoft.Authorization/policyexemptions?$filter=atScope()&api-version=2020-07-01-preview"
($res.Content | ConvertFrom-Json).value.count
4

Issue script & Debug output

PS C:\Users\ymatsumoto> Get-AzPolicyExemption
DEBUG: 19:03:17 - GetAzurePolicyExemptionCmdlet begin processing with ParameterSet 'NameParameterSet'.
DEBUG: 19:03:17 - using account id '<MY ACCOUNT>'...
DEBUG: 19:03:17 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '<MY ACCOUNT>', environment: 'AzureCloud', tenant: '<MY TENANT ID>'
DEBUG: 19:03:17 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'<MY TENANT ID>', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'<MY ACCOUNT>'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 955d7419-87eb-4904-aa72-29fb73b4892c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] Found 3 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] Returning 3 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(bab39831-9e28-47d1-a596-7a66078d0991)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - bab39831-9e28-47d1-a596-7a66078d0991
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Access token is not expired. Returning the found cache entry. [Current time (01/13/2023 10:03:17) - Expiration Time (01/13/2023 11:19:30 +00:00) - Extended Expiration Time (01/13/2023 11:19:30 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]  AT expiration time: 2023/01/13 11:19:30 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-01-13T11:19:30.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '<MY TENANT ID>', UserId: '<MY ACCOUNT>'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/Subscriptions/<MY SUB ID>/providers/Microsoft.Authorization/policyexemptions?$filter=atScope()&api-version=2020-07-01-preview

Headers:
User-Agent                    : PSVersion/v7.2.8,AzurePowershell/v9.3.0,Az.Resources/6.5.1
ParameterSetName              : NameParameterSet
CommandName                   : Get-AzPolicyExemption

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11995
x-ms-request-id               : d3db392f-3f31-415d-9613-e17bc093bb89
x-ms-correlation-request-id   : d3db392f-3f31-415d-9613-e17bc093bb89
x-ms-routing-request-id       : JAPANEAST:20230113T100317Z:d3db392f-3f31-415d-9613-e17bc093bb89
X-Content-Type-Options        : nosniff
Date                          : Fri, 13 Jan 2023 10:03:17 GMT

Body:
{
  "value": []
}


DEBUG: AzureQoSEvent:  Module: Az.Resources:6.5.1; CommandName: Get-AzPolicyExemption; PSVersion: 7.2.8; IsSuccess: True; Duration: 00:00:00.1625973
DEBUG: 19:03:17 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 19:03:17 - GetAzurePolicyExemptionCmdlet end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.8
PSEdition                      Core
GitCommitId                    7.2.8
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.11.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     6.5.1                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, G…

Error output

No response

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aperezcloud, @kenieva.

Issue Details

---

Description

Get-AzPolicyExemption doesn't show any output even if exemptions is configured in Azure Policy.

If I directly access the following "Absolute Uri" which I found in debug, I can get exemptions. So I guess that the processing off Get-AzPolicyExemption may contains a bug.

$res = Invoke-AzRest -Uri "https://management.azure.com/Subscriptions//providers/Microsoft.Authorization/policyexemptions?$filter=atScope()&api-version=2020-07-01-preview"
($res.Content | ConvertFrom-Json).value.count
4

Issue script & Debug output

PS C:\Users\ymatsumoto> Get-AzPolicyExemption
DEBUG: 19:03:17 - GetAzurePolicyExemptionCmdlet begin processing with ParameterSet 'NameParameterSet'.
DEBUG: 19:03:17 - using account id '<MY ACCOUNT>'...
DEBUG: 19:03:17 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '<MY ACCOUNT>', environment: 'AzureCloud', tenant: '<MY TENANT ID>'
DEBUG: 19:03:17 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'<MY TENANT ID>', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'<MY ACCOUNT>'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 238b8e2c-6b75-45f9-b36d-8bc63523bb13] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - 955d7419-87eb-4904-aa72-29fb73b4892c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] Found 3 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z] Returning 3 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(bab39831-9e28-47d1-a596-7a66078d0991)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - bab39831-9e28-47d1-a596-7a66078d0991
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Access token is not expired. Returning the found cache entry. [Current time (01/13/2023 10:03:17) - Expiration Time (01/13/2023 11:19:30 +00:00) - Extended Expiration Time (01/13/2023 11:19:30 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.11 Microsoft Windows 10.0.22621 [2023-01-13 10:03:17Z - bab39831-9e28-47d1-a596-7a66078d0991]  AT expiration time: 2023/01/13 11:19:30 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-01-13T11:19:30.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '<MY TENANT ID>', UserId: '<MY ACCOUNT>'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/Subscriptions/<MY SUB ID>/providers/Microsoft.Authorization/policyexemptions?$filter=atScope()&api-version=2020-07-01-preview

Headers:
User-Agent                    : PSVersion/v7.2.8,AzurePowershell/v9.3.0,Az.Resources/6.5.1
ParameterSetName              : NameParameterSet
CommandName                   : Get-AzPolicyExemption

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11995
x-ms-request-id               : d3db392f-3f31-415d-9613-e17bc093bb89
x-ms-correlation-request-id   : d3db392f-3f31-415d-9613-e17bc093bb89
x-ms-routing-request-id       : JAPANEAST:20230113T100317Z:d3db392f-3f31-415d-9613-e17bc093bb89
X-Content-Type-Options        : nosniff
Date                          : Fri, 13 Jan 2023 10:03:17 GMT

Body:
{
  "value": []
}


DEBUG: AzureQoSEvent:  Module: Az.Resources:6.5.1; CommandName: Get-AzPolicyExemption; PSVersion: 7.2.8; IsSuccess: True; Duration: 00:00:00.1625973
DEBUG: 19:03:17 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 19:03:17 - GetAzurePolicyExemptionCmdlet end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.8
PSEdition                      Core
GitCommitId                    7.2.8
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.11.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     6.5.1                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, G…

Error output

No response

Author:	kongou-ae
Assignees:	-
Labels:	Policy, Service Attention, bug, customer-reported
Milestone:	-

Thank you for your feedback. This has been routed to the support team for assistance.

[dingmeng-xue]

@kongou-ae , I tried the same script in my environment but cannot reproduce it. If uri is the same, it should have the same result. Please check you send the request to the same subscription and use the same account.

[navba-MSFT]

@kongou-ae Thanks for reaching out to us and reporting this issue. I tried with the same command and same module version [Az.Resources](https://www.powershellgallery.com/packages/Az.Resources/6.5.1), it works fine at my end.

Could you please ensure that the right subscription is selected before running the above command ?

Select-AzSubscription -SubscriptionId 'xxxx-xxx-xxxx-xxx-xxxx'

[dingmeng-xue]

This one can be resolved @navba-MSFT . I had a talk with @kongou-ae and it seems service latency. Kongou-ae will contact service team.