Description
We are attempting to automate some Azure management operations with an AAD global admin account, but running into issues with the Az cmdlets if this is done with a global admin who does not currently have any RBAC roles in Azure.
The script first elevates the global admin (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin) then attempts to run other commands such as Get-AzRoleAssignment, but fails with:
Get-AzRoleAssignment: Object reference not set to an instance of an object.
This is because the current Azure context has null for subscription (because Connect-AzAccount was run when the user had no RBAC roles), and cmdlets such as Get-AzRoleAssignment assume a subscription object is populated (i.e., they have code like DefaultProfile.DefaultContext.Subscription.Id).
Script to reproduce:
# Connect to user tenant as a global admin. This must be done as a user and not as a service principal, because an SPN can't call the elevateAccess API.
$ctx = Connect-AzAccount -Tenant $TenantId
# Elevate global admin to be able to assign Azure RBAC roles. This gives the User Access Administrator RBAC assignment at root management group.
Invoke-AzRestMethod -Method POST -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" -DefaultProfile $ctx
# Get current role assignments
Get-AzRoleAssignment
The workaround is to call Connect-AzAccount again after the elevateAccess call, so that the context is populated with a subscription, but this is not ideal as it prompts the user to log in again.
Issue script & Debug output
PS C:\users\test> $ctx = Connect-AzAccount -Tenant $TenantId
DEBUG: 10:54:37 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 10:54:37 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 10:54:37 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 10:54:37 AM - Using Autosave scope 'CurrentUser'
DEBUG: 10:54:37 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', RedirectUri:'http://localhost:8400/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] MSAL MSAL.NetCore with assembly version '4.46.0.0'. CorrelationId(d52cf4c5-a421-4c1b-9505-463b93fea5be)
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - d52cf4c5-a421-4c1b-9505-463b93fea5be
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] === Token Acquisition (InteractiveRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Using system browser.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:37Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Listening for authorization code on http://localhost:8400/
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:40Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Processing a response message to the browser. HttpStatus:OK
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:40Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:40Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:40Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: Request [9d965780-3b5c-454b-ac83-d417285c3f1e] POST https://login.microsoftonline.com/1236e2bb-edd6-4a3b-9d9c-f9654c80a04a/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:9d965780-3b5c-454b-ac83-d417285c3f1e
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1,(.NET 7.0.2; Microsoft Windows 10.0.22621)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [9d965780-3b5c-454b-ac83-d417285c3f1e] 200 OK (00.8s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:da5b46fc-d512-4602-afaf-0e1a4b741f00
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Fri, 03 Mar 2023 16:54:42 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:5068
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Checking client info returned from the server..
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Saving token response to cache..
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Intersecting scope entries count - 1
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Saving RT in cache...
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Not writing FRT in ADAL legacy cache.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] AT expiration time: 3/3/2023 6:11:40 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - d52cf4c5-a421-4c1b-9505-463b93fea5be] Fetched access token from host login.microsoftonline.com.
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-03-03T18:11:40.6658483+00:00
DEBUG: 10:54:41 AM - [MsalAccessToken] Calling InteractiveBrowserCredential.GetTokenAsync - Scopes:'https://management.core.windows.net//.default'
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] MSAL MSAL.NetCore with assembly version '4.46.0.0'. CorrelationId(5066274a-dd1f-41d8-9055-9572f796d689)
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] LoginHint provided: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] Account provided: True
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] ForceRefresh: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 5066274a-dd1f-41d8-9055-9572f796d689
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] Access token is not expired. Returning the found cache entry. [Current time (03/03/2023 16:54:41) - Expiration Time (03/03/2023 18:11:40 +00:00) - Extended Expiration Time (03/03/2023 18:11:40 +00:00)]
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:41Z - 5066274a-dd1f-41d8-9055-9572f796d689] AT expiration time: 3/3/2023 6:11:40 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-03-03T18:11:40.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions?api-version=2021-01-01
Headers:
Accept-Language : en-US
x-ms-client-request-id : f10e1f77-de8d-4787-9906-b3de5975c08f
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id : 1b69c283-c8c9-4490-b6e0-be1ab15939ec
x-ms-correlation-request-id : 1b69c283-c8c9-4490-b6e0-be1ab15939ec
x-ms-routing-request-id : SOUTHCENTRALUS:20230303T165443Z:1b69c283-c8c9-4490-b6e0-be1ab15939ec
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Fri, 03 Mar 2023 16:54:43 GMT
Body:
{
"value": [],
"count": {
"type": "Total",
"value": 0
}
}
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.7.5; CommandName: Connect-AzAccount; PSVersion: 7.3.2; IsSuccess: True; Duration: 00:00:04.5379903
DEBUG: Finish sending metric.
DEBUG: 10:54:42 AM - ConnectAzureRmAccountCommand end processing.
PS C:\users\test> Invoke-AzRestMethod -Method POST -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" -DefaultProfile $ctx
DEBUG: 10:54:51 AM - InvokeAzRestMethodCommand begin processing with ParameterSet 'ByPath'.
DEBUG: 10:54:51 AM - using account id 'user@testdomain.com'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'user@testdomain.com', environment: 'AzureCloud', tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a'
DEBUG: 10:54:51 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'user@testdomain.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - d8b59a1c-4344-4c14-9654-cdfc535bfb7e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - d8b59a1c-4344-4c14-9654-cdfc535bfb7e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - d8b59a1c-4344-4c14-9654-cdfc535bfb7e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - d8b59a1c-4344-4c14-9654-cdfc535bfb7e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - d8b59a1c-4344-4c14-9654-cdfc535bfb7e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z] Returning 1 accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] MSAL MSAL.NetCore with assembly version '4.46.0.0'. CorrelationId(b8251eee-fa25-47a7-adfb-bb5561608ad6)
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] LoginHint provided: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] Account provided: True
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] ForceRefresh: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b8251eee-fa25-47a7-adfb-bb5561608ad6
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] Access token is not expired. Returning the found cache entry. [Current time (03/03/2023 16:54:51) - Expiration Time (03/03/2023 18:11:40 +00:00) - Extended Expiration Time (03/03/2023 18:11:40 +00:00)]
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:54:51Z - b8251eee-fa25-47a7-adfb-bb5561608ad6] AT expiration time: 3/3/2023 6:11:40 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-03-03T18:11:40.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', UserId: 'user@testdomain.com'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01
Headers:
Accept-Language : en-US
x-ms-client-request-id : 4cbffadd-663f-4837-a46b-b71b712c2f4e
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-id : 40fad0f7-778b-496c-846a-5227c7d843eb
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
x-ms-ratelimit-remaining-tenant-writes: 1199
x-ms-correlation-request-id : eed62c6a-c913-4cef-9f5f-a45d055038cb
x-ms-routing-request-id : SOUTHCENTRALUS:20230303T165455Z:eed62c6a-c913-4cef-9f5f-a45d055038cb
Date : Fri, 03 Mar 2023 16:54:54 GMT
Body:
Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-request-id, System.String[]], [X-Content-Type-Options, System.String[]]…}
Version : 1.1
StatusCode : 200
Method : POST
Content :
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.7.5; CommandName: Invoke-AzRestMethod; PSVersion: 7.3.2; IsSuccess: True; Duration: 00:00:01.6060260
DEBUG: Finish sending metric.
DEBUG: 10:54:53 AM - InvokeAzRestMethodCommand end processing.
PS C:\users\test> Get-AzRoleAssignment
DEBUG: 10:55:11 AM - GetAzureRoleAssignmentCommand begin processing with ParameterSet 'EmptyParameterSet'.
DEBUG: 10:55:11 AM - using account id 'user@testdomain.com'...
WARNING: We have migrated the API calls for this cmdlet from Azure Active Directory Graph to Microsoft Graph.
Visit https://go.microsoft.com/fwlink/?linkid=2181475 for any permission issues.
DEBUG: [Common.Authentication]: Authenticating using Account: 'user@testdomain.com', environment: 'AzureCloud', tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a'
DEBUG: 10:55:11 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', Scopes:'https://graph.microsoft.com//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'user@testdomain.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 991de88d-3ce4-43af-8257-3673313beeaa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 991de88d-3ce4-43af-8257-3673313beeaa] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 991de88d-3ce4-43af-8257-3673313beeaa] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 991de88d-3ce4-43af-8257-3673313beeaa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 991de88d-3ce4-43af-8257-3673313beeaa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z] Returning 1 accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] MSAL MSAL.NetCore with assembly version '4.46.0.0'. CorrelationId(60545bf7-db33-4dc2-a62b-dff8bcdff70c)
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] LoginHint provided: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] Account provided: True
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] ForceRefresh: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c]
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 60545bf7-db33-4dc2-a62b-dff8bcdff70c
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] === Token Acquisition (SilentRequest) started:
Scopes: https://graph.microsoft.com//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] Access token is not expired. Returning the found cache entry. [Current time (03/03/2023 16:55:11) - Expiration Time (03/03/2023 18:01:48 +00:00) - Extended Expiration Time (03/03/2023 18:01:48 +00:00)]
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 60545bf7-db33-4dc2-a62b-dff8bcdff70c] AT expiration time: 3/3/2023 6:01:48 PM +00:00, scopes: email openid profile https://graph.microsoft.com//AuditLog.Read.All https://graph.microsoft.com//Directory.AccessAsUser.All https://graph.microsoft.com//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId: ExpiresOn: 2023-03-03T18:01:48.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', UserId: 'user@testdomain.com'
DEBUG: [Common.Authentication]: Authenticating using Account: 'user@testdomain.com', environment: 'AzureCloud', tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a'
DEBUG: 10:55:11 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'user@testdomain.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 0e9cd90a-b8ef-45ec-8267-591ee442c9b4] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 0e9cd90a-b8ef-45ec-8267-591ee442c9b4] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 0e9cd90a-b8ef-45ec-8267-591ee442c9b4] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 0e9cd90a-b8ef-45ec-8267-591ee442c9b4] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - 0e9cd90a-b8ef-45ec-8267-591ee442c9b4] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z] Returning 1 accounts
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] MSAL MSAL.NetCore with assembly version '4.46.0.0'. CorrelationId(c9ee46fb-3039-44e6-9029-9739ca105714)
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] LoginHint provided: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] Account provided: True
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] ForceRefresh: False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - c9ee46fb-3039-44e6-9029-9739ca105714
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] Access token is not expired. Returning the found cache entry. [Current time (03/03/2023 16:55:11) - Expiration Time (03/03/2023 18:11:40 +00:00) - Extended Expiration Time (03/03/2023 18:11:40 +00:00)]
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.NetCore .NET 7.0.2 Microsoft Windows 10.0.22621 [2023-03-03 16:55:11Z - c9ee46fb-3039-44e6-9029-9739ca105714] AT expiration time: 3/3/2023 6:11:40 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-03-03T18:11:40.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '1236e2bb-edd6-4a3b-9d9c-f9654c80a04a', UserId: 'user@testdomain.com'
Get-AzRoleAssignment: Object reference not set to an instance of an object.
DEBUG: AzureQoSEvent: Module: Az.Resources:5.5.0; CommandName: Get-AzRoleAssignment; PSVersion: 7.3.2; IsSuccess: False; Duration: 00:00:02.4646170; Exception: Object reference not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 10:55:14 AM - GetAzureRoleAssignmentCommand end processing.
Environment data
PS C:\Users\test> $PSVersionTable
Name Value
---- -----
PSVersion 7.3.2
PSEdition Core
GitCommitId 7.3.2
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
PS C:\Users\test> Get-Module Az*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.7.5 Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}
Script 4.3.1 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount…}
Script 5.5.0 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
Error output
PS C:\Users\test> Resolve-AzError
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
HistoryId: 139
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Get-AzRoleAssignment}
Line : Get-AzRoleAssignment
Position : At line:1 char:1
+ Get-AzRoleAssignment
+ ~~~~~~~~~~~~~~~~~~~~
HistoryId : 139
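As an added example (not part of the original issue and not the Az module's own code): one way to read root-scope role assignments without a subscription in the context is to call the ARM REST API through Invoke-AzRestMethod, the same cmdlet the reproduction script uses. It also flags any User Access Administrator assignment at scope "/", which is what elevateAccess creates and what should be removed once the work is done. The function name Get-RootScopeRoleAssignment, the api-version 2022-04-01 and the output property names are assumptions of this sketch.

```powershell
# Added example. Assumes an existing Az session (Connect-AzAccount already run)
# for a user who has called elevateAccess, as in the reproduction script above.

# Assumption: api-version of the roleAssignments REST API used by this sketch.
$ApiVersion  = '2022-04-01'
# Built-in role definition GUID for "User Access Administrator".
$UaaRoleGuid = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

function Get-RootScopeRoleAssignment {
    # Hypothetical helper: lists role assignments at root scope ("/") via REST,
    # so it does not depend on the context carrying a subscription.
    [CmdletBinding()]
    param()

    $ctx = Get-AzContext
    if (-not $ctx) {
        throw 'No Az context found. Run Connect-AzAccount first.'
    }
    if (-not $ctx.Subscription) {
        # This is the state described in the issue: signed in, but no subscription.
        Write-Verbose 'Context has no subscription; querying ARM at root scope via REST.'
    }

    # Single quotes keep $filter literal; -f only substitutes {0}.
    $path = '/providers/Microsoft.Authorization/roleAssignments?api-version={0}&$filter=atScope()' -f $ApiVersion

    $assignments = @()
    while ($path) {
        $resp = Invoke-AzRestMethod -Method GET -Path $path
        if ($resp.StatusCode -ne 200) {
            throw "Listing role assignments failed: HTTP $($resp.StatusCode) $($resp.Content)"
        }
        $body = $resp.Content | ConvertFrom-Json
        $assignments += $body.value

        # Follow paging; nextLink is an absolute URL, -Path needs path and query only.
        $path = if ($body.nextLink) { ([uri]$body.nextLink).PathAndQuery } else { $null }
    }

    foreach ($ra in $assignments) {
        [pscustomobject]@{
            Id                    = $ra.id
            Scope                 = $ra.properties.scope
            PrincipalId           = $ra.properties.principalId
            RoleDefinitionId      = $ra.properties.roleDefinitionId
            # True for User Access Administrator assigned directly at "/".
            IsRootUserAccessAdmin = ($ra.properties.scope -eq '/' -and
                                     $ra.properties.roleDefinitionId -like "*/$UaaRoleGuid")
        }
    }
}

# Show the root-scope User Access Administrator assignments that need review or removal.
Get-RootScopeRoleAssignment -Verbose |
    Where-Object IsRootUserAccessAdmin |
    Format-Table Id, PrincipalId, Scope -AutoSize
```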