
Get-AzRoleAssignment returns Authorization_RequestDenied; whereas New-AzRoleAssignment and Remove-AzRoleAssignment work

Open rybal06 opened this issue 3 years ago • 18 comments

Description

This is similar to https://github.com/Azure/azure-powershell/issues/10550 possibly. I am using a service principal to manage IAM access to azure resources for which that service account is the owner.

Get-AzRoleAssignment returns Authorization_RequestDenied; whereas New-AzRoleAssignment and Remove-AzRoleAssignment work perfectly. The expected behavior is that this service principal can read and write azure AD accounts on applications it owns; but it seems it can only write.

The service principal account has the following access:

Azure Active Directory Graph (2)

  Permission                      Type         Description                                 Admin consent required  Status
  Application.ReadWrite.OwnedBy   Application  Manage apps that this app creates or owns   Yes                     Granted for "omitted tenant name"
  Directory.Read.All              Delegated    Read directory data                         Yes                     Granted for "omitted tenant name"

Steps to reproduce

  1. Create an Azure AD service principal, with the permissions above.
  2. Create an azure resource, such as an azure storage account.
  3. Grant the above service principal as an owner of the azure resource using the IAM blade in the azure portal

New-AzRoleAssignment (works)

 New-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> -ObjectId <ObjectID> -RoleDefinitionName 'Reader'

Get-AzRoleAssignment (fails)

 Get-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>

Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.

Environment data

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Darwin 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

## Module versions

```powershell
Get-Module -ListAvailable | where name -eq Az

    Directory: /Users/<my username>/.local/share/powershell/Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     4.6.1                 Az                                  Core,Desk
```

Debug output

Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "c6906c6a-13dd-4368-8c7d-c3383e75302e",
    "date": "2020-09-02T22:48:46"
  }
}


Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.

Note, if more than this is needed please reach out and I will supply it privately.

Error output

Resolve-AzError -Last                                                                                                                                                   
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING:  - The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.


WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.


   HistoryId: 449

RequestId      : 
Message        : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
ServerMessage  : :  (System.Collections.Generic.List`1[Microsoft.Rest.Azure.CloudError])
ServerResponse : {Forbidden}
RequestMessage : {POST https://graph.windows.net/<omitted>/getObjectsByObjectIds?api-version=1.6}
InvocationInfo : {Get-AzRoleAssignment}
Line           : Get-AzRoleAssignment -Scope /subscriptions/<mysubscriptionId>/resourceGroups/datasvc-dev-rg/providers/Microsoft.Storage/storageAccounts/<mystorageaccount>
Position       : At line:1 char:1
                 + Get-AzRoleAssignment -Scope /subscriptions<mysubscriptionId> …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at Microsoft.Azure.Graph.RBAC.ObjectsOperations.GetObjectsByObjectIdsWithHttpMessagesAsync(GetObjectsParameters parameters, Dictionary`2 customHeaders, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIdsAsync(IObjectsOperations operations, GetObjectsParameters parameters, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIds(IObjectsOperations operations, GetObjectsParameters parameters)
                    at Microsoft.Azure.Commands.ActiveDirectory.ActiveDirectoryClient.GetObjectsByObjectId(List`1 objectIds)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClientExtensions.ToPSRoleAssignments(IEnumerable`1 assignments, IEnumerable`1 roleDefinitions, AuthorizationClient policyClient, 
                 ActiveDirectoryClient activeDirectoryClient, Boolean excludeAssignmentsForDeletedPrincipals)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.FilterRoleAssignments(FilterRoleAssignmentsOptions options, String currentSubscription, UInt64 first, UInt64 skip)
                    at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HistoryId      : 449


The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.

rybal06 avatar Sep 02 '20 23:09 rybal06
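The stack trace above shows where the denial actually happens: after the role assignments are fetched from ARM, ToPSRoleAssignments calls ActiveDirectoryClient.GetObjectsByObjectId, a POST to graph.windows.net, to turn principal object IDs into names. That call is authorized by the directory permissions in the service principal's token, not by its RBAC Owner assignment on the storage account. A service principal signing in with a secret or certificate uses the client-credentials flow, so its token carries application permissions in the roles claim and never a scp (delegated) claim; a delegated Directory.Read.All grant therefore never reaches the directory API. The following script is an added example, not code from the issue or from the Az module, that decodes such a token and reports which grant it carries. The tenant and app IDs and the token signature are placeholders constructed here; Get-AzAccessToken is assumed to be available (Az.Accounts 2.2.0 or later).

```powershell
# Added example (not from the issue or the Az module): inspect the token a service
# principal presents to the directory API and report which Directory.Read.All
# grant, if any, it carries. Application permissions live in the 'roles' claim;
# delegated permissions live in 'scp' and need a signed-in user, so a
# client-credentials token never contains them.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-DirectoryReadGrant {
    # Reads claims only; the signature is NOT verified. This is a diagnostic on a
    # token your own session obtained, never a trust decision about a presented token.
    param([Parameter(Mandatory)][string]$AccessToken)

    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $appRoles  = @($claims.roles)                                              # application permissions
    $delegated = if ($claims.scp) { @($claims.scp -split ' ') } else { @() }  # delegated permissions (user present)

    $verdict = if ($appRoles -contains 'Directory.Read.All') {
        'OK: Directory.Read.All granted as an application permission'
    } elseif ($delegated -contains 'Directory.Read.All') {
        'Delegated Directory.Read.All present, but only usable with a signed-in user'
    } else {
        'No Directory.Read.All in token: expect Authorization_RequestDenied on getObjectsByObjectIds'
    }

    [pscustomobject]@{
        Audience              = $claims.aud
        ClientCredentialsFlow = (-not $claims.scp) -and (-not $claims.upn)   # no user context in token
        AppDirectoryReadAll   = [bool]($appRoles -contains 'Directory.Read.All')
        DelegDirectoryReadAll = [bool]($delegated -contains 'Directory.Read.All')
        Verdict               = $verdict
    }
}

# Constructed sample token (placeholder tenant and app IDs, throwaway signature):
# what the reporter's SP would receive with the original consent, i.e.
# Application.ReadWrite.OwnedBy as an application permission and Directory.Read.All
# only delegated. The delegated grant is simply absent from the token.
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url ((@{
    aud   = 'https://graph.windows.net/'
    iss   = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'
    appid = '11111111-1111-1111-1111-111111111111'
    roles = @('Application.ReadWrite.OwnedBy')
}) | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.c2lnbmF0dXJl"

Test-DirectoryReadGrant -AccessToken $sampleToken | Format-List

# Live check against your own session (assumes Connect-AzAccount -ServicePrincipal
# and Az.Accounts 2.2.0 or later; on Az.Accounts 4.x and later .Token is a
# SecureString and needs ConvertFrom-SecureString -AsPlainText first):
#   $tok = (Get-AzAccessToken -ResourceUrl 'https://graph.windows.net/').Token
#   Test-DirectoryReadGrant -AccessToken $tok
```

On the constructed token the verdict is the "No Directory.Read.All in token" branch, which matches the Forbidden response in the debug output above; after the application-permission grant described later in the thread, the roles claim contains Directory.Read.All and the first branch is reported.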

I was able to get this working after granting the following to both "Azure Active Directory Graph" and "Microsoft Graph": Directory.Read.All (Application) - Read directory data.

I still believe there is a bug here, as granting the service principal Read/Write to all resources that it owns should allow it to do so; but instead it is only allowing write, while read gets an access denied.

rybal06 avatar Sep 03 '20 20:09 rybal06

Thanks for reporting. It relies on service behavior change. We will share this information to Identity team.

dingmeng-xue avatar Sep 04 '20 02:09 dingmeng-xue

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

msftbot[bot] avatar Sep 04 '20 02:09 msftbot[bot]

any ETA for fix on above?

tarry87 avatar Sep 09 '20 05:09 tarry87

> I was able to get this working after granting the following to both "Azure Active Directory Graph" and "Microsoft Graph": Directory.Read.All (Application) - Read directory data.
>
> I still believe there is a bug here, as granting the service principal Read/Write to all resources that it owns should allow it to do so; but instead it is only allowing write, while read gets an access denied.

This is not working for me.

tarry87 avatar Sep 09 '20 05:09 tarry87

Hi Team,

Any update on this ? I am also having similar issue.

shivakumarky avatar Nov 24 '20 09:11 shivakumarky

Having this issue. In my case, using New-AzRoleAssignment, an SP that is admin-granted Directory.Read.All, and I get Authorization_RequestDenied (with -Debug enabled on the PS command), BUT it works. E.g. I delete the role through the portal, run, get the error, and it is created. However, it does not work every time.

Very frustrating; this is only a small piece of a much more complicated project, but it is taking more time than anything else to solve.

davejhahn avatar Jan 08 '21 16:01 davejhahn

@davejhahn please try adding the permissions as application permissions like mentioned by Petapacket in #10550

if that doesn't work please try: setting $DebugPreference="Continue" then re-running the command with the flag -Debug copy & paste the full output here

dagoroz avatar Jan 08 '21 18:01 dagoroz

I gave up on PowerShell, ended up using Rest API with az rest and was able to get it to work without any errors or problems. So I definitely think it's an issue in the PowerShell module.

davejhahn avatar Jan 08 '21 21:01 davejhahn

I've been having the same issue with PowerShell.

  • I get "Forbidden" with Get-AzRoleAssignment and nothing is returned.
  • I get "Forbidden" with New-AzRoleAssignment but the role assignment is actually created.
  • I get "Forbidden" with Remove-AzRoleAssignment and the role assignment is not removed.

I switched to Azure CLI and everything worked immediately.

sawatsky avatar Jan 28 '21 21:01 sawatsky
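Two commenters above worked around the problem by going to the REST API directly (az rest) or to Azure CLI. The reason that works is visible in the stack trace in the original report: the role assignments themselves come from ARM, and only the follow-up name lookup (getObjectsByObjectIds) goes to the directory. ARM returns principalId and principalType for each assignment without any directory permission, which is enough for auditing and drift checks and avoids granting a resource-automation service principal tenant-wide Directory.Read.All. The script below is an added example, not code from the thread or from the Az module; it does the same ARM-only listing from PowerShell. It assumes Invoke-AzRestMethod (Az.Accounts 1.9.0 or later), a session signed in as the service principal, and Microsoft.Authorization API version 2022-04-01, which returns principalType. The scope and identifiers in the usage line are placeholders.

```powershell
# Added example (not the Az module's own code): list role assignments at a scope
# through ARM only, with no directory call. This is the same endpoint that
# New-/Remove-AzRoleAssignment already use; Get-AzRoleAssignment differs only in
# the extra directory lookup that fails without Directory.Read.All.
# Assumes Az.Accounts 1.9.0+ (Invoke-AzRestMethod) and a signed-in SP session.

function Get-RoleAssignmentViaArm {
    param(
        # e.g. /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
        [Parameter(Mandatory)][string]$Scope,
        # Drop assignments inherited from parent scopes (subscription, resource group).
        [switch]$AtScopeOnly
    )
    $api  = '2022-04-01'
    $path = "$Scope/providers/Microsoft.Authorization/roleAssignments?api-version=$api"
    if ($AtScopeOnly) { $path += '&$filter=atScope()' }   # single quotes: $filter is literal

    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) {
        throw "ARM returned $($resp.StatusCode): $($resp.Content)"
    }
    $assignments = ($resp.Content | ConvertFrom-Json).value

    # Role definition names also come from ARM; cache by id because most
    # assignments share a handful of built-in roles.
    $roleNames = @{}
    foreach ($a in $assignments) {
        $defId = $a.properties.roleDefinitionId      # full ARM path of the role definition
        if (-not $roleNames.ContainsKey($defId)) {
            $d = Invoke-AzRestMethod -Method GET -Path "${defId}?api-version=${api}"
            $roleNames[$defId] = if ($d.StatusCode -eq 200) {
                ($d.Content | ConvertFrom-Json).properties.roleName
            } else {
                '<unresolved>'
            }
        }
        [pscustomobject]@{
            PrincipalId   = $a.properties.principalId
            PrincipalType = $a.properties.principalType   # User, Group, ServicePrincipal, ...
            Role          = $roleNames[$defId]
            Scope         = $a.properties.scope
            Inherited     = ($a.properties.scope -ne $Scope)
            AssignmentId  = $a.name
        }
    }
}

# Usage (placeholders, not real identifiers):
#   Get-RoleAssignmentViaArm -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>' |
#       Format-Table PrincipalType, PrincipalId, Role, Inherited
#
# Equivalent raw call from Azure CLI, as used by a commenter above:
#   az rest --method get --url "https://management.azure.com<scope>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01"
```

The output deliberately stops at object IDs and principal types. If display names are needed, resolve them in a separate step under a principal that legitimately holds Directory.Read.All (as an application permission, per the earlier comment), rather than widening the permissions of the service principal that writes role assignments.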

@rybal06 Apologies for the late reply. This issue has been open for quite some time. Could you please let us know if you need any further assistance on this? Awaiting your reply.

navba-MSFT avatar Mar 10 '22 11:03 navba-MSFT

@navba-MSFT I have noticed that there is a deprecation warning while using the Az module cmdlets which interact with Azure AD that the Az module is being updated to use the newer Graph API rather than the Azure AD Graph API (deprecated). It is likely worth parking this issue until after that change is rolled out, or closing it with details about the ETA of the updated module version.

rybal06 avatar Mar 11 '22 01:03 rybal06

@navba-MSFT : [https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404] I believe Azure Active Directory Graph permissions are being deprecated, and "Get-AzRoleAssignment" doesn't work without those permissions. Could you please suggest any alternate PowerShell module/library with which we can work on az role assignments without AD permissions? I am working with RBAC REST APIs now, but it would be more convenient with a PowerShell module.

Nagesh29 avatar Jul 27 '22 17:07 Nagesh29

@navba-MSFT Any updates on the above?

Nagesh29 avatar Aug 08 '22 07:08 Nagesh29

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

Issue Details

Author: rybal06
Assignees: -
Labels:

feature-request, Authorization, Service Attention, question, customer-reported, needs-team-attention

Milestone: -

msftbot[bot] avatar Aug 08 '22 07:08 msftbot[bot]

@Nagesh29 This is pending on Service Team.

@darshanhs90 @AshishGargMicrosoft Could you please look into this ask and provide an update. Thanks in advance.

navba-MSFT avatar Aug 08 '22 07:08 navba-MSFT

@AshishGargMicrosoft @darshanhs90 Can you please help me with the above query?

Nagesh29 avatar Aug 11 '22 16:08 Nagesh29

@AshishGargMicrosoft @darshanhs90 @navba-MSFT Still no updates on my above question?

Nagesh29 avatar Sep 13 '22 09:09 Nagesh29