New-AzManagementGroupSubscription fails trying to call Microsoft.Management/register/action
Description
New-AzManagementGroupSubscription first tries to register the Microsoft.Management resource provider in the target subscription (the call to PreregisterSubscription in NewAzureRmManagementGroupSubscription.cs). Once that succeeds, it moves the subscription to the target management group.
This is incorrect because Microsoft.Management is a tenant-level RP and does not need to be registered on the subscription. If the user calling New-AzManagementGroupSubscription does not have Microsoft.Management/register/action, then the operation fails with:
The client '1236b86a-0d38-42a9-82b2-d6b2cf179123' with object id '1236b86a-0d38-42a9-82b2-d6b2cf179123' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc' or the scope is invalid. If access was recently granted, please refresh your credentials.
The Microsoft.Management/register/action permission is not required to move a subscription to a new management group, and this cmdlet shouldn't fail due to lack of that permission.
Resolution is to remove the PreregisterSubscription function call from NewAzureRmManagementGroupSubscription.cs.
Issue script & Debug output
PS C:\Users\kwill> New-AzManagementGroupSubscription -GroupName $MGID -SubscriptionId $SubId -Debug
DEBUG: 9:24:23 AM - NewAzureRmManagementGroupSubscription begin processing with ParameterSet 'GroupOperations'.
DEBUG: 9:24:25 AM - using account id 'def43d8f-95ad-4872-83be-842a60dc3def'...
DEBUG: 9:24:25 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'New-AzManagementGroupSubscription' :
- The parameter : 'GroupName' is being replaced by parameter : 'GroupId'.
- Change description : We will replace GroupName with GroupId to make it more clear.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
DEBUG: [Common.Authentication]: Authenticating using Account: 'def43d8f-95ad-4872-83be-842a60dc3def', environment: 'AzureCloud', tenant: '456988bf-86f1-41af-91ab-2d7cd011d456'
DEBUG: 9:24:25 AM - [ServicePrincipalAuthenticator] Calling ClientSecretCredential.GetTokenAsync - ApplicationId:'def43d8f-95ad-4872-83be-842a60dc3def', TenantId:'456988bf-86f1-41af-91ab-2d7cd011d456', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(720104aa-a0d0-4879-95b4-c6d3b0f0608a)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 720104aa-a0d0-4879-95b4-c6d3b0f0608a
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] === Token Acquisition (ClientCredentialRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:25Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] [Region discovery] Not using a regional authority.
DEBUG: Request [d9415b00-511c-42ca-a89a-4fe88099f08a] POST https://login.microsoftonline.com/456988bf-86f1-41af-91ab-2d7cd011d456/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:d9415b00-511c-42ca-a89a-4fe88099f08a
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.9167.0; Microsoft Windows 10.0.22621 )
client assembly: Azure.Identity
DEBUG: Response [d9415b00-511c-42ca-a89a-4fe88099f08a] 200 OK (00.2s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:b9f0d527-9ec1-4ef4-8926-01525c509000
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 11 Aug 2023 14:24:26 GMT
Content-Length:1400
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] ScopeSet was missing from the token response, so using developer provided scopes in the result.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] [SaveTokenResponseAsync] ID Token not present in response.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Cannot determine home account id - or id token or no client info and no subject
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Intersecting scope entries count - 0
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] AT expiration time: 8/12/2023 2:24:25 PM +00:00, scopes: https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - 720104aa-a0d0-4879-95b4-c6d3b0f0608a] Fetched access token from host login.microsoftonline.com.
DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-08-12T14:24:25.1818423+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '456988bf-86f1-41af-91ab-2d7cd011d456', UserId: 'def43d8f-95ad-4872-83be-842a60dc3def'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/5857f4d2-3dce-4b96-ad95-677f764e7a67/providers/Microsoft.Management?api-version=2016-09-01
Headers:
x-ms-client-request-id : d8aa0d6c-f0ff-43c6-b0e6-500507a72a9c
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id : 102ec59b-4ca3-4ec3-ae60-a3154dd37420
x-ms-correlation-request-id : 102ec59b-4ca3-4ec3-ae60-a3154dd37420
x-ms-routing-request-id : SOUTHCENTRALUS:20230811T142427Z:102ec59b-4ca3-4ec3-ae60-a3154dd37420
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Fri, 11 Aug 2023 14:24:26 GMT
Body:
{
"id": "/subscriptions/5857f4d2-3dce-4b96-ad95-677f764e7a67/providers/Microsoft.Management",
"namespace": "Microsoft.Management",
"authorization": {
"applicationId": "f2c304cf-8e7e-4c3f-8164-16299ad9d272",
"roleDefinitionId": "c1cf3708-588a-4647-be7f-f400bbe214cf"
},
"resourceTypes": [
{
"resourceType": "resources",
"locations": [],
"apiVersions": [
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "managementGroups",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "getEntities",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "checkNameAvailability",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "operationResults",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "operationResults/asyncOperation",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "operations",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "tenantBackfillStatus",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta"
]
},
{
"resourceType": "startTenantBackfill",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta"
]
}
],
"registrationState": "Registered"
}
DEBUG: [Common.Authentication]: Authenticating using Account: 'def43d8f-95ad-4872-83be-842a60dc3def', environment: 'AzureCloud', tenant: '456988bf-86f1-41af-91ab-2d7cd011d456'
DEBUG: 9:24:26 AM - [ServicePrincipalAuthenticator] Calling ClientSecretCredential.GetTokenAsync - ApplicationId:'def43d8f-95ad-4872-83be-842a60dc3def', TenantId:'456988bf-86f1-41af-91ab-2d7cd011d456', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(b1beac33-e86c-4e97-aff9-cf8f80d0cef4)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b1beac33-e86c-4e97-aff9-cf8f80d0cef4
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] === Token Acquisition (ClientCredentialRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] [Region discovery] Not using a regional authority.
DEBUG: Request [6cc4653d-ff83-4d2e-84b6-41afdaebf8c1] POST https://login.microsoftonline.com/456988bf-86f1-41af-91ab-2d7cd011d456/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:6cc4653d-ff83-4d2e-84b6-41afdaebf8c1
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.9167.0; Microsoft Windows 10.0.22621 )
client assembly: Azure.Identity
DEBUG: Response [6cc4653d-ff83-4d2e-84b6-41afdaebf8c1] 200 OK (00.2s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:7a3785e6-bdd0-433d-b4a5-f8a75b789300
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 11 Aug 2023 14:24:26 GMT
Content-Length:1400
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] ScopeSet was missing from the token response, so using developer provided scopes in the result.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] [SaveTokenResponseAsync] ID Token not present in response.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Cannot determine home account id - or id token or no client info and no subject
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Intersecting scope entries count - 0
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] AT expiration time: 8/12/2023 2:24:25 PM +00:00, scopes: https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-08-11 14:24:26Z - b1beac33-e86c-4e97-aff9-cf8f80d0cef4] Fetched access token from host login.microsoftonline.com.
DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2023-08-12T14:24:25.4837934+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '456988bf-86f1-41af-91ab-2d7cd011d456', UserId: 'def43d8f-95ad-4872-83be-842a60dc3def'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc/providers/Microsoft.Management?api-version=2016-09-01
Headers:
x-ms-client-request-id : d8aa0d6c-f0ff-43c6-b0e6-500507a72a9c
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id : 986806b7-1f70-4d2a-8aea-e8d0e96e940f
x-ms-correlation-request-id : 986806b7-1f70-4d2a-8aea-e8d0e96e940f
x-ms-routing-request-id : SOUTHCENTRALUS:20230811T142427Z:986806b7-1f70-4d2a-8aea-e8d0e96e940f
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Fri, 11 Aug 2023 14:24:27 GMT
Body:
{
"id": "/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc/providers/Microsoft.Management",
"namespace": "Microsoft.Management",
"authorization": {
"applicationId": "f2c304cf-8e7e-4c3f-8164-16299ad9d272",
"roleDefinitionId": "c1cf3708-588a-4647-be7f-f400bbe214cf"
},
"resourceTypes": [
{
"resourceType": "resources",
"locations": [],
"apiVersions": [
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "managementGroups",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "getEntities",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "managementGroups/settings",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2018-03-01-beta"
]
},
{
"resourceType": "checkNameAvailability",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "operationResults",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview"
]
},
{
"resourceType": "operationResults/asyncOperation",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "operations",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta",
"2018-01-01-preview",
"2017-11-01-preview",
"2017-08-31-preview",
"2017-06-30-preview",
"2017-05-31-preview"
]
},
{
"resourceType": "tenantBackfillStatus",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta"
]
},
{
"resourceType": "startTenantBackfill",
"locations": [],
"apiVersions": [
"2023-04-01",
"2021-04-01",
"2020-10-01",
"2020-05-01",
"2020-02-01",
"2019-11-01",
"2018-03-01-preview",
"2018-03-01-beta"
]
}
],
"registrationState": "NotRegistered"
}
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://management.azure.com/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc/providers/Microsoft.Management/register?api-version=2016-09-01
Headers:
x-ms-client-request-id : d8aa0d6c-f0ff-43c6-b0e6-500507a72a9c
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : e594b487-b7bc-4eb3-b0a4-932c58b928f1
x-ms-correlation-request-id : e594b487-b7bc-4eb3-b0a4-932c58b928f1
x-ms-routing-request-id : SOUTHCENTRALUS:20230811T142427Z:e594b487-b7bc-4eb3-b0a4-932c58b928f1
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Connection : close
Cache-Control : no-cache
Date : Fri, 11 Aug 2023 14:24:27 GMT
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '1236b86a-0d38-42a9-82b2-d6b2cf179123' with object id '1236b86a-0d38-42a9-82b2-d6b2cf179123' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/0e0cabfc-d380-4546-8c1c-9faa9454376d' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: 9:24:26 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
New-AzManagementGroupSubscription : The client '1236b86a-0d38-42a9-82b2-d6b2cf179123' with object id '1236b86a-0d38-42a9-82b2-d6b2cf179123' does not have authorization to perform action 'Microsoft.Management/register/action' over scope
'/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc' or the scope is invalid. If access was recently granted, please refresh your credentials.
At line:1 char:1
+ New-AzManagementGroupSubscription -GroupName $MGID -SubscriptionId $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzManagementGroupSubscription], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.ManagementGroups.NewAzureRmManagementGroupSubscription
DEBUG: 9:24:27 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 9:24:27 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Resources:6.6.1; CommandName: New-AzManagementGroupSubscription; PSVersion: 5.1.22621.1778; IsSuccess: False; Duration: 00:00:04.8117184; Exception: The client '1236b86a-0d38-42a9-82b2-d6b2cf179123' with object id '1236b86a-0d38-42a9-82b2-d6b2cf179123' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/abccabfc-d380-4546-8c1c-9faa94543abc' or the scope is invalid. If access was recently granted, please refresh your credentials.;
DEBUG: 9:24:27 AM - NewAzureRmManagementGroupSubscription end processing.
Environment data
PS C:\Users\kwill> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.22621.1778
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.1778
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
PS C:\Users\kwill> Get-Module Az*
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 2.12.2 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script 4.9.2 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}
Script 0.12.0 Az.ResourceGraph {Search-AzGraph, Get-AzResourceGraphQuery, New-AzResourceGraphQuery, Remove-AzResourceGraphQuery...}
Script 6.6.1 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment...}
Script 1.4.0 Az.Security {Add-AzSecurityAdaptiveNetworkHardening, Add-AzSecuritySqlVulnerabilityAssessmentBaseline, Confirm-AzSecurityAutomation, Disable-AzIotSecurityAnalyticsAggregatedAlert...}
Error output
PS C:\Users\kwill> Resolve-AzError
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
HistoryId: 10
RequestId :
Message : The client '1416b86a-0d38-42a9-82b2-d6b2cf17954d' with object id '1416b86a-0d38-42a9-82b2-d6b2cf17954d' does not have authorization to perform action 'Microsoft.Management/register/action' over scope
'/subscriptions/0e0cabfc-d380-4546-8c1c-9faa9454376d' or the scope is invalid. If access was recently granted, please refresh your credentials.
ServerMessage :
ServerResponse :
RequestMessage :
InvocationInfo : {New-AzManagementGroupSubscription}
Line : New-AzManagementGroupSubscription -GroupName $MGID -SubscriptionId $SubId -Debug
Position : At line:1 char:1
+ New-AzManagementGroupSubscription -GroupName $MGID -SubscriptionId $S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace : at Microsoft.Azure.Commands.Resources.ManagementGroups.Common.AzureManagementGroupsCmdletBase.PreregisterSubscription(String subscriptionId)
at Microsoft.Azure.Commands.Resources.ManagementGroups.NewAzureRmManagementGroupSubscription.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HistoryId : 10
This is still the case. The AzManagementGroup commands fail if the current context is set on a subscription where the principal does not have sufficient access.
FYI, until this bug is fixed, you can work around it with:
# $InputObject is expected to carry ManagementGroupId and SubscriptionId properties
$APIPath = "/providers/Microsoft.Management/managementGroups/$($InputObject.ManagementGroupId)/subscriptions/$($InputObject.SubscriptionId)?api-version=2020-05-01"
Write-Information "Calling REST API $APIPath"
$APIResponse = Invoke-AzRestMethod -Method PUT -Path $APIPath
# Invoke-AzRestMethod returns the HTTP response instead of throwing on 4xx/5xx, so check the status code
if ($APIResponse.StatusCode -ge 400) { throw "Subscription move failed (HTTP $($APIResponse.StatusCode)): $($APIResponse.Content)" }
Looks like this is the same for Get-AzManagementGroup. When will this bug be fixed? This issue is almost a year old.
I'm having this issue also with an account that just has reader role to the root tenant group, and just needs to read the management group structure.
How about an ETA on a fix?
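As an added example (not code from the issue, from the Az.Resources module, or from any commenter), the following PowerShell wrapper covers both the move workaround above and the Get-AzManagementGroup case: it talks only to the management-group REST paths through Invoke-AzRestMethod, so the Microsoft.Management/register/action call on the subscription is never attempted, and it surfaces ARM's error code instead of a silent non-throwing response. It assumes an Az context is already established (Connect-AzAccount) and that the 2020-05-01 response shapes (`properties.parent.id`, `$expand=children`) are as described in the ARM REST reference; the management group and subscription IDs in the usage lines are placeholders.

```powershell
# Added example, not part of the Az.Resources module. Assumes Az.Accounts is loaded
# and Connect-AzAccount has already run.
$ApiVersion = '2020-05-01'   # API version used by the workaround in this thread

function Invoke-MgRest {
    param(
        [Parameter(Mandatory)][ValidateSet('GET', 'PUT', 'DELETE')][string]$Method,
        [Parameter(Mandatory)][string]$Path
    )
    $resp = Invoke-AzRestMethod -Method $Method -Path $Path
    # Invoke-AzRestMethod returns the HTTP response rather than throwing on 4xx/5xx,
    # so surface ARM's error code (e.g. AuthorizationFailed) explicitly.
    if ($resp.StatusCode -ge 400) {
        $detail = $null
        try { $detail = ($resp.Content | ConvertFrom-Json).error } catch { }
        $code = if ($detail) { $detail.code } else { "HTTP $($resp.StatusCode)" }
        $msg  = if ($detail) { $detail.message } else { $resp.Content }
        throw "$Method $Path failed with ${code}: $msg"
    }
    if ([string]::IsNullOrWhiteSpace($resp.Content)) { return $null }
    return $resp.Content | ConvertFrom-Json
}

function Get-MgViaRest {
    # Read-only equivalent of Get-AzManagementGroup -GroupId ... -Expand: a principal with
    # only Reader on the management group hierarchy can call it, and no subscription-scoped
    # provider registration is involved.
    param([Parameter(Mandatory)][string]$ManagementGroupId)
    $path = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId" +
            "?api-version=$ApiVersion&`$expand=children"
    Invoke-MgRest -Method GET -Path $path
}

function Move-SubscriptionToMgViaRest {
    # Equivalent of New-AzManagementGroupSubscription minus the PreregisterSubscription step.
    param(
        [Parameter(Mandatory)][string]$ManagementGroupId,
        [Parameter(Mandatory)][string]$SubscriptionId
    )
    $path = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId" +
            "/subscriptions/${SubscriptionId}?api-version=$ApiVersion"
    $null = Invoke-MgRest -Method PUT -Path $path
    # Verify the move by reading the association back rather than trusting the PUT alone.
    $state = Invoke-MgRest -Method GET -Path $path
    if ($state.properties.parent.id -notlike "*/managementGroups/$ManagementGroupId") {
        throw "Subscription $SubscriptionId is not reported under $ManagementGroupId after the move"
    }
    return $state
}

# Usage (placeholder IDs):
# Get-MgViaRest -ManagementGroupId 'mg-placeholder' | Select-Object -ExpandProperty properties
# Move-SubscriptionToMgViaRest -ManagementGroupId 'mg-placeholder' -SubscriptionId '00000000-0000-0000-0000-000000000000'
```

If the PUT is denied, the thrown message carries ARM's own error code and text, which makes a genuine missing permission on the management group distinguishable from the spurious register/action failure this issue describes.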