Describe the bug
az ad sp create-for-rbac does not support scoping to management group and fails with error Subscription 'Microsoft.Management' not found.
To Reproduce
az ad sp create-for-rbac --name "<MANAGEMENT_GROUP_NAME>-Contributor" --role "Contributor" --scopes /providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_NAME> --sdk-auth --debug
After this Azure API Request...
PUT /providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<ROLE_ASSIGNMENT_ID>?api-version=2020-04-01-preview HTTP/1.1
... you will see the following error message:
azure.cli.core.util.handle_exception is called with an exception:
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 215, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 654, in execute
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 709, in _run_job
cmd_copy.exception_handler(ex)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 688, in _run_job
result = cmd_copy(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 325, in __call__
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 784, in default_command_handler
return op(**command_args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1507, in create_service_principal_for_rbac
app_id, password, cert_file)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 714, in get_sp_auth_info
account = self.get_subscription(subscription_id)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 511, in get_subscription
"Check the spelling and casing and try again.".format(subscription))
knack.util.CLIError: Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.
cli.azure.cli.core.azclierror : Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.
Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.
Side note: <MANAGEMENT_GROUP_NAME> and <ROLE_ASSIGNMENT_ID> masked for security concerns.
Expected behavior
Successful creation and role assignment of service principal to management group incl. output of the JSON with client ID and client secret - just like for subscriptions.
Environment summary
Azure Cloud Shell with Azure CLI 2.14.0
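
The following is an added example, not part of the original report and not Azure CLI source code. It assumes the subscription ID is read positionally from the scope string, which is consistent with the 'Microsoft.Management' value in the error above but is not confirmed by the page, and contrasts that with a parser that classifies the scope type first. The GUID, resource group and management group names are constructed placeholders.

```python
import re

# Constructed sample scopes; the GUID and names are placeholders, not real resources.
SUB_ID = "00000000-0000-0000-0000-000000000000"
SCOPES = [
    f"/subscriptions/{SUB_ID}",
    f"/subscriptions/{SUB_ID}/resourceGroups/example-rg",
    "/providers/Microsoft.Management/managementGroups/example-mg",
]

_SUB_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?(?P<rest>/.*)?$", re.IGNORECASE)
_MG_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)$",
    re.IGNORECASE)


def naive_subscription_id(scope):
    """Assumed positional lookup: third '/'-separated element of the scope."""
    return scope.split("/")[2]


def classify_scope(scope):
    """Return (kind, subscription_id or None, name or None) for an ARM scope."""
    m = _MG_RE.match(scope)
    if m:
        # Management groups sit above subscriptions: there is no subscription ID.
        return ("managementGroup", None, m.group("mg"))
    m = _SUB_RE.match(scope)
    if m:
        if m.group("rest"):
            return ("resource", m.group("sub"), m.group("rg"))
        if m.group("rg"):
            return ("resourceGroup", m.group("sub"), m.group("rg"))
        return ("subscription", m.group("sub"), None)
    raise ValueError(f"unrecognized scope: {scope!r}")


if __name__ == "__main__":
    for s in SCOPES:
        print(f"{s}\n  positional: {naive_subscription_id(s)!r}"
              f"\n  classified: {classify_scope(s)}")
```

A caller that builds subscription-bound output can check for a None subscription ID and handle management group scopes separately instead of looking up a subscription that does not exist.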