Azure / azure-cli

Azure Command-Line Interface
MIT License

"az ad sp create-for-rbac" does not support scope management group #15951

Open fawohlsc opened 3 years ago

fawohlsc commented 3 years ago

Describe the bug

az ad sp create-for-rbac does not support scoping to a management group and fails with the error Subscription 'Microsoft.Management' not found.

To Reproduce

az ad sp create-for-rbac --name "<MANAGEMENT_GROUP_NAME>-Contributor" --role "Contributor" --scopes /providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_NAME> --sdk-auth --debug

After this Azure API Request...

PUT /providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<ROLE_ASSIGNMENT_ID>?api-version=2020-04-01-preview HTTP/1.1

... you will see the following error message:

azure.cli.core.util.handle_exception is called with an exception:
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 215, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 654, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 709, in _run_job
    cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 69, in graph_err_handler
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 688, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 325, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 784, in default_command_handler
    return op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1507, in create_service_principal_for_rbac
    app_id, password, cert_file)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 714, in get_sp_auth_info
    account = self.get_subscription(subscription_id)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 511, in get_subscription
    "Check the spelling and casing and try again.".format(subscription))
knack.util.CLIError: Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.

cli.azure.cli.core.azclierror : Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.
Subscription 'Microsoft.Management' not found. Check the spelling and casing and try again.

Side note: and masked for security concerns.

Expected behavior

Successful creation and role assignment of service principal to management group incl. output of the JSON with client ID and client secret - just like for subscriptions.

Environment summary

Azure Cloud Shell with Azure CLI 2.14.0
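Added illustration (not part of the original report and not azure-cli's code): the error text matches what a positional parse of the --scopes value would yield, because the third path segment of a management-group scope is Microsoft.Management. The sketch below assumes that cause, uses hypothetical function names and constructed sample scopes, and classifies the scope first so that no subscription lookup is attempted for a management group.

```python
import re

# Scope shapes used by Azure RBAC; matching is case-insensitive.
_MG = re.compile(r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)$", re.I)
_SUB = re.compile(r"^/subscriptions/(?P<sub>[^/]+)(?P<rest>/.+)?$", re.I)
_RG = re.compile(r"^/resourceGroups/(?P<rg>[^/]+)$", re.I)


def naive_subscription_id(scope):
    """Positional parse: only correct when the scope starts with /subscriptions/<id>."""
    return scope.split("/")[2]


def classify_scope(scope):
    """Return (kind, subscription_id_or_None, name) for an RBAC scope string.

    Hypothetical helper. Raises ValueError for anything that is not a
    management-group, subscription, resource-group or resource scope.
    """
    s = scope.rstrip("/")
    m = _MG.match(s)
    if m:
        # A management group sits above subscriptions: there is no subscription id.
        return ("management_group", None, m.group("mg"))
    m = _SUB.match(s)
    if m:
        sub, rest = m.group("sub"), m.group("rest")
        if rest is None:
            return ("subscription", sub, sub)
        rg = _RG.match(rest)
        if rg:
            return ("resource_group", sub, rg.group("rg"))
        return ("resource", sub, s)
    raise ValueError("unrecognized RBAC scope: %r" % scope)


# Constructed sample scopes (placeholder names and GUID, not values from the issue).
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_MG_SCOPE = "/providers/Microsoft.Management/managementGroups/mg-example"
SAMPLE_RG_SCOPE = "/subscriptions/%s/resourceGroups/rg-example" % SAMPLE_SUB

if __name__ == "__main__":
    for scope in (SAMPLE_MG_SCOPE, "/subscriptions/" + SAMPLE_SUB, SAMPLE_RG_SCOPE):
        print(scope)
        print("  naive subscription id:", naive_subscription_id(scope))
        print("  classified:           ", classify_scope(scope))
```
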

yonzhan commented 3 years ago

az ad

the-chad-at-ms commented 2 years ago

This issue is still open and I have come across it today with a customer. Any plans to resolve this issue or is it still in the backlog?