Azure / azure-cli

Azure Command-Line Interface
MIT License

Role 'Directory readers' doesn't exist. #21961

Open SSPJ opened 2 years ago

SSPJ commented 2 years ago

Describe the bug

Unable to create role assignment for Directory Readers via CLI. Was able to create via Portal.

Command Name: az role assignment create

Errors:

The specified role definition with ID '88d8e3e38f554a1e953a9b9898b8876b' does not exist.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

Role assignment is created.

Environment Summary

Linux-5.4.0-1074-azure-x86_64-with-glibc2.28 (Cloud Shell), Common Base Linux Delridge (quinault)
Python 3.8.12
Installer: DEB

azure-cli 2.35.0

Extensions:
ai-examples 0.2.5
ssh 1.0.1

Dependencies:
msal 1.17.0
azure-mgmt-resource 20.0.0

Additional Context

This happens whether I put the ID or the name, e.g. "Directory Readers".

yonzhan commented 2 years ago

@jiasli for awareness

mjfara commented 2 years ago

Any updates on this? Having the same problem.

albernhagen commented 2 years ago

I'm also encountering the same issues when using Bicep/ARM templates.

lprichar commented 1 year ago

Getting the same problem:

az role assignment create --role "Directory Readers" --assignee "[Application ID]"

Produces

Role 'Directory Readers' doesn't exist.

Same thing if I specify by id "88d8e3e3-8f55-4a1e-953a-9b9898b8876b".

Incidentally, the Directory Readers built-in role also fails to show up when I run az role definition list. Yet it shows up and works fine in the Portal.

bradj commented 1 year ago

Any update? I'm currently forced to go into the Portal to manually create these assignments.

mootalk commented 1 year ago

I'm also having this issue, unfortunately I'm not able to create this assignment via the Portal (even though I'm owner).

Any update on this? This seems to be open quite some time already.

simon-pearson commented 11 months ago

I assume this 'bug' applies to all Microsoft Entra built-in roles and not just Directory Readers?

simon-pearson commented 11 months ago

> I'm also having this issue, unfortunately I'm not able to create this assignment via the Portal (even though I'm owner).
>
> Any update on this? This seems to be open quite some time already.

Having the role Owner won't help you here, you need either Privileged Role Administrator or Global Administrator.

NWessel commented 4 months ago

This is still an issue in Bicep, trying to add a SQL Server identity to Directory Reader, but... The specified role definition with ID '88d8e3e38f554a1e953a9b9898b8876b' does not exist.
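
Added example (not from the thread or the azure-cli project): Directory Readers is a Microsoft Entra directory role, not an Azure RBAC role definition, so one way to assign it from the CLI is to call Microsoft Graph's `roleManagement/directory/roleAssignments` endpoint through `az rest`. The function names are hypothetical, and the sketch assumes the argument is the principal's object ID (not the application ID) and that the signed-in account holds Privileged Role Administrator or Global Administrator, as noted above.

```shell
#!/bin/sh
# Added example: assign the Entra "Directory Readers" role via Microsoft Graph.
# Function names are hypothetical; nothing here is azure-cli project code.

# Role template ID quoted in the thread (dashed form).
DIRECTORY_READERS_ID="88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
GRAPH_URL="https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"

# Return 0 only if $1 is a dashed GUID; the undashed form is rejected.
is_guid() {
    printf '%s' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the JSON request body for a tenant-wide ("/") assignment of
# Directory Readers to the principal whose object ID is $1.
build_assignment_body() {
    if ! is_guid "$1"; then
        echo "principal object ID must be a dashed GUID: $1" >&2
        return 1
    fi
    printf '{"principalId":"%s","roleDefinitionId":"%s","directoryScopeId":"/"}' \
        "$1" "$DIRECTORY_READERS_ID"
}

# Create the assignment. Requires a prior `az login` with an account that
# is allowed to assign directory roles.
assign_directory_readers() {
    body=$(build_assignment_body "$1") || return 1
    az rest --method POST --url "$GRAPH_URL" \
        --headers "Content-Type=application/json" --body "$body"
}

# Usage (placeholder value): assign_directory_readers "<principal-object-id>"
```
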