Azure / azure-cli

Azure Command-Line Interface
MIT License

Service principal is missing in `az ad group owner list` after upgrade to 2.37 #23951

Open floryut opened 2 years ago

floryut commented 2 years ago

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az ad group owner list

Errors: Missing service principal as owner after upgrade to azcli 2.37+

$ az ad group owner list --group c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,id]'
user1@company.com        7addc286-717c-4590-9ec9-4559d41725f9
user2@company.com        c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user3@company.com        07930e5c-a4fd-4365-a817-1fb436d7c5c3
user4@company.com        aa62e803-6966-4dff-b7f0-0772bf76b0c9
user5@company.com        df2f9469-acc3-4bf9-993e-dfa6872903fe

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

Service principal is displayed as owner before 2.37

$ az ad group owner list --group c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,objectId]'
user1@company.com        7addc286-717c-4590-9ec9-4559d41725f9
user2@company.com        c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user3@company.com        07930e5c-a4fd-4365-a817-1fb436d7c5c3
user4@company.com        aa62e803-6966-4dff-b7f0-0772bf76b0c9
user5@company.com        df2f9469-acc3-4bf9-993e-dfa6872903fe
None    1d0bb3be-f638-4b53-ac11-4ddd39e0d990

$ az version
{
  "azure-cli": "2.32.0",
  "azure-cli-core": "2.32.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "account": "0.2.2",
    "alertsmanagement": "0.2.2",
    "log-analytics": "0.2.2",
    "monitor-control-service": "0.3.0",
    "resource-graph": "2.1.0",
    "scheduled-query": "0.5.0"
  }
}

Environment Summary

Linux-4.4.0-19041-Microsoft-x86_64-with-glibc2.29, Ubuntu 20.04.4 LTS
Python 3.8.10
Installer: PIP

azure-cli 2.40.0

Extensions:
account 0.2.3
alertsmanagement 0.2.2
log-analytics 0.2.2
monitor-control-service 0.3.0
resource-graph 2.1.0
scheduled-query 0.5.1

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

Image: Group owners as displayed in Azure portal

yonzhan commented 2 years ago

@jiasli for awareness

floryut commented 2 years ago

@jiasli @yonzhan Could you confirm that it's a bug and not something I missed?

floryut commented 2 years ago

Guys? Any news, at least an answer if this is a bug or not.

jiasli commented 1 year ago

Similar to

According to List group owners API's documentation:

https://learn.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-1.0&tabs=http

Note: Currently, service principals are not listed as group owners due to the staged rollout of service principals to the Microsoft Graph v1.0 endpoint.

This is a feature gap between AD Graph and Microsoft Graph. az ad group owner list internally calls that API.

As a workaround, you may try using az rest to call beta API: https://learn.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-beta&tabs=http (though I haven't verified that myself).

floryut commented 1 year ago

@jiasli Thank you for the workaround, it's indeed working fine. I'm going to go with that while the bug is being fixed.

$ az rest --method get --url https://graph.microsoft.com/beta/groups/c40d6c92-ebf1-46ee-9fd1-99685b281394/owners | jq -r ".value | .[] | [.mail,.id] | @tsv"
user.name1@company.com     7addc286-717c-4590-9ec9-4559d41725f9
user.name2@company.com     c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
                           07930e5c-a4fd-4365-a817-1fb436d7c5c3
user.name3@company.com     aa62e803-6966-4dff-b7f0-0772bf76b0c9

versus

$ az ad group owner list -g c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,id]'
user.name1@company.com     7addc286-717c-4590-9ec9-4559d41725f9
user.name2@company.com     c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user.name3@company.com     aa62e803-6966-4dff-b7f0-0772bf76b0c9
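
An added example, not part of the original thread or of azure-cli: a small audit check that compares the owner list from `az ad group owner list -o json` with the body returned by the beta `/owners` call above and reports the owners the first listing omits. The sample JSON, GUIDs and the `ci-deployer` name are constructed, and the function names are hypothetical; the check assumes each beta entry carries Graph's `@odata.type` field.

```python
import json

# Constructed sample: `az ad group owner list -o json` output (a bare array).
V1_OWNERS = json.loads("""[
  {"id": "00000000-0000-0000-0000-0000000000a1", "mail": "user1@example.com"},
  {"id": "00000000-0000-0000-0000-0000000000a2", "mail": "user2@example.com"}
]""")

# Constructed sample: body returned by the beta /groups/<id>/owners call.
BETA_RESPONSE = json.loads("""{"value": [
  {"@odata.type": "#microsoft.graph.user",
   "id": "00000000-0000-0000-0000-0000000000A1", "mail": "user1@example.com"},
  {"@odata.type": "#microsoft.graph.servicePrincipal",
   "id": "00000000-0000-0000-0000-0000000000b1", "mail": null,
   "displayName": "ci-deployer"},
  {"@odata.type": "#microsoft.graph.user",
   "id": "00000000-0000-0000-0000-0000000000a2", "mail": "user2@example.com"}
]}""")


def owner_kind(obj):
    """Short object kind from @odata.type, e.g. 'servicePrincipal'."""
    odata_type = obj.get("@odata.type", "")
    return odata_type.rsplit(".", 1)[-1] if odata_type else "unknown"


def hidden_owners(v1_owners, beta_response):
    """Owners the beta endpoint returns that the v1.0-backed listing omits."""
    if "@odata.nextLink" in beta_response:
        # Partial page: comparing now would under-report owners.
        raise ValueError("beta response is paginated; fetch all pages first")
    listed = {o["id"].lower() for o in v1_owners}  # GUIDs compare case-insensitively
    return [
        {"id": o["id"], "kind": owner_kind(o), "displayName": o.get("displayName")}
        for o in beta_response.get("value", [])
        if o["id"].lower() not in listed
    ]


if __name__ == "__main__":
    for owner in hidden_owners(V1_OWNERS, BETA_RESPONSE):
        print(f"{owner['kind']}\t{owner['id']}\t{owner['displayName']}")
```

Any `servicePrincipal` row in the result is an owner that a review based only on `az ad group owner list` would not see.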

ncook-hxgn commented 1 year ago

Yup looks like #22664 has regressed somehow