Azure / azure-cli

Azure Command-Line Interface
MIT License

Can't add managed identity to aad group with error "ServicePrincipal cannot be added to Unified Groups." #29097

Closed dylanw-oss closed 5 months ago

dylanw-oss commented 5 months ago

Describe the bug

I created an AAD group with Azure CLI:

```
az ad group create --display-name mygroup --mail-nickname mygroup
```

Trying to add a managed identity to it (using the managed identity's principal (object) id), I got this error message:

```
az ad group member add --group mygroup --member-id xxxxx-xxxx-...
Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group
```

What's a "unified group"? How can I add a managed identity to an AAD group?

Related command

`az ad group member add`

Errors

```
Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group
```

Issue script & Debug output

```
az ad group member add --group mygroup --member-id xxxxx-xxxx-... ...
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Request_BadRequest","message":"Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group","details":[{"code":"InvalidValue","message":"Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group","target":"membersWithLicenseErrors.members"}],"innerError":{"date":"2024-06-05T04:41:49","request-id":"dd1910ea-e1c1-4099-9598-b93ab91293a8","client-request-id":"dd1910ea-e1c1-4099-9598-b93ab91293a8"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1007, in send_raw_request
azure.cli.core.azclierror.HTTPError: Bad Request({"error":{"code":"Request_BadRequest","message":"Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group","details":[{"code":"InvalidValue","message":"Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group","target":"membersWithLicenseErrors.members"}],"innerError":{"date":"2024-06-05T04:41:49","request-id":"dd1910ea-e1c1-4099-9598-b93ab91293a8","client-request-id":"dd1910ea-e1c1-4099-9598-b93ab91293a8"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1969, in add_group_member
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 284, in group_member_add
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 723, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/commands.py", line 50, in graph_err_handler
knack.util.CLIError: Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group

cli.azure.cli.core.azclierror: Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group
az_command_data_logger: Directory object type: ServicePrincipal cannot be added to Unified Groups. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03F71938>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 2.276 seconds (init: 0.616, invoke: 1.660)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3788 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\haiwa\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
```

Expected behavior

The managed identity can be successfully added to the AAD group, or the output gives more details about the error and possible solutions.

Environment Summary

```
azure-cli                         2.58.0 *

core                              2.58.0 *
telemetry                          1.1.0

Dependencies:
msal                              1.26.0
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\haiwa\.azure\cliextensions'

Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec  4 2023, 19:13:08) [MSC v.1937 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal
```

Additional context

No response

azure-client-tools-bot-prd[bot] commented 5 months ago

Hi @dylanw-oss,

2.58.0 is not the latest Azure CLI (2.61.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

dylanw-oss commented 5 months ago

I'm not sure how Luke did it: https://github.com/MicrosoftDocs/azure-docs/issues/63602#issuecomment-705484246

dylanw-oss commented 5 months ago

> Hi @dylanw-oss,
>
> 2.58.0 is not the latest Azure CLI (2.61.0).
>
> If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

Same error after upgrade.

jiasli commented 5 months ago

The `az ad group member add` command internally calls the Add members API. For Microsoft Graph service questions, it is recommended to contact Microsoft Graph customer support.
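The rejection in this issue comes from Microsoft Graph, not from the CLI: a group whose `groupTypes` contains `"Unified"` is a Microsoft 365 group, and Graph only accepts users as members of those, while security groups also accept service principals (which is what a managed identity is). The following pre-flight check, an added example that is not part of the issue or of azure-cli, classifies a group from the JSON that `az ad group show` prints and only then builds the `members/$ref` request body the Add members API expects; the group JSON and object ids below are constructed samples.

```python
import json

# Constructed sample output in the shape printed by `az ad group show`
# (not taken from the issue; the ids are placeholders).
SECURITY_GROUP = json.dumps({
    "id": "11111111-1111-1111-1111-111111111111", "displayName": "mygroup",
    "groupTypes": [], "mailEnabled": False, "securityEnabled": True})
M365_GROUP = json.dumps({
    "id": "22222222-2222-2222-2222-222222222222", "displayName": "mygroup",
    "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": False})

# Member object types Microsoft Graph accepts for each group kind.
ALLOWED_MEMBER_TYPES = {
    "security": {"user", "group", "servicePrincipal", "device", "orgContact"},
    "microsoft365": {"user"},  # a "Unified" group takes only user members
}


def group_kind(group_json: str) -> str:
    """Classify a group the way Graph does: 'Unified' in groupTypes marks a
    Microsoft 365 group; a securityEnabled group without it is a security
    group; anything else (e.g. a plain distribution list) is 'other'."""
    group = json.loads(group_json)
    if "Unified" in (group.get("groupTypes") or []):
        return "microsoft365"
    if group.get("securityEnabled"):
        return "security"
    return "other"


def preflight_add_member(group_json: str, member_id: str, member_type: str) -> dict:
    """Return the POST body for /groups/{id}/members/$ref when Graph would
    accept the member, otherwise a dict explaining why it would be rejected
    (the same condition behind 'cannot be added to Unified Groups')."""
    kind = group_kind(group_json)
    allowed = ALLOWED_MEMBER_TYPES.get(kind, set())
    if member_type not in allowed:
        return {"ok": False, "groupKind": kind,
                "reason": f"{member_type} cannot be a member of a {kind} group; "
                          f"allowed member types: {sorted(allowed)}"}
    return {"ok": True, "groupKind": kind,
            "body": {"@odata.id":
                     f"https://graph.microsoft.com/v1.0/directoryObjects/{member_id}"}}


if __name__ == "__main__":
    # A managed identity is a servicePrincipal: refused for the M365 group,
    # accepted for the security group.
    print(preflight_add_member(M365_GROUP, "mi-object-id", "servicePrincipal"))
    print(preflight_add_member(SECURITY_GROUP, "mi-object-id", "servicePrincipal"))
```

In practice feed it the output of `az ad group show --group <name>`; when the check reports `microsoft365`, the fix is to create a security group (no `"Unified"` in `groupTypes`) rather than to retry the add.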