New-AzADServicePrincipal is able to create a new SP even when user has no write permissions

[danybeam]

Description

New-AzADServicePrincipal is able to create a new SP even when user has no write permissions (i.e.: Reader role) This bug doesn't seem to be directly reproduceable from portal.azure.com nor through AzureCLI in bash/cmd

Steps to reproduce

$sp = New-AzADServicePrincipal -DisplayName fooPS1 -Role Contributor -Scope  /subscriptions/<GUID>/resourceGroups/<RG>

it is not subscription or resource group specific

Environment data

Local Terminal:
Name                           Value
----                           -----
PSVersion                      6.2.3
PSEdition                      Core
GitCommitId                    6.2.3
OS                             Microsoft Windows 10.0.18363
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

this is also not OS nor Platform specific, it's also reproduced in the azure portal cloudshell.

Module versions

ModuleType Version    Name                                PSEdition ExportedCommands
---------- -------    ----                                --------- ----------------
Script     3.3.0      Az                                  Core,Desk
Script     1.7.0      Az.Accounts                         Core,Desk {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave…}
Script     1.1.1      Az.Advisor                          Core,Desk {Get-AzAdvisorRecommendation, Enable-AzAdvisorRecommendation, Disable-AzAdvisorRecommendation, Get-AzAdvisorConfiguration…}
Script     1.0.3      Az.Aks                              Core,Desk {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAksCredential…}
Script     1.1.2      Az.AnalysisServices                 Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnalysisServicesServer, Get-AzAnalysisServicesServer, Remove-AzAnalysisServicesServer…}
Script     1.3.3      Az.ApiManagement                    Core,Desk {Add-AzApiManagementApiToProduct, Add-AzApiManagementProductToGroup, Add-AzApiManagementRegion, Add-AzApiManagementUserToGroup…}
Script     1.0.3      Az.ApplicationInsights              Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsights, Remove-AzApplicationInsights, Set-AzApplicationInsightsPricingPlan…}
Script     1.3.5      Az.Automation                       Core,Desk {Get-AzAutomationHybridWorkerGroup, Remove-AzAutomationHybridWorkerGroup, Get-AzAutomationJobOutputRecord, Import-AzAutomationDscNodeConfig… Script     2.0.2      Az.Batch                            Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-AzBatchAccountKey, New-AzBatchAccount…}
Script     1.0.2      Az.Billing                          Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-AzEnrollmentAccount, Get-AzConsumptionBudget…}
Script     1.4.2      Az.Cdn                              Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzCdnProfile, Remove-AzCdnProfile…}
Script     1.2.2      Az.CognitiveServices                Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveServicesAccountKey, Get-AzCognitiveServicesAccountSku, Get-AzCognitiveServicesAccountType…}  Script     3.3.0      Az.Compute                          Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, New-AzAvailabilitySet, Update-AzAvailabilitySet…}
Script     1.0.3      Az.ContainerInstance                Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remove-AzContainerGroup, Get-AzContainerInstanceLog}
Script     1.1.1      Az.ContainerRegistry                Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry, Update-AzContainerRegistry, Remove-AzContainerRegistry…}
Script     1.1.0      Az.DataBoxEdge                      Core,Desk {Get-AzDataBoxEdgeJob, Get-AzDataBoxEdgeDevice, Invoke-AzDataBoxEdgeDevice, New-AzDataBoxEdgeDevice…}
Script     1.6.0      Az.DataFactory                      Core,Desk {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-AzDataFactoryV2, Remove-AzDataFactoryV2…}
Script     1.0.2      Az.DataLakeAnalytics                Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLakeAnalyticsCatalogCredential, Remove-AzDataLakeAnalyticsCatalogCredential, Set-AzDataLakeAn… Script     1.2.6      Az.DataLakeStore                    Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreFirewallRule, Set-AzDataLakeStoreTrus… Script     1.0.2      Az.DeploymentManager                Core,Desk {Get-AzDeploymentManagerArtifactSource, New-AzDeploymentManagerArtifactSource, Set-AzDeploymentManagerArtifactSource, Remove-AzDeploymentMa…
Script     1.0.2      Az.DevTestLabs                      Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutdownPolicy, Get-AzDtlAutoStartPolicy, Get-AzDtlVMsPerLabPolicy…}
Script     1.1.2      Az.Dns                              Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove-AzDnsRecordSet, Set-AzDnsRecordSet…}
Script     1.2.3      Az.EventGrid                        Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-AzEventGridTopic, New-AzEventGridTopicKey…}
Script     1.4.3      Az.EventHub                         Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace, Set-AzEventHubNamespace, Remove-AzEventHubNamespace…}
Script     1.3.0      Az.FrontDoor                        Core,Desk {New-AzFrontDoor, Get-AzFrontDoor, Set-AzFrontDoor, Remove-AzFrontDoor…}
Script     3.0.2      Az.HDInsight                        Core,Desk {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefinition, Wait-AzHDInsightJob, New-AzHDInsightStreamingMapReduceJobDefinition…}
Script     1.0.1      Az.HealthcareApis                   Core,Desk {New-AzHealthcareApisService, Remove-AzHealthcareApisService, Set-AzHealthcareApisService, Get-AzHealthcareApisService}
Script     2.0.1      Az.IotHub                           Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGroup, Get-AzIotHubConnectionString, Get-AzIotHubJob…}
Script     1.4.0      Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCertificate, Stop-AzKeyVaultCertificateOperation, Get-AzKeyVaultCertificateOperation…}
Script     1.3.2      Az.LogicApp                         Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegrationAccountAssembly, Get-AzIntegrationAccountBatchConfiguration, Get-AzIntegrationAccountC… Script     1.1.3      Az.MachineLearning                  Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitmentAssociation, Get-AzMlCommitmentPlanUsageHistory, Remove-AzMlCommitmentPlan…}
Script     1.0.2      Az.ManagedServices                  Core,Desk {Get-AzManagedServicesAssignment, New-AzManagedServicesAssignment, Remove-AzManagedServicesAssignment, Get-AzManagedServicesDefinition…}
Script     1.0.2      Az.MarketplaceOrdering              Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script     1.1.1      Az.Media                            Core,Desk {Sync-AzMediaServiceStorageKey, Set-AzMediaServiceKey, Get-AzMediaServiceKey, Get-AzMediaServiceNameAvailability…}
Script     1.5.0      Az.Monitor                          Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLogProfile, Get-AzLogProfile…}
Script     2.2.1      Az.Network                          Core,Desk {Add-AzApplicationGatewayAuthenticationCertificate, Get-AzApplicationGatewayAuthenticationCertificate, New-AzApplicationGatewayAuthenticati…
Script     1.1.1      Az.NotificationHubs                 Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAuthorizationRule, Get-AzNotificationHubListKey, Get-AzNotificationHubPNSCredential…}
Script     1.3.4      Az.OperationalInsights              Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSource, New-AzOperationalInsightsCustomLogDataSource, Disable-AzOperationalInsightsLinuxCusto… Script     1.1.4      Az.PolicyInsights                   Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolicyStateSummary, Get-AzPolicyRemediation…}
Script     1.1.1      Az.PowerBIEmbedded                  Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollectionAccessKey, Get-AzPowerBIWorkspace…}  Script     1.0.2      Az.PrivateDns                       Core,Desk {Get-AzPrivateDnsZone, Remove-AzPrivateDnsZone, Set-AzPrivateDnsZone, New-AzPrivateDnsZone…}
Script     2.4.0      Az.RecoveryServices                 Core,Desk {Get-AzRecoveryServicesBackupProperty, Get-AzRecoveryServicesVault, Get-AzRecoveryServicesVaultSettingsFile, New-AzRecoveryServicesVault…}   Script     1.2.1      Az.RedisCache                       Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCacheScheduleEntry, Get-AzRedisCachePatchSchedule, New-AzRedisCachePatchSchedule…}
Script     1.0.3      Az.Relay                            Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-AzRelayNamespace, Remove-AzRelayNamespace…}
Script     1.9.1      Az.Resources                        Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment, Get-AzRoleAssignment, New-AzRoleAssignment…}
Script     1.4.1      Az.ServiceBus                       Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNamespace, Set-AzServiceBusNamespace, Remove-AzServiceBusNamespace…}
Script     2.0.1      Az.ServiceFabric                    Core,Desk {Add-AzServiceFabricClientCertificate, Add-AzServiceFabricClusterCertificate, Add-AzServiceFabricNode, Add-AzServiceFabricNodeType…}
Script     1.1.1      Az.SignalR                          Core,Desk {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, New-AzSignalRKey…}
Script     2.1.2      Az.Sql                              Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlDatabaseTransparentDataEncryptionActivity, Set-AzSqlDatabaseTransparentDataEncryption… Script     1.0.2      Az.SqlVirtualMachine                Core,Desk {New-AzSqlVM, Get-AzSqlVM, Update-AzSqlVM, Remove-AzSqlVM…}
Script     1.11.0     Az.Storage                          Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, New-AzStorageAccount, New-AzStorageAccountKey…}
Script     1.2.2      Az.StorageSync                      Core,Desk {Invoke-AzStorageSyncCompatibilityCheck, New-AzStorageSyncService, Get-AzStorageSyncService, Remove-AzStorageSyncService…}
Script     1.0.1      Az.StreamAnalytics                  Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyticsDefaultFunctionDefinition, New-AzStreamAnalyticsFunction, Remove-AzStreamAnalyticsFunc… Script     1.0.3      Az.TrafficManager                   Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remove-AzTrafficManagerCustomHeaderFromEndpoint, Add-AzTrafficManagerCustomHeaderToProfile, Re… Script     1.5.1      Az.Websites                         Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-AzAppServicePlan, Remove-AzAppServicePlan…}

Debug output

DEBUG: 3:06:27 PM - NewAzureADServicePrincipalCommand begin processing with ParameterSet 'SimpleParameterSet'.
DEBUG: 3:06:27 PM - using account id 'daorozco_testuser@rbacclitest.onmicrosoft.com'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://graph.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4572984Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4574082Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4574750Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition started:
        CacheType: null
        Authentication Target: User
        , Authority Host: login.microsoftonline.com

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4575222Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition started:
        Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
        Resource: https://graph.windows.net/
        ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
        CacheType: null
        Authentication Target: User

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4576866Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4577642Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4642048Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4643919Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4644671Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4646004Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4646526Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4647611Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: 37.9850207433333 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4648198Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: 37.9850207433333 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4648698Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4649173Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4650195Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00

DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4650750Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00Access Token Hash: YxX7q+O+G4zf6tvSXCdduNzGh4xmGyFxuBJr9HLanms=
         User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:44:26 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:44:26 +00:00' Comparing to '01/16/2020 23:06:27 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:59.0880548'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/applications?api-version=1.6

Headers:
x-ms-client-request-id        : 9111a435-a5ea-44eb-afcf-62fd4f5d04f9
Accept-Language               : en-US

Body:
{
  "availableToOtherTenants": false,
  "displayName": "daorozco_DebugRequest_1",
  "homepage": "http://daorozco_DebugRequest_1",
  "identifierUris": [
    "http://daorozco_DebugRequest_1"
  ],
  "passwordCredentials": [
    {
      "startDate": "2020-01-16T23:06:27.4566428Z",
      "endDate": "2021-01-16T23:06:27.4566428Z",
      "keyId": "e6086993-1af9-4465-99fd-fe3cc36aa622",
      "value": "601cc09d-fbba-4a00-bf37-2977e810b67b"
    }
  ]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Location                      : https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/directoryObjects/b6242fd6-4a54-4540-978d-1a080cb41b35/Microsoft.DirectoryServices.Application
ocp-aad-diagnostics-server-name: f7NL0FmTJ8JNWIfqHCIrTaLlqNjkXErDM8C/2jqzM2c=
request-id                    : 5de09276-b3d9-413d-a23d-f010d5bcb73d
client-request-id             : d02c054b-364a-4b15-b528-69c78509cfbc
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : tmlbypx9gZ3R5DUcZf4auoQmEPen3nj_SUUJ_qhCHqGXOIsGZ31dcbTP6Jz5sjIKG2TzpW5jmRf5CBzsUtB93Y961tDJ0GmYc2orIbVkAVGDIC9YfMy5J6rUJj7wANnQkCbT4laKH2P6FZEiNkygcw.JVslBlqR5ME7OesxbGQeb6yinbOIrevr0Ez13f-8EX4
DataServiceVersion            : 3.0;
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET
Duration                      : 4666376
Date                          : Thu, 16 Jan 2020 23:06:27 GMT

Body:
{
  "odata.metadata": "https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "b6242fd6-4a54-4540-978d-1a080cb41b35",
  "deletionTimestamp": null,
  "acceptMappedClaims": null,
  "addIns": [],
  "appId": "ae172156-5e7d-45e2-95de-68182d05431c",
  "applicationTemplateId": null,
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "daorozco_DebugRequest_1",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "http://daorozco_DebugRequest_1",
  "identifierUris": [
    "http://daorozco_DebugRequest_1"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "isDeviceOnlyAuthSupported": null,
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "logo@odata.mediaEditLink": "directoryObjects/b6242fd6-4a54-4540-978d-1a080cb41b35/Microsoft.DirectoryServices.Application/logo",
  "logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
  "logoUrl": null,
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access daorozco_DebugRequest_1",
      "id": "5eed8957-949d-4516-a053-aeed0f138e7d",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on your behalf.",
      "userConsentDisplayName": "Access daorozco_DebugRequest_1",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2021-01-16T23:06:27.4566428Z",
      "keyId": "e6086993-1af9-4465-99fd-fe3cc36aa622",
      "startDate": "2020-01-16T23:06:27.4566428Z",
      "value": null
    }
  ],
  "publicClient": null,
  "publisherDomain": "rbacCliTest.onmicrosoft.com",
  "recordConsentConditions": null,
  "replyUrls": [],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tokenEncryptionKeyId": null
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:44:26 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:44:26 +00:00' Comparing to '01/16/2020 23:06:28 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:58.3161756'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/servicePrincipals?api-version=1.6

Headers:
x-ms-client-request-id        : bf3de6fa-04ff-4456-bea0-e4ef1606a96c
Accept-Language               : en-US

Body:
{
  "appId": "ae172156-5e7d-45e2-95de-68182d05431c",
  "accountEnabled": true
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Location                      : https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/directoryObjects/b5bf9607-fd63-4148-b4e9-808772b88cf5/Microsoft.DirectoryServices.ServicePrincipal
ocp-aad-diagnostics-server-name: v9yI3GNQqNXz0aoNCJywTDYIqIKG+Dlb/txFx1mcpdc=
request-id                    : 66c8f749-31ac-4c93-bf03-24c18e142e9f
client-request-id             : d02c054b-364a-4b15-b528-69c78509cfbc
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : FmNtc3lCpnS9SRT5ImkEtkwKSFxKUpVtwiUK7QYgNu6kTCnsaNW2BiwOIO-2T6J5ndVsMOEcE-5y9e2-RqfRRG4OVHLMc1eWzrk3_73wjUIPfwtPGexcZaXV2SCJJrDTJEnBNXdnDMZdcZ7aumjliQ.9nmM5MArHMOtqNiZsXLUN091IotQOkLqwdTrUXGW3ao
DataServiceVersion            : 3.0;
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET
Duration                      : 2776265
Date                          : Thu, 16 Jan 2020 23:06:27 GMT

Body:
{
  "odata.metadata": "https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
  "objectType": "ServicePrincipal",
  "objectId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
  "deletionTimestamp": null,
  "accountEnabled": true,
  "addIns": [],
  "alternativeNames": [],
  "appDisplayName": "daorozco_DebugRequest_1",
  "appId": "ae172156-5e7d-45e2-95de-68182d05431c",
  "applicationTemplateId": null,
  "appOwnerTenantId": "1273adef-00a3-4086-a51a-dbcce1857d36",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "displayName": "daorozco_DebugRequest_1",
  "errorUrl": null,
  "homepage": "http://daorozco_DebugRequest_1",
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "logoutUrl": null,
  "notificationEmailAddresses": [],
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access daorozco_DebugRequest_1",
      "id": "5eed8957-949d-4516-a053-aeed0f138e7d",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on your behalf.",
      "userConsentDisplayName": "Access daorozco_DebugRequest_1",
      "value": "user_impersonation"
    }
  ],
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyEndDateTime": null,
  "preferredTokenSigningKeyThumbprint": null,
  "publisherName": "rbacCliTestDirectory",
  "replyUrls": [],
  "samlMetadataUrl": null,
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "ae172156-5e7d-45e2-95de-68182d05431c",
    "http://daorozco_DebugRequest_1"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}

WARNING: Assigning role 'Contributor' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro' to the new service principal.
DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://graph.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6204421Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6207027Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6208728Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition started:
        CacheType: null
        Authentication Target: User
        , Authority Host: login.microsoftonline.com

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6210039Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition started:
        Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
        Resource: https://graph.windows.net/
        ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
        CacheType: null
        Authentication Target: User

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6213253Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6214884Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6231298Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6234219Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6235833Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6238295Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6239536Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6241818Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: 37.8823637966667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6243825Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: 37.8823637966667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6245146Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6246345Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6248511Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6249912Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00Access Token Hash: YxX7q+O+G4zf6tvSXCdduNzGh4xmGyFxuBJr9HLanms=
         User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e

DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://management.core.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6267855Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6270257Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6272203Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition started:
        CacheType: null
        Authentication Target: User
        , Authority Host: login.microsoftonline.com

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6273619Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition started:
        Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
        Resource: https://management.core.windows.net/
        ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
        CacheType: null
        Authentication Target: User

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6276443Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6277899Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6290672Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6293280Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6294964Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6296852Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6298088Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6300200Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: 37.37816648 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6301382Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: 37.37816648 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6302553Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6303744Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6305833Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:43:56 PM +00:00

DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6307084Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:43:56 PM +00:00Access Token Hash: PqP0MBhH7rka8gRXCdFd+aklyGe1p2nmr++GYUsjY44=
         User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:33 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:22.6864781'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : 6f956002-1048-4847-9fa6-c61f5f5b79af
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : cd853fcd-3eee-447b-8484-75d8486eae34
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; SameSite=None; secure; HttpOnly
x-ms-ratelimit-remaining-subscription-reads: 11997
x-ms-correlation-request-id   : 071ce73a-52de-4f73-a289-aabf0c663a1e
x-ms-routing-request-id       : WESTUS:20200116T230633Z:071ce73a-52de-4f73-a289-aabf0c663a1e
Date                          : Thu, 16 Jan 2020 23:06:33 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:33 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:22.3464934'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/b5f70368-b0ee-402f-b7a2-d6a9bc3f4d52?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : b52ca97b-dfb7-499e-ad30-fad9419cfdae
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : 5f965048-c768-4263-b42b-84ca8f373bac
x-ms-correlation-request-id   : 5f965048-c768-4263-b42b-84ca8f373bac
x-ms-routing-request-id       : WESTUS:20200116T230633Z:5f965048-c768-4263-b42b-84ca8f373bac
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:06:33 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/b5f70368-b0ee-402f-b7a2-d6a9bc3f4d52' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:39 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:17.2925970'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : ac902528-108a-4029-9835-42de6862b895
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : 598093e4-c6c3-4733-943b-2536fd95369e
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : 02d1b06b-094d-4475-a4a7-d6430ead6629
x-ms-routing-request-id       : WESTUS:20200116T230639Z:02d1b06b-094d-4475-a4a7-d6430ead6629
Date                          : Thu, 16 Jan 2020 23:06:38 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:39 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:16.9981383'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/2917f392-0822-40ba-ab8e-42439a56d321?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : 5770efc1-2544-455a-a34e-90c7dcc3871a
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : e3f16a29-3c7b-4f57-9a98-9148ecca787f
x-ms-correlation-request-id   : e3f16a29-3c7b-4f57-9a98-9148ecca787f
x-ms-routing-request-id       : WESTUS:20200116T230639Z:e3f16a29-3c7b-4f57-9a98-9148ecca787f
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:06:38 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/2917f392-0822-40ba-ab8e-42439a56d321' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:44 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:11.9522994'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : 37509754-67c2-41db-81ba-7f891be86bd0
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : 12240c1b-0a6b-43f7-bbaa-cd5125a58371
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : 9952810b-0f41-4a28-a8b2-b3c986e18f3a
x-ms-routing-request-id       : WESTUS:20200116T230644Z:9952810b-0f41-4a28-a8b2-b3c986e18f3a
Date                          : Thu, 16 Jan 2020 23:06:43 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:44 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:11.7060263'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/d89fe1e4-c525-4ed3-8eee-62c2ee60f8f3?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : 9f7dbb18-5e8e-4fb7-8137-d9e90c4b6485
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
x-ms-correlation-request-id   : c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
x-ms-routing-request-id       : WESTUS:20200116T230644Z:c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:06:43 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/d89fe1e4-c525-4ed3-8eee-62c2ee60f8f3' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:49 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:06.6646613'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : 7752064d-7508-4c67-8d38-5434478e1b2f
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : 40964fb5-2c12-4217-8678-7f7a1de48578
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : 73c9dbd8-c72e-4202-a014-d244cd6db28e
x-ms-routing-request-id       : WESTUS:20200116T230649Z:73c9dbd8-c72e-4202-a014-d244cd6db28e
Date                          : Thu, 16 Jan 2020 23:06:49 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:50 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:06.2963031'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/84e02b06-59b3-481b-a9d8-a3edd216347d?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : 8648c879-48a4-44e0-aec6-319e86460212
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : 589a32a9-876e-4843-accc-37d6f6c6fcd0
x-ms-correlation-request-id   : 589a32a9-876e-4843-accc-37d6f6c6fcd0
x-ms-routing-request-id       : WESTUS:20200116T230650Z:589a32a9-876e-4843-accc-37d6f6c6fcd0
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:06:49 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/84e02b06-59b3-481b-a9d8-a3edd216347d' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:55 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:01.2084970'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : 773f8e6f-d42f-45bd-8b4b-520621eb9e50
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : 960381ee-6c65-4280-84e8-712dd0378b80
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : a071e1e0-9632-42af-aec4-b1581ce8f5c1
x-ms-routing-request-id       : WESTUS:20200116T230655Z:a071e1e0-9632-42af-aec4-b1581ce8f5c1
Date                          : Thu, 16 Jan 2020 23:06:54 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:55 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:00.9659768'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/ff4ae4aa-e33c-40d5-ac1c-9e2d9c2a662d?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : 1760ed42-53b1-4e83-82b0-45d1b59e9076
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : 91b81088-698d-4a73-be81-b6196ae51b87
x-ms-correlation-request-id   : 91b81088-698d-4a73-be81-b6196ae51b87
x-ms-routing-request-id       : WESTUS:20200116T230655Z:91b81088-698d-4a73-be81-b6196ae51b87
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:06:55 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/ff4ae4aa-e33c-40d5-ac1c-9e2d9c2a662d' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:07:00 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:36:55.6879879'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : c48e4a30-fd74-41d7-9245-e36afa6144b3
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-charge           : 1
x-ms-request-id               : c286d008-a6af-4041-abe2-26e931f7504d
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-correlation-request-id   : 291df1a3-e3c8-4235-8eea-6142c98e1cec
x-ms-routing-request-id       : WESTUS:20200116T230700Z:291df1a3-e3c8-4235-8eea-6142c98e1cec
Date                          : Thu, 16 Jan 2020 23:07:00 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action",
              "Microsoft.Blueprint/blueprintAssignments/write",
              "Microsoft.Blueprint/blueprintAssignments/delete"
            ],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:38.458061Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name:  , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:07:00 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:36:55.4842518'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/4876eedb-097f-48d9-9ae1-2f6938d159f7?api-version=2018-09-01-preview

Headers:
x-ms-client-request-id        : 4eba3377-f66d-4a92-aabc-afa1d3b23c35
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : dd3d727d-eedd-47b9-800f-f7657a0eac60
x-ms-correlation-request-id   : dd3d727d-eedd-47b9-800f-f7657a0eac60
x-ms-routing-request-id       : WESTUS:20200116T230700Z:dd3d727d-eedd-47b9-800f-f7657a0eac60
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 16 Jan 2020 23:07:00 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/4876eedb-097f-48d9-9ae1-2f6938d159f7' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

DEBUG: AzureQoSEvent: CommandName - New-AzADServicePrincipal; IsSuccess - True; Duration - 00:00:33.4173972; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 3:07:01 PM - NewAzureADServicePrincipalCommand end processing.
DEBUG: 3:07:01 PM - NewAzureADServicePrincipalCommand end processing.

Error output

DEBUG: 3:09:28 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 3:09:28 PM - using account id 'daorozco_testuser@rbacclitest.onmicrosoft.com'...
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING:  - The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.

WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
DEBUG: AzureQoSEvent: CommandName - Resolve-AzError; IsSuccess - True; Duration - 00:00:00.0073924; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 3:09:32 PM - ResolveError end processing.
DEBUG: 3:09:32 PM - ResolveError end processing.

[dingmeng-xue]

@danybeam , could you clarify the user's permission? Or could you create the same user for my test?

[danybeam]

If I run Get-AzureRmRoleAssignment -SignInName daorozco_testuser@rbacclitest.onmicrosoft.com

I get

RoleAssignmentId   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/cloud-shell-storage-westus/providers/Microsoft.Authorization/roleAssignments/5878bd47-0579-490a-9319-14bef14fd927
Scope              : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourcegroups/cloud-shell-storage-westus
DisplayName        : daorozco_testuser
SignInName         : daorozco_testuser@rbacclitest.onmicrosoft.com
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 11b1042e-d5b6-4f65-b308-d69565f16f1e
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/299f0cc1-8d11-4d09-8d6a-ac58fa73fc2c
Scope              : /subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro
DisplayName        : daorozco_testuser
SignInName         : daorozco_testuser@rbacclitest.onmicrosoft.com
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 11b1042e-d5b6-4f65-b308-d69565f16f1e
ObjectType         : User
CanDelegate        : False

[psignoret]

With the parameters you provided, New-AzADServicePrincipal will:

1. Create an Application object (i.e. an app registration)
2. Create a ServicePrincipal object (i.e. an instance of the app in your tenant)
3. Assign the "Contributor" role to the service principal for a resource in the Azure subscription

Step 1 and step 2 succeeded because by default, all regular users are allowed to create Application objects and their ServicePrincipal objects in Azure AD. (You could also do this in the Azure portal through Azure AD > App registrations). Step 3 failed because you are only "Reader" on the target Azure subscription, so you're not allowed to grant access to it.

A user's authorization in Azure AD (e.g. to register apps) is independent of a user's authorization in an Azure subscription. Get-AzureRmRoleAssignment will only tell you about the user's authorization in Azure subscriptions.

[danybeam]

after much examination from our part we noticed that however there's still some issues with the fact that step 3 fails silently If I need to raise another issue I will but this should not happen as the user would have no clue that they still need to assign a role to the SP

[psignoret]

Agreed, this should not fail silently.

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc

[ghost]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc