Import-AzBlueprintWithArtifact fails with "Object reference not set to an instance of an object" if executed for a tenant with no subscriptions (or if no subscription is available in the context)

[mgaufman]

Description

I'm trying to create a blueprint in a fresh tenant with no subscriptions associated with it yet. It works fine in the portal but Az.Blueprint cmdlets fail (not just Import-AzBlueprintWithArtifact but also New-AzBlueprint). Authentication is performed with a service principal though I've tried with a regular user with the same result. The same cmdlets work fine for another tenant with a subscription associated to it.

Steps to reproduce

1. Create or use a tenant with no subscriptions associated to it. Another option is to use a service principal or a user having no role assignments to existing subscriptions within the tenant (Get-AzContext will show no subscription in the output - see below).
2. Authenticate to Azure (e.g. with Login-AzAccount).
3. Run Import-AzBlueprintWithArtifact or New-AzBlueprint (even fake parameter values are sufficient for this repro as the cmdlets fail before verifying that parameters are valid).

Environment data

PS C:\Current\Repro> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.628
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.628
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Current\Repro> Get-AzContext

Name                                     Account                            SubscriptionName                   Environment                        TenantId
----                                     -------                            ----------------                   -----------                        --------
6403b9e7-710d-43cb-a9e9-cb8d446174fa ... df05ee65-2d30-4670-8f08-b118ec9...                                    AzureCloud                         6403b9e7-710d-43cb-a9e9-cb8d44...

Module versions

PS C:\Current\Repro> get-module -listavailable -Name Az.Accounts

    Directory: C:\Users\MGaufman\Documents\WindowsPowerShell\Modules

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.7.2      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave...}
Script     1.7.1      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave...}
Script     1.6.4      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave...}
Script     1.3.0      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave...}

PS C:\Current\Repro> get-module -listavailable -Name Az.Blueprint

    Directory: C:\Users\MGaufman\Documents\WindowsPowerShell\Modules

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     0.2.10     Az.Blueprint                        {Get-AzBlueprint, Get-AzBlueprintAssignment, New-AzBlueprintAssignment, Remove-AzBlueprintAssignment...}

PS C:\Current\Repro> get-module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.7.2      Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount...}
Script     0.2.10     Az.Blueprint                        {Export-AzBlueprintWithArtifact, Get-AzBlueprint, Get-AzBlueprintArtifact, Get-AzBlueprintAssignment...}
Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest   3.0.0.0    Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString, Get-Acl, Get-AuthenticodeSignature...}
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Manifest   3.0.0.0    Microsoft.WSMan.Management          {Connect-WSMan, Disable-WSManCredSSP, Disconnect-WSMan, Enable-WSManCredSSP...}
Script     2.0.0      PSReadline                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PSReadLineKeyHandler, Set-PSReadLineKeyHandler...}

Debug output

PS C:\current\Repro> Import-AzBlueprintWithArtifact -Name "bp" -ManagementGroupId "6403b9e7-710d-43cb-a9e9-cb8d446174fa" -InputPath  "bpdef"
DEBUG: 15:20:26 - ImportAzureRmBlueprint begin processing with ParameterSet 'ImportBlueprint'.
DEBUG: 15:20:26 - using account id 'df05ee65-2d30-4670-8f08-b118ec938b04'...
Import-AzBlueprintWithArtifact : Object reference not set to an instance of an object.
At line:1 char:1
+ Import-AzBlueprintWithArtifact -Name "bp" -ManagementGroupId "6403b9e ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Import-AzBlueprintWithArtifact], NullReferenceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Blueprint.Cmdlets.ImportAzureRmBlueprint

DEBUG: 15:20:27 - ImportAzureRmBlueprint end processing.

Error output

PS C:\current\Repro> Resolve-AzError
DEBUG: 15:20:52 - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 15:20:52 - using account id 'df05ee65-2d30-4670-8f08-b118ec938b04'...
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING:  - The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.

WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

   HistoryId: 3

Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.Blueprint.Cmdlets.ImportAzureRmBlueprint.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Import-AzBlueprintWithArtifact}
Line           : Import-AzBlueprintWithArtifact -Name "bp" -ManagementGroupId "6403b9e7-710d-43cb-a9e9-cb8d446174fa" -InputPath  "bpdef"
Position       : At line:1 char:1
                 + Import-AzBlueprintWithArtifact -Name "bp" -ManagementGroupId "6403b9e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 3

DEBUG: 15:20:52 - ResolveError end processing.

[dingmeng-xue]

This is a known limitation that subscription is required in Azure PowerShell. We will consider how to support your case.

[mgaufman]

Hi,

Any updates/workarounds please? My customer is going to provision a number of tenants in an automated manner and this limitation is quite annoying as it breaks or complicates the whole provisioning workflow.

Thank you.

[artisticcheese]

It's impossible to use Azure DevOps tasks for blueprint assignments at Management Group Level due to this bug, is it being worked on?