Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzRoleAssignment returns Authorization_RequestDenied; whereas New-AzRoleAssignment and Remove-AzRoleAssignment works #12840

Open rybal06 opened 4 years ago

rybal06 commented 4 years ago

Description

This is similar to https://github.com/Azure/azure-powershell/issues/10550 possibly. I am using a service principal to manage IAM access to azure resources for which that service account is the owner.

Get-AzRoleAssignment returns Authorization_RequestDenied; whereas New-AzRoleAssignment and Remove-AzRoleAssignment work perfectly. The expected behavior is that this service principal can read and write azure AD accounts on applications it owns; but it seems it can only write.

The service principal account has the following access:

| Azure Active Directory Graph (2) | Type | Description | Admin Consent Required | Status |
| --- | --- | --- | --- | --- |
| Application.ReadWrite.OwnedBy | Application | Manage apps that this app creates or owns | Yes | Granted for "omitted tenant name" |
| Directory.Read.All | Delegated | Read directory data | Yes | Granted for "omitted tenant name" |

Steps to reproduce

  1. Create an Azure AD service principal, with the permissions above.
  2. Create an azure resource, such as an azure storage account.
  3. Grant the above service principal as an owner of the azure resource using the IAM blade in the azure portal

New-AzRoleAssignment (works)

```powershell
New-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> -ObjectId <ObjectID> -RoleDefinitionName 'Reader'
```

Get-AzRoleAssignment (fails)

```powershell
Get-AzRoleAssignment -Scope /subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>

Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
```

Environment data

```
Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Darwin 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

## Module versions

```powershell
Get-Module -ListAvailable | where name -eq Az   

    Directory: /Users/<my username>/.local/share/powershell/Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     4.6.1                 Az                                  Core,Desk
```

Debug output

```
Body:
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    },
    "requestId": "c6906c6a-13dd-4368-8c7d-c3383e75302e",
    "date": "2020-09-02T22:48:46"
  }
}

Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
```

Note, if more than this is needed please reach out and I will supply it privately.

Error output

```
Resolve-AzError -Last
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING:  - The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.

WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

   HistoryId: 449

RequestId      : 
Message        : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
ServerMessage  : :  (System.Collections.Generic.List`1[Microsoft.Rest.Azure.CloudError])
ServerResponse : {Forbidden}
RequestMessage : {POST https://graph.windows.net/<omitted>/getObjectsByObjectIds?api-version=1.6}
InvocationInfo : {Get-AzRoleAssignment}
Line           : Get-AzRoleAssignment -Scope /subscriptions/<mysubscriptionId>/resourceGroups/datasvc-dev-rg/providers/Microsoft.Storage/storageAccounts/<mystorageaccount>
Position       : At line:1 char:1
                 + Get-AzRoleAssignment -Scope /subscriptions<mysubscriptionId> …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at Microsoft.Azure.Graph.RBAC.ObjectsOperations.GetObjectsByObjectIdsWithHttpMessagesAsync(GetObjectsParameters parameters, Dictionary`2 customHeaders, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIdsAsync(IObjectsOperations operations, GetObjectsParameters parameters, CancellationToken cancellationToken)
                    at Microsoft.Azure.Graph.RBAC.ObjectsOperationsExtensions.GetObjectsByObjectIds(IObjectsOperations operations, GetObjectsParameters parameters)
                    at Microsoft.Azure.Commands.ActiveDirectory.ActiveDirectoryClient.GetObjectsByObjectId(List`1 objectIds)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClientExtensions.ToPSRoleAssignments(IEnumerable`1 assignments, IEnumerable`1 roleDefinitions, AuthorizationClient policyClient, 
                 ActiveDirectoryClient activeDirectoryClient, Boolean excludeAssignmentsForDeletedPrincipals)
                    at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.FilterRoleAssignments(FilterRoleAssignmentsOptions options, String currentSubscription, UInt64 first, UInt64 skip)
                    at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HistoryId      : 449

The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
```

rybal06 commented 4 years ago

I was able to get this working after granting the following to both "Azure Active Directory Graph" and "Microsoft Graph": `Directory.Read.All` (Application) - Read directory data.

I still believe there is a bug here, as granting the service principal Read/Write to all resources in which it owns should allow it to do so; but instead it is only allowing write, while read gets an access denied.

dingmeng-xue commented 4 years ago

Thanks for reporting. It relies on service behavior change. We will share this information to Identity team.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

tarry87 commented 4 years ago

Any ETA for a fix on the above?

tarry87 commented 4 years ago

> I was able to get this working after granting the following to both "Azure Active Directory Graph" and "Microsoft Graph": `Directory.Read.All` (Application) - Read directory data.
>
> I still believe there is a bug here, as granting the service principal Read/Write to all resources in which it owns should allow it to do so; but instead it is only allowing write, while read gets an access denied.

This is not working for me.

shivakumarky commented 3 years ago

Hi Team,

Any update on this? I am also having a similar issue.

davejhahn commented 3 years ago

Having this issue. In my case, using New-AzRoleAssignment, a SP that is admin granted Directory.ReadAll, and I get Authorization_RequestDenied (with -debug enabled on the PS command), BUT it works. e.g. I delete the role through the portal, run, get the error, it is created. However, it does not work every time.

Very frustrating, this is only a small piece of a much more complicated project but it is taking more time than anything else to solve.

dagoroz commented 3 years ago

@davejhahn please try adding the permissions as application permissions like mentioned by Petapacket in #10550

If that doesn't work, please try setting `$DebugPreference="Continue"`, then re-run the command with the `-Debug` flag and copy & paste the full output here.

davejhahn commented 3 years ago

I gave up on PowerShell, ended up using Rest API with az rest and was able to get it to work without any errors or problems. So I definitely think it's an issue in the PowerShell module.

sawatsky commented 3 years ago

I've been having the same issue with PowerShell.

I switched to Azure CLI and everything worked immediately.

navba-MSFT commented 2 years ago

@rybal06 Apologies for the late reply. This issue has been open for quite some time. Could you please let us know if you need any further assistance on this? Awaiting your reply.

rybal06 commented 2 years ago

@navba-MSFT I have noticed that there is a deprecation warning while using the Az module cmdlets which interact with Azure AD that the Az module is being updated to use the newer Graph API rather than the Azure AD Graph API (deprecated). It is likely worth parking this issue until after that change is rolled out, or closing it with details about the ETA of the updated module version.

Nagesh29 commented 2 years ago

@navba-MSFT: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404 I believe Azure Active Directory Graph permissions are being deprecated and "Get-AzRoleAssignment" doesn't work without those permissions. Could you please suggest any alternate PowerShell module/library with which we can work on az role assignments without AD permissions? I am working with RBAC REST APIs now but it would be more convenient with a PowerShell module.
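A workaround along the lines several commenters describe (calling the RBAC REST API directly), as an added example that is not part of any comment in this issue and not the Az module's own code: it lists assignments through ARM's Microsoft.Authorization provider only, and skips the directory lookup (the `getObjectsByObjectIds` call in the stack trace above) that needs Directory.Read.All, so the service principal needs nothing beyond its RBAC role on the scope. It assumes `Connect-AzAccount` has already been run as that service principal, that the installed Az.Accounts provides `Invoke-AzRestMethod`, and that the `2022-04-01` Microsoft.Authorization API version is available; the scope placeholders are the issue's own.

```powershell
# Added example (not from the issue or the Az module): list role assignments using only
# the ARM Microsoft.Authorization API. Get-AzRoleAssignment fails in a later step, where it
# resolves principal IDs to display names via the directory; this function skips that step
# and returns the raw principalId instead, so no directory permission is required.
# Assumes Connect-AzAccount has been run and Az.Accounts provides Invoke-AzRestMethod.
function Get-RoleAssignmentViaArm {
    param(
        [Parameter(Mandatory)][string]$Scope,   # e.g. /subscriptions/<id>/resourceGroups/<rg>/...
        [string]$ApiVersion = '2022-04-01'      # assumed Microsoft.Authorization API version
    )
    # atScope() returns assignments at this scope plus those inherited from parent scopes
    $path = "$Scope/providers/Microsoft.Authorization/roleAssignments?api-version=$ApiVersion&`$filter=atScope()"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        # A 403 here is a genuine RBAC denial on the scope, not a directory-permission problem
        throw "ARM returned $($resp.StatusCode) for $path : $($resp.Content)"
    }
    $assignments = ($resp.Content | ConvertFrom-Json).value
    $roleNames = @{}   # cache roleDefinitionId -> roleName; also an ARM call, no directory permission
    foreach ($a in $assignments) {
        $defId = $a.properties.roleDefinitionId
        if (-not $roleNames.ContainsKey($defId)) {
            $def = Invoke-AzRestMethod -Path "$defId?api-version=$ApiVersion" -Method GET
            $roleNames[$defId] = if ($def.StatusCode -eq 200) {
                ($def.Content | ConvertFrom-Json).properties.roleName
            } else { $defId }   # fall back to the id rather than failing the whole listing
        }
        [pscustomobject]@{
            RoleAssignmentId = $a.id
            RoleName         = $roleNames[$defId]
            ObjectId         = $a.properties.principalId    # deliberately left unresolved
            ObjectType       = $a.properties.principalType  # User / Group / ServicePrincipal
            Scope            = $a.properties.scope
        }
    }
}

# Usage: same scope the issue's failing Get-AzRoleAssignment call used (placeholders as in the issue)
Get-RoleAssignmentViaArm -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourcegroup>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>' |
    Format-Table RoleName, ObjectId, ObjectType, Scope
```

Because principal display names are not resolved, compare `ObjectId` against the ID you passed to `New-AzRoleAssignment` when verifying an assignment.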

Nagesh29 commented 2 years ago

@navba-MSFT Any updates on the above?

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

Author: rybal06
Assignees: -
Labels: `feature-request`, `Authorization`, `Service Attention`, `question`, `customer-reported`, `needs-team-attention`
Milestone: -
navba-MSFT commented 2 years ago

@Nagesh29 This is pending on Service Team.

@darshanhs90 @AshishGargMicrosoft Could you please look into this ask and provide an update. Thanks in advance.

Nagesh29 commented 2 years ago

@AshishGargMicrosoft @darshanhs90 Can you please help me with the above query?

Nagesh29 commented 2 years ago

@AshishGargMicrosoft @darshanhs90 @navba-MSFT Still no updates on my above question?