Open rybal06 opened 4 years ago
I was able to get this working after granting the following to both "Azure Active Directory Graph" and "Microsoft Graph": Directory.Read.All (Application) - Read directory data.
I still believe there is a bug here, as granting the service principal Read/Write to all resources which it owns should allow it to do so; but instead it is only allowing write, while read gets an access denied.
Thanks for reporting. It relies on a service behavior change. We will share this information with the Identity team.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.
Any ETA for a fix on the above?
This is not working for me.
Hi Team,
Any update on this? I am also having a similar issue.
Having this issue. In my case, using New-AzRoleAssignment with an SP that has been admin-granted Directory.Read.All, I get Authorization_RequestDenied (with -Debug enabled on the PS command), BUT it works, e.g. I delete the role through the portal, run the command, get the error, and the role is created. However, it does not work every time.
Very frustrating; this is only a small piece of a much more complicated project, but it is taking more time than anything else to solve.
@davejhahn please try adding the permissions as application permissions, as mentioned by Petapacket in #10550.
If that doesn't work, please try setting `$DebugPreference="Continue"`, then re-running the command with the `-Debug` flag, and copy & paste the full output here.
I gave up on PowerShell, ended up using Rest API with az rest and was able to get it to work without any errors or problems. So I definitely think it's an issue in the PowerShell module.
I've been having the same issue with PowerShell.
I switched to Azure CLI and everything worked immediately.
@rybal06 Apologies for the late reply. This issue has been open for quite some time. Could you please let us know if you need any further assistance on this? Awaiting your reply.
@navba-MSFT I have noticed that there is a deprecation warning while using the Az module cmdlets which interact with Azure AD that the Az module is being updated to use the newer Graph API rather than the Azure AD Graph API (deprecated). It is likely worth parking this issue until after that change is rolled out, or closing it with details about the ETA of the updated module version.
@navba-MSFT: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404 I believe Azure Active Directory Graph permissions are being deprecated, and "Get-AzRoleAssignment" doesn't work without those permissions. Could you please suggest any alternate PowerShell module/library with which we can work on Az role assignments without AD permissions? I am working with the RBAC REST APIs now, but it would be more convenient with a PowerShell module.
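One way to read role assignments from PowerShell without any directory permission, as an added example that is not code from this thread or from the Az module: call the RBAC REST API through Invoke-AzRestMethod (Az.Accounts), which returns principal object IDs without resolving them to display names via Azure AD Graph. The function name, the placeholder scope and the api-version are assumptions; the service principal still needs Microsoft.Authorization/roleAssignments/read on the scope (Owner includes it) and Connect-AzAccount must already have been run.

```powershell
# Added example (not from the thread or the Az module): list RBAC role
# assignments at a scope via the Authorization REST API. This path does not
# touch Azure AD Graph, so Directory.Read.All is not required; only ARM RBAC
# read permission on the scope is needed.
function Get-RoleAssignmentViaRest {
    [CmdletBinding()]
    param(
        # Placeholder, e.g. /subscriptions/<subscription-id>/resourceGroups/<rg-name>
        [Parameter(Mandatory)] [string] $Scope,
        # Assumed GA api-version for Microsoft.Authorization roleAssignments/roleDefinitions
        [string] $ApiVersion = '2022-04-01'
    )

    $path = "$Scope/providers/Microsoft.Authorization/roleAssignments?api-version=$ApiVersion"
    $response = Invoke-AzRestMethod -Path $path -Method GET
    if ($response.StatusCode -ne 200) {
        throw "roleAssignments GET failed: HTTP $($response.StatusCode) $($response.Content)"
    }

    # Role definition IDs are resolved to role names through the same ARM API
    # family; this is RBAC metadata, not directory data, so no Graph call is made.
    $roleNameCache = @{}
    foreach ($ra in ($response.Content | ConvertFrom-Json).value) {
        $defId = $ra.properties.roleDefinitionId
        if (-not $roleNameCache.ContainsKey($defId)) {
            $def = Invoke-AzRestMethod -Path "$defId?api-version=$ApiVersion" -Method GET
            $roleNameCache[$defId] = if ($def.StatusCode -eq 200) {
                ($def.Content | ConvertFrom-Json).properties.roleName
            } else { '<unresolved>' }
        }
        [pscustomobject]@{
            RoleAssignmentName = $ra.name
            RoleDefinitionName = $roleNameCache[$defId]
            # Object ID only; mapping it to a display name is what would need Graph.
            PrincipalId        = $ra.properties.principalId
            PrincipalType      = $ra.properties.principalType
            Scope              = $ra.properties.scope
        }
    }
}

# Usage with a placeholder scope:
# Get-RoleAssignmentViaRest -Scope '/subscriptions/<subscription-id>/resourceGroups/<rg-name>' |
#     Format-Table RoleDefinitionName, PrincipalType, PrincipalId, Scope
```

If a lookup still returns 403 here, the problem is RBAC on the scope itself rather than the AAD Graph permission that Get-AzRoleAssignment asks for.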
@navba-MSFT Any updates on the above?
Author: | rybal06 |
---|---|
Assignees: | - |
Labels: | `feature-request`, `Authorization`, `Service Attention`, `question`, `customer-reported`, `needs-team-attention` |
Milestone: | - |
@Nagesh29 This is pending on Service Team.
@darshanhs90 @AshishGargMicrosoft Could you please look into this ask and provide an update. Thanks in advance.
@AshishGargMicrosoft @darshanhs90 Can you please help me with the above query?
@AshishGargMicrosoft @darshanhs90 @navba-MSFT Still no updates on my above question?
Description
This is similar to https://github.com/Azure/azure-powershell/issues/10550, possibly. I am using a service principal to manage IAM access to Azure resources for which that service account is the owner.
Get-AzRoleAssignment returns Authorization_RequestDenied, whereas New-AzRoleAssignment and Remove-AzRoleAssignment work perfectly. The expected behavior is that this service principal can read and write Azure AD accounts on applications it owns; but it seems it can only write.
The service principal account has the following access:
Steps to reproduce
New-AzRoleAssignment (works)
Get-AzRoleAssignment (fails)
Environment data
Debug output
Note, if more than this is needed please reach out and I will supply it privately.
Error output