Azure / azure-powershell

Microsoft Azure PowerShell

New-AzRoleAssignment fails to assign the "DocumentDB Account Contributor" role due to an Azure Policy violation #14563

Closed andreireznikau closed 3 years ago

andreireznikau commented 3 years ago

Description

There is an Azure Policy set against the management group that allows role assignments granting privileges only to SPNs from particular groups.

We have a release definition task that assigns an MSI the "DocumentDB Account Contributor" role on a CosmosDB account, on behalf of an SPN which meets the policy criteria, on the build agent, and the release fails with the exception below:

New-AzRoleAssignment: Resource '********-****-****-****-************' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Landing-Zone-Default-Subscription","id":"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120"},"policyDefinition":{"name":"Allowed principal IDs","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************"},"policySetDefinition":{"name":"Landing-Zone-Default-Subscription","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************"}}]'.

We get the same exception running the definition either on the Microsoft Azure Pipelines agent pool (windows-2019) or running New-AzRoleAssignment directly from a PS session on a self-hosted build agent. However, it works fine from my local machine. I compared the debug output from both sessions and found the only difference in the HTTP request: on the local machine the request body contains the "principalType": "ServicePrincipal" pair, while the request body from the build agent does not.

Local machine:

{
  "properties": {
    "roleDefinitionId": "/subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome/providers/Microsoft.Authorization/roleDefinitions/********-****-****-****-************",
    "principalId": "********-****-****-****-************",
    "principalType": "ServicePrincipal",
    "canDelegate": false
  }
}

Build agent:

{
  "properties": {
    "roleDefinitionId": "/subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome/providers/Microsoft.Authorization/roleDefinitions/********-****-****-****-************",
    "principalId": "********-****-****-****-************",
    "canDelegate": false
  }
}

Steps to reproduce

Login-AzAccount -ServicePrincipal -Credential (Get-Credential)
New-AzRoleAssignment -ObjectId ********-****-****-****-************ -RoleDefinitionName "DocumentDB Account Contributor" -Scope /subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome -Debug

Environment data

Name                           Value
----                           -----
PSVersion                      7.1.3
PSEdition                      Core
GitCommitId                    7.1.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     5.1.1                 Pester                              Desk      {Invoke-Pester, Describe, Context, It…}

    Directory: C:\program files\powershell\7\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Manifest   7.0.0.0               CimCmdlets                          Core      {Get-CimAssociatedInstance, Get-CimClass, Get-CimInstance, Get-CimSession…}
Manifest   1.2.5                 Microsoft.PowerShell.Archive        Desk      {Compress-Archive, Expand-Archive}
Manifest   7.0.0.0               Microsoft.PowerShell.Diagnostics    Core      {Get-WinEvent, New-WinEvent, Get-Counter}
Manifest   7.0.0.0               Microsoft.PowerShell.Host           Core      {Start-Transcript, Stop-Transcript}
Manifest   7.0.0.0               Microsoft.PowerShell.Management     Core      {Add-Content, Clear-Content, Get-Clipboard, Set-Clipboard…}
Manifest   7.0.0.0               Microsoft.PowerShell.Security       Core      {Get-Acl, Set-Acl, Get-PfxCertificate, Get-Credential…}
Manifest   7.0.0.0               Microsoft.PowerShell.Utility        Core      {Export-Alias, Get-Alias, Import-Alias, New-Alias…}
Manifest   7.0.0.0               Microsoft.WSMan.Management          Core      {Disable-WSManCredSSP, Enable-WSManCredSSP, Get-WSManCredSSP, Set-WSManQuickConfig…}
Script     1.4.7                 PackageManagement                   Desk      {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource…}
Script     2.2.5                 PowerShellGet                       Desk      {Find-Command, Find-DSCResource, Find-Module, Find-RoleCapability…}
Script     2.0.5                 PSDesiredStateConfiguration         Core      {Configuration, New-DscChecksum, Get-DscResource, Invoke-DscResource}
Script     7.0.0.0               PSDiagnostics                       Core      {Disable-PSTrace, Disable-PSWSManCombinedTrace, Disable-WSManTrace, Enable-PSTrace…}
Script     2.1.0                 PSReadLine                          Desk      {Get-PSReadLineKeyHandler, Set-PSReadLineKeyHandler, Remove-PSReadLineKeyHandler, Get-PSReadLineOption…}
Binary     2.0.3                 ThreadJob                           Desk      Start-ThreadJob

    Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     5.6.0                 Az                                  Core,Desk
Script     2.2.6                 Az.Accounts                         Core,Desk {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave…}
Script     1.1.1                 Az.Advisor                          Core,Desk {Get-AzAdvisorRecommendation, Enable-AzAdvisorRecommendation, Disable-AzAdvisorRecommendation, Get-AzAdvisorConfiguration…}
Script     2.0.2                 Az.Aks                              Core,Desk {Get-AzAksCluster, New-AzAksCluster, Remove-AzAksCluster, Import-AzAksCredential…}
Script     1.1.4                 Az.AnalysisServices                 Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnalysisServicesServer, Get-AzAnalysisServicesServer, Remove-AzAnalysisServicesServer…}
Script     2.2.0                 Az.ApiManagement                    Core,Desk {Add-AzApiManagementApiToGateway, Add-AzApiManagementApiToProduct, Add-AzApiManagementProductToGroup, Add-AzApiManagementRegion…}
Script     1.0.0                 Az.AppConfiguration                 Core,Desk {Get-AzAppConfigurationStore, Get-AzAppConfigurationStoreKey, New-AzAppConfigurationStore, New-AzAppConfigurationStoreKey…}
Script     1.1.0                 Az.ApplicationInsights              Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsights, Remove-AzApplicationInsights, Update-AzApplicationInsights…}
Script     1.5.0                 Az.Automation                       Core,Desk {Get-AzAutomationHybridWorkerGroup, Remove-AzAutomationHybridWorkerGroup, Get-AzAutomationJobOutputRecord, Import-AzAutomationDscNodeConfiguration…}
Script     3.1.0                 Az.Batch                            Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-AzBatchAccountKey, New-AzBatchAccount…}
Script     2.0.0                 Az.Billing                          Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-AzEnrollmentAccount, Get-AzConsumptionBudget…}
Script     1.6.0                 Az.Cdn                              Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzCdnProfile, Remove-AzCdnProfile…}
Script     1.8.0                 Az.CognitiveServices                Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveServicesAccountKey, Get-AzCognitiveServicesAccountSku, Get-AzCognitiveServicesAccountType…}
Script     4.10.0                Az.Compute                          Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, New-AzAvailabilitySet, Update-AzAvailabilitySet…}
Script     1.0.3                 Az.ContainerInstance                Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remove-AzContainerGroup, Get-AzContainerInstanceLog}
Script     2.2.1                 Az.ContainerRegistry                Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry, Update-AzContainerRegistry, Remove-AzContainerRegistry…}
Script     1.1.0                 Az.CosmosDB                         Core,Desk {Get-AzCosmosDBSqlContainer, Get-AzCosmosDBSqlContainerThroughput, Get-AzCosmosDBSqlDatabase, Get-AzCosmosDBSqlDatabaseThroughput…}
Script     1.1.0                 Az.DataBoxEdge                      Core,Desk {Get-AzDataBoxEdgeJob, Get-AzDataBoxEdgeDevice, Invoke-AzDataBoxEdgeDevice, New-AzDataBoxEdgeDevice…}
Script     1.1.0                 Az.Databricks                       Core,Desk {Get-AzDatabricksVNetPeering, Get-AzDatabricksWorkspace, New-AzDatabricksVNetPeering, New-AzDatabricksWorkspace…}
Script     1.11.4                Az.DataFactory                      Core,Desk {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-AzDataFactoryV2, Remove-AzDataFactoryV2…}
Script     1.0.2                 Az.DataLakeAnalytics                Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLakeAnalyticsCatalogCredential, Remove-AzDataLakeAnalyticsCatalogCredential, Set-AzDataLakeAnalyticsCatalogCre…
Script     1.3.0                 Az.DataLakeStore                    Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreFirewallRule, Set-AzDataLakeStoreTrustedIdProvider…}
Script     1.0.0                 Az.DataShare                        Core,Desk {New-AzDataShareAccount, Get-AzDataShareAccount, Remove-AzDataShareAccount, New-AzDataShare…}
Script     1.1.0                 Az.DeploymentManager                Core,Desk {Get-AzDeploymentManagerArtifactSource, New-AzDeploymentManagerArtifactSource, Set-AzDeploymentManagerArtifactSource, Remove-AzDeploymentManagerArtifactSour…
Script     2.1.1                 Az.DesktopVirtualization            Core,Desk {Disconnect-AzWvdUserSession, Expand-AzWvdMsixImage, Get-AzWvdApplication, Get-AzWvdApplicationGroup…}
Script     1.0.2                 Az.DevTestLabs                      Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutdownPolicy, Get-AzDtlAutoStartPolicy, Get-AzDtlVMsPerLabPolicy…}
Script     1.1.2                 Az.Dns                              Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove-AzDnsRecordSet, Set-AzDnsRecordSet…}
Script     1.3.0                 Az.EventGrid                        Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-AzEventGridTopic, New-AzEventGridTopicKey…}
Script     1.7.1                 Az.EventHub                         Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace, Set-AzEventHubNamespace, Remove-AzEventHubNamespace…}
Script     1.7.0                 Az.FrontDoor                        Core,Desk {New-AzFrontDoor, Get-AzFrontDoor, Set-AzFrontDoor, Remove-AzFrontDoor…}
Script     2.0.0                 Az.Functions                        Core,Desk {Get-AzFunctionApp, Get-AzFunctionAppAvailableLocation, Get-AzFunctionAppPlan, Get-AzFunctionAppSetting…}
Script     4.2.0                 Az.HDInsight                        Core,Desk {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefinition, Wait-AzHDInsightJob, New-AzHDInsightStreamingMapReduceJobDefinition…}
Script     1.2.0                 Az.HealthcareApis                   Core,Desk {New-AzHealthcareApisService, Remove-AzHealthcareApisService, Set-AzHealthcareApisService, Get-AzHealthcareApisService}
Script     2.7.2                 Az.IotHub                           Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGroup, Get-AzIotHubConnectionString, Get-AzIotHubJob…}
Script     3.4.0                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCertificate, Stop-AzKeyVaultCertificateOperation, Get-AzKeyVaultCertificateOperation…}
Script     1.0.1                 Az.Kusto                            Core,Desk {Add-AzKustoClusterLanguageExtension, Add-AzKustoDatabasePrincipal, Get-AzKustoAttachedDatabaseConfiguration, Get-AzKustoCluster…}
Script     1.5.0                 Az.LogicApp                         Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegrationAccountAssembly, Get-AzIntegrationAccountBatchConfiguration, Get-AzIntegrationAccountCallbackUrl…}
Script     1.1.3                 Az.MachineLearning                  Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitmentAssociation, Get-AzMlCommitmentPlanUsageHistory, Remove-AzMlCommitmentPlan…}
Script     1.1.0                 Az.Maintenance                      Core,Desk {Get-AzApplyUpdate, Get-AzConfigurationAssignment, Get-AzMaintenanceConfiguration, Get-AzMaintenanceUpdate…}
Script     2.0.0                 Az.ManagedServices                  Core,Desk {Get-AzManagedServicesAssignment, New-AzManagedServicesAssignment, Remove-AzManagedServicesAssignment, Get-AzManagedServicesDefinition…}
Script     1.0.2                 Az.MarketplaceOrdering              Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script     1.1.1                 Az.Media                            Core,Desk {Sync-AzMediaServiceStorageKey, Set-AzMediaServiceKey, Get-AzMediaServiceKey, Get-AzMediaServiceNameAvailability…}
Script     1.0.0                 Az.Migrate                          Core,Desk {Get-AzMigrateDiscoveredServer, Get-AzMigrateJob, Get-AzMigrateProject, Get-AzMigrateReplicationFabric…}
Script     2.4.0                 Az.Monitor                          Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLogProfile, Get-AzLogProfile…}
Script     4.6.0                 Az.Network                          Core,Desk {Add-AzApplicationGatewayAuthenticationCertificate, Get-AzApplicationGatewayAuthenticationCertificate, New-AzApplicationGatewayAuthenticationCertificate, Re…
Script     1.1.1                 Az.NotificationHubs                 Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAuthorizationRule, Get-AzNotificationHubListKey, Get-AzNotificationHubPNSCredential…}
Script     2.3.0                 Az.OperationalInsights              Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSource, New-AzOperationalInsightsCustomLogDataSource, Disable-AzOperationalInsightsLinuxCustomLogCollection, D…
Script     1.4.1                 Az.PolicyInsights                   Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolicyStateSummary, Get-AzPolicyRemediation…}
Script     1.1.2                 Az.PowerBIEmbedded                  Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollectionAccessKey, Get-AzPowerBIWorkspace…}
Script     1.0.3                 Az.PrivateDns                       Core,Desk {Get-AzPrivateDnsZone, Remove-AzPrivateDnsZone, Set-AzPrivateDnsZone, New-AzPrivateDnsZone…}
Script     3.4.1                 Az.RecoveryServices                 Core,Desk {Get-AzRecoveryServicesBackupProperty, Get-AzRecoveryServicesVault, Get-AzRecoveryServicesVaultSettingsFile, New-AzRecoveryServicesVault…}
Script     1.4.0                 Az.RedisCache                       Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCacheScheduleEntry, Get-AzRedisCachePatchSchedule, New-AzRedisCachePatchSchedule…}
Script     1.0.3                 Az.Relay                            Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-AzRelayNamespace, Remove-AzRelayNamespace…}
Script     3.3.0                 Az.Resources                        Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment, Get-AzRoleAssignment, New-AzRoleAssignment…}
Script     1.4.1                 Az.ServiceBus                       Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNamespace, Set-AzServiceBusNamespace, Remove-AzServiceBusNamespace…}
Script     2.2.2                 Az.ServiceFabric                    Core,Desk {Add-AzServiceFabricClientCertificate, Add-AzServiceFabricClusterCertificate, Add-AzServiceFabricNode, Add-AzServiceFabricNodeType…}
Script     1.2.0                 Az.SignalR                          Core,Desk {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, New-AzSignalRKey…}
Script     2.16.0                Az.Sql                              Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlDatabaseTransparentDataEncryptionActivity, Set-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlDataba…
Script     1.1.0                 Az.SqlVirtualMachine                Core,Desk {New-AzSqlVM, Get-AzSqlVM, Update-AzSqlVM, Remove-AzSqlVM…}
Script     3.4.0                 Az.Storage                          Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, New-AzStorageAccount, New-AzStorageAccountKey…}
Script     1.4.0                 Az.StorageSync                      Core,Desk {Invoke-AzStorageSyncCompatibilityCheck, New-AzStorageSyncService, Get-AzStorageSyncService, Set-AzStorageSyncService…}
Script     1.0.1                 Az.StreamAnalytics                  Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyticsDefaultFunctionDefinition, New-AzStreamAnalyticsFunction, Remove-AzStreamAnalyticsFunction…}
Script     1.0.0                 Az.Support                          Core,Desk {Get-AzSupportService, Get-AzSupportProblemClassification, Get-AzSupportTicket, Get-AzSupportTicketCommunication…}
Script     1.0.4                 Az.TrafficManager                   Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remove-AzTrafficManagerCustomHeaderFromEndpoint, Add-AzTrafficManagerCustomHeaderToProfile, Remove-AzTrafficMan…
Script     2.4.0                 Az.Websites                         Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-AzAppServicePlan, Remove-AzAppServicePlan…}
Script     1.0.1                 Microsoft.PowerShell.Operation.Val… Desk      {Get-OperationValidation, Invoke-OperationValidation}
Script     1.4.7                 PackageManagement                   Desk      {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource…}
Binary     1.0.0.1               PackageManagement                   Desk      {Find-Package, Get-Package, Get-PackageProvider, Get-PackageSource…}
Script     3.4.0                 Pester                              Desk      {Describe, Context, It, Should…}
Script     2.2.4.1               PowerShellGet                       Desk      {Find-Command, Find-DSCResource, Find-Module, Find-RoleCapability…}
Script     1.0.0.1               PowerShellGet                       Desk      {Install-Module, Find-Module, Save-Module, Update-Module…}
Script     1.2                   PSReadline                          Desk      {Get-PSReadlineKeyHandler, Set-PSReadlineKeyHandler, Remove-PSReadlineKeyHandler, Get-PSReadlineOption…}

    Directory: C:\windows\system32\WindowsPowerShell\v1.0\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Manifest   1.0                   Defender                            Core,Desk {Get-MpPreference, Set-MpPreference, Add-MpPreference, Remove-MpPreference…}

    Directory: C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.0.0.0               Microsoft.MonitoringAgent.PowerShe… Desk

    Directory: C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\7.3.1095.0

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.0                   HybridRegistration                  Desk

    Directory: C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\7.3.1095.0\HybridAgent\Modules

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Binary     1.0                   Orchestrator.AssetManagement.Cmdle… Desk

Debug output

DEBUG: 11:34:10 AM - NewAzureRoleAssignmentCommand begin processing with ParameterSet 'EmptyParameterSet'.
DEBUG: 11:34:10 AM - using account id '********-****-****-****-************'...
DEBUG: [Common.Authentication]: Authenticating using Account: '********-****-****-****-************', environment: 'AzureCloud', tenant: '********-****-****-****-************'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://graph.windows.net//.default ] ParentRequestId:
DEBUG: Request [********-****-****-****-************] POST https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:********-****-****-****-************
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3,(.NET 5.0.4; Microsoft Windows 10.0.14393)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [********-****-****-****-************] 200 OK (00.1s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
Set-Cookie:REDACTED
Date:Tue, 16 Mar 2021 11:34:10 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:1496

DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://graph.windows.net//.default ] ParentRequestId:  ExpiresOn: 2021-03-16T12:34:09.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '********-****-****-****-************', UserId: '********-****-****-****-************'
DEBUG: [Common.Authentication]: Authenticating using Account: '********-****-****-****-************', environment: 'AzureCloud', tenant: '********-****-****-****-************'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Request [********-****-****-****-************] POST https://login.microsoftonline.com/********-****-****-****-************/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:********-****-****-****-************
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3,(.NET 5.0.4; Microsoft Windows 10.0.14393)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [********-****-****-****-************] 200 OK (00.1s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
Set-Cookie:REDACTED
Date:Tue, 16 Mar 2021 11:34:10 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:1427

DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2021-03-16T12:34:09.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '********-****-****-****-************', UserId: '********-****-****-****-************'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'DocumentDB Account Contributor'&api-version=2018-01-01-preview

Headers:
x-ms-client-request-id        : ********-****-****-****-************
Accept-Language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-id               : ********-****-****-****-************
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : ********-****-****-****-************
x-ms-routing-request-id       : SOUTHCENTRALUS:20210316T113411Z:********-****-****-****-************
Date                          : Tue, 16 Mar 2021 11:34:10 GMT

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "DocumentDB Account Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage DocumentDB accounts, but not access to them.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/*/read",
              "Microsoft.DocumentDb/databaseAccounts/*",
              "Microsoft.Insights/alertRules/*",
              "Microsoft.ResourceHealth/availabilityStatuses/read",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Support/*",
              "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-11-21T01:38:32.0948484Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/roleDefinitions/********-****-****-****-************",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "********-****-****-****-************"
    }
  ]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome/providers/Microsoft.Authorization/roleAssignments/********-****-****-****-************?api-version=2020-04-01-preview

Headers:
x-ms-client-request-id        : ********-****-****-****-************
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/********-****-****-****-************/resourceGroups/dt-coredatabase-genome/providers/Microsoft.DocumentDB/databaseAccounts/dt-cmdb-genome/providers/Microsoft.Authorization/roleDefinitions/********-****-****-****-************",
    "principalId": "********-****-****-****-************",
    "canDelegate": false
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : ********-****-****-****-************
x-ms-correlation-request-id   : ********-****-****-****-************
x-ms-routing-request-id       : SOUTHCENTRALUS:20210316T113411Z:********-****-****-****-************
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 16 Mar 2021 11:34:10 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "target": "********-****-****-****-************",
    "message": "Resource '********-****-****-****-************' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Landing-Zone-Default-Subscription\",\"id\":\"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120\"},\"policyDefinition\":{\"name\":\"Allowed principal IDs\",\"id\":\"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************\"},\"policySetDefinition\":{\"name\":\"Landing-Zone-Default-Subscription\",\"id\":\"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************\"}}]'.",
    "additionalInfo": [
      {
        "type": "PolicyViolation",
        "info": {
          "policyDefinitionDisplayName": "Allowed principal IDs",
          "policySetDefinitionDisplayName": "Landing-Zone-Default-Subscription",
          "evaluationDetails": {
            "evaluatedExpressions": [
              {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.Authorization/roleAssignments",
                "targetValue": "Microsoft.Authorization/roleAssignments",
                "operator": "Equals"
              },
              {
                "result": "False",
                "expressionKind": "Field",
                "expression": "Microsoft.Authorization/roleAssignments/principalId",
                "path": "properties.principalId",
                "expressionValue": "********-****-****-****-************",
                "targetValue": [
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************",
                  "********-****-****-****-************"
                ],
                "operator": "In"
              },
              {
                "result": "False",
                "expressionKind": "Field",
                "expression": "Microsoft.Authorization/roleAssignments/principalType",
                "path": "properties.principalType",
                "targetValue": "ServicePrincipal",
                "operator": "Equals"
              }
            ]
          },
          "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************",
          "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************",
          "policyDefinitionReferenceId": "3378863873727648846",
          "policySetDefinitionName": "********-****-****-****-************",
          "policyDefinitionName": "********-****-****-****-************",
          "policyDefinitionEffect": "Deny",
          "policyAssignmentId": "/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120",
          "policyAssignmentName": "83f51c6289085f77b7a36120",
          "policyAssignmentDisplayName": "Landing-Zone-Default-Subscription",
          "policyAssignmentScope": "/subscriptions/********-****-****-****-************",
          "policyAssignmentParameters": {
            "requiredTagName": {
              "value": "tr:application-asset-insight-id"
            },
            "requiredTagValue": {
              "value": "205163"
            },
            "allowedPrincipalIdsForIAM": {
              "value": [
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************",
                "********-****-****-****-************"
              ]
            },
            "allowedOwnerRoleDefinitionId": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "allowedContributorRoleDefinitionId": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "allowedReaderRoleDefinitionId": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "targetedPrincipalIdsForOwnerRole": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "targetedPrincipalIdsForContributorRole": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "targetedPrincipalIdsForReaderRole": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "disallowedOwnerRoleDefinitionIds": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "disallowedUserAccessAdminRoleDefinitionId": {
              "value": [
                "********-****-****-****-************"
              ]
            },
            "exemptPrincipalIDs": {
              "value": [
                "********-****-****-****-************",
                "********-****-****-****-************"
              ]
            },
            "vnetNamingConvention": {
              "value": "VNet-NON-PROD-"
            },
            "additionalDnsZones": {
              "value": []
            },
            "privateDnsZoneDomain": {
              "value": "azure-int.thomsonreuters.com"
            },
            "regionAbbreviationMap": {
              "value": {
                "australiaeast": "aue",
                "australiasoutheast": "ause",
                "brazilsouth": "brs",
                "canadacentral": "cac",
                "canadaeast": "cae",
                "centralus": "usc",
                "eastus2": "use2",
                "northeurope": "eun",
                "southeastasia": "aase",
                "uksouth": "uks",
                "ukwest": "ukw",
                "westeurope": "euw",
                "westus": "usw",
                "disabled": "disabled"
              }
            },
            "exemptUserAccessAdminPrincipalIDs": {
              "value": []
            },
            "effectAllowedRoleDefinitionIds": {
              "value": "Deny"
            },
            "effectAllowedPrincipalIds": {
              "value": "Deny"
            },
            "effectDisallowedRoleDefinitions": {
              "value": "Deny"
            },
            "effectUserAccessAdminDisallowedRoleDefinitions": {
              "value": "Deny"
            },
            "effectDenyCustomRoles": {
              "value": "Deny"
            },
            "effectDenyVNetsOnNamingConvention": {
              "value": "Deny"
            },
            "effectAllowedPrivateDnsZones": {
              "value": "Deny"
            }
          }
        }
      }
    ]
  }
}

New-AzRoleAssignment: Resource '********-****-****-****-************' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Landing-Zone-Default-Subscription","id":"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120"},"policyDefinition":{"name":"Allowed principal IDs","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************"},"policySetDefinition":{"name":"Landing-Zone-Default-Subscription","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************"}}]'.
DEBUG: AzureQoSEvent: CommandName - New-AzRoleAssignment; IsSuccess - False; Duration - 00:00:00.8832482; Exception - Microsoft.Rest.Azure.CloudException: Resource '********-****-****-****-************' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Landing-Zone-Default-Subscription","id":"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120"},"policyDefinition":{"name":"Allowed principal IDs","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************"},"policySetDefinition":{"name":"Landing-Zone-Default-Subscription","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************"}}]'.
   at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperations.CreateWithHttpMessagesAsync(String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperationsExtensions.CreateAsync(IRoleAssignmentsOperations operations, String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperationsExtensions.Create(IRoleAssignmentsOperations operations, String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters)
   at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId)
   at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 11:34:11 AM - NewAzureRoleAssignmentCommand end processing.

Error output

Resolve-AzError: Input string was not in a correct format.
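A small triage helper, added here as an example and not code from the issue or from the Az module: it parses a `RequestDisallowedByPolicy` response of the shape shown in the debug output above, lists every policy expression that evaluated to `False`, and checks whether the field each one inspects is actually present in the request body that was sent. Both JSON samples are constructed to mirror the page's output with placeholder GUIDs, and the function names are the example's own; it only reads the response and does not change how the cmdlet builds its request.

```powershell
# Added example (not from the issue or the Az module): list the policy
# expressions that failed in a RequestDisallowedByPolicy response and check
# whether the request body carried the fields those expressions inspect.

# Constructed sample, shaped like the 403 body in the debug output above.
$errorBodyJson = @'
{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "target": "00000000-0000-0000-0000-000000000000",
    "message": "Resource was disallowed by policy.",
    "additionalInfo": [
      {
        "type": "PolicyViolation",
        "info": {
          "policyDefinitionDisplayName": "Allowed principal IDs",
          "policyDefinitionEffect": "Deny",
          "evaluationDetails": {
            "evaluatedExpressions": [
              { "result": "True",  "expressionKind": "Field", "expression": "type",
                "path": "type", "expressionValue": "Microsoft.Authorization/roleAssignments",
                "targetValue": "Microsoft.Authorization/roleAssignments", "operator": "Equals" },
              { "result": "False", "expressionKind": "Field",
                "expression": "Microsoft.Authorization/roleAssignments/principalId",
                "path": "properties.principalId",
                "expressionValue": "11111111-1111-1111-1111-111111111111",
                "targetValue": ["22222222-2222-2222-2222-222222222222"], "operator": "In" },
              { "result": "False", "expressionKind": "Field",
                "expression": "Microsoft.Authorization/roleAssignments/principalType",
                "path": "properties.principalType",
                "targetValue": "ServicePrincipal", "operator": "Equals" }
            ]
          }
        }
      }
    ]
  }
}
'@

# Constructed request body, shaped like the build-agent PUT body above
# (note: no principalType property).
$requestBodyJson = @'
{ "properties": { "roleDefinitionId": "/subscriptions/PLACEHOLDER/providers/Microsoft.Authorization/roleDefinitions/PLACEHOLDER",
                  "principalId": "11111111-1111-1111-1111-111111111111",
                  "canDelegate": false } }
'@

function Get-FailedPolicyExpression {
    param([Parameter(Mandatory)][string]$ErrorJson)
    $err = ($ErrorJson | ConvertFrom-Json).error
    if ($err.code -ne 'RequestDisallowedByPolicy') { return @() }
    foreach ($info in $err.additionalInfo | Where-Object type -eq 'PolicyViolation') {
        foreach ($expr in $info.info.evaluationDetails.evaluatedExpressions) {
            if ($expr.result -eq 'False') {
                [pscustomobject]@{
                    Policy        = $info.info.policyDefinitionDisplayName
                    Effect        = $info.info.policyDefinitionEffect
                    Path          = $expr.path
                    Operator      = $expr.operator
                    SentValue     = $expr.expressionValue   # $null when the field was absent
                    ExpectedValue = ($expr.targetValue -join ', ')
                }
            }
        }
    }
}

function Test-RequestHasField {
    param([Parameter(Mandatory)][string]$RequestJson, [Parameter(Mandatory)][string]$Path)
    # Walk a dotted path such as "properties.principalType" through the request body.
    $node = $RequestJson | ConvertFrom-Json
    foreach ($segment in $Path.Split('.')) {
        if ($null -eq $node -or -not ($node.PSObject.Properties.Name -contains $segment)) { return $false }
        $node = $node.$segment
    }
    return $true
}

foreach ($f in Get-FailedPolicyExpression -ErrorJson $errorBodyJson) {
    $present = Test-RequestHasField -RequestJson $requestBodyJson -Path $f.Path
    "{0} [{1}] {2} {3} expected {4}; sent {5}; field present in request: {6}" -f `
        $f.Policy, $f.Effect, $f.Path, $f.Operator, $f.ExpectedValue, ($f.SentValue ?? '<absent>'), $present
}
```

Run against a real failure by pasting the `Body:` of the Forbidden response from `-Debug` output into `$errorBodyJson` and the preceding PUT body into `$requestBodyJson`; an expression whose `SentValue` is absent and whose field is missing from the request points at a property the client never sent, which is the situation the issue describes for `principalType`. The `??` operator needs PowerShell 7, matching the 7.1.3 environment on the page.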
ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Wmengmsft, @MehaKaushik, @shurd, @anfeldma-ms

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @armleads-azure.

"australiaeast": "aue", "australiasoutheast": "ause", "brazilsouth": "brs", "canadacentral": "cac", "canadaeast": "cae", "centralus": "usc", "eastus2": "use2", "northeurope": "eun", "southeastasia": "aase", "uksouth": "uks", "ukwest": "ukw", "westeurope": "euw", "westus": "usw", "disabled": "disabled" } }, "exemptUserAccessAdminPrincipalIDs": { "value": [] }, "effectAllowedRoleDefinitionIds": { "value": "Deny" }, "effectAllowedPrincipalIds": { "value": "Deny" }, "effectDisallowedRoleDefinitions": { "value": "Deny" }, "effectUserAccessAdminDisallowedRoleDefinitions": { "value": "Deny" }, "effectDenyCustomRoles": { "value": "Deny" }, "effectDenyVNetsOnNamingConvention": { "value": "Deny" }, "effectAllowedPrivateDnsZones": { "value": "Deny" } } } } ] } } New-AzRoleAssignment: Resource '********-****-****-****-************' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Landing-Zone-Default-Subscription","id":"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120"},"policyDefinition":{"name":"Allowed principal IDs","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************"},"policySetDefinition":{"name":"Landing-Zone-Default-Subscription","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************"}}]'. DEBUG: AzureQoSEvent: CommandName - New-AzRoleAssignment; IsSuccess - False; Duration - 00:00:00.8832482; Exception - Microsoft.Rest.Azure.CloudException: Resource '********-****-****-****-************' was disallowed by policy. 
Policy identifiers: '[{"policyAssignment":{"name":"Landing-Zone-Default-Subscription","id":"/subscriptions/********-****-****-****-************/providers/Microsoft.Authorization/policyAssignments/83f51c6289085f77b7a36120"},"policyDefinition":{"name":"Allowed principal IDs","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policyDefinitions/********-****-****-****-************"},"policySetDefinition":{"name":"Landing-Zone-Default-Subscription","id":"/providers/Microsoft.Management/managementGroups/Landing-Zones-v2/providers/Microsoft.Authorization/policySetDefinitions/********-****-****-****-************"}}]'. at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperations.CreateWithHttpMessagesAsync(String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters, Dictionary`2 customHeaders, CancellationToken cancellationToken) at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperationsExtensions.CreateAsync(IRoleAssignmentsOperations operations, String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken) at Microsoft.Azure.Management.Authorization.RoleAssignmentsOperationsExtensions.Create(IRoleAssignmentsOperations operations, String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters) at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId) at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet() at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.b__3_0(T c) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor) at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet) at 
Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord(); DEBUG: Finish sending metric. DEBUG: 11:34:11 AM - NewAzureRoleAssignmentCommand end processing. ``` ## Error output ``` Resolve-AzError: Input string was not in a correct format. ```
Author: andreireznikau
Assignees: -
Labels: `ARM - RBAC`, `Service Attention`, `customer-reported`, `question`
Milestone: -
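As an added example, not code from the issue or from the Az module, the PowerShell below reads a RequestDisallowedByPolicy body like the 403 in the debug output, lists the policy expressions that evaluated False with the request path each one keyed on, and then reports which of those paths the outgoing body does not contain at all (the build-agent case, where `properties.principalType` is absent). The GUIDs, the role definition path and the trimmed JSON are constructed placeholders.

```powershell
# Added example (not from the issue or the Az module): triage a
# RequestDisallowedByPolicy error by listing the policy expressions that
# evaluated False, together with the request-body path each one keyed on.
function Get-PolicyDenialDetail {
    param([Parameter(Mandatory)][string]$ErrorJson)
    $err = ($ErrorJson | ConvertFrom-Json).error
    if ($err.code -ne 'RequestDisallowedByPolicy') { return }
    foreach ($violation in ($err.additionalInfo | Where-Object type -eq 'PolicyViolation')) {
        foreach ($expr in $violation.info.evaluationDetails.evaluatedExpressions) {
            if ($expr.result -ne 'False') { continue }
            [pscustomobject]@{
                Policy      = $violation.info.policyDefinitionDisplayName
                Effect      = $violation.info.policyDefinitionEffect
                Path        = $expr.path
                Operator    = $expr.operator
                TargetValue = $expr.targetValue
                SentValue   = $expr.expressionValue   # $null when the request omitted the field
            }
        }
    }
}

# Returns the denied paths that the request body does not contain at all;
# a deny keyed on an absent field cannot be satisfied by changing its value.
function Get-MissingDeniedField {
    param([Parameter(Mandatory)][string]$BodyJson, [Parameter(Mandatory)][object[]]$Denials)
    $body = $BodyJson | ConvertFrom-Json
    foreach ($denial in $Denials) {
        $node = $body
        foreach ($segment in $denial.Path.Split('.')) {
            $node = if ($null -ne $node) { $node.$segment } else { $null }   # walk properties.x.y
        }
        if ($null -eq $node) { $denial.Path }
    }
}

# Constructed sample: a trimmed copy of the 403 body from the debug output,
# with placeholder GUIDs instead of the masked ones.
$sampleError = @'
{"error":{"code":"RequestDisallowedByPolicy","additionalInfo":[{"type":"PolicyViolation","info":{
 "policyDefinitionDisplayName":"Allowed principal IDs","policyDefinitionEffect":"Deny",
 "evaluationDetails":{"evaluatedExpressions":[
  {"result":"True","path":"type","expressionValue":"Microsoft.Authorization/roleAssignments","targetValue":"Microsoft.Authorization/roleAssignments","operator":"Equals"},
  {"result":"False","path":"properties.principalId","expressionValue":"00000000-0000-0000-0000-000000000001","targetValue":["00000000-0000-0000-0000-000000000002"],"operator":"In"},
  {"result":"False","path":"properties.principalType","targetValue":"ServicePrincipal","operator":"Equals"}]}}}]}}
'@
# Constructed sample: the body the build agent sent (roleDefinitionId, principalId, no principalType).
$agentBody = '{"properties":{"roleDefinitionId":"/placeholder/roleDefinitions/00000000-0000-0000-0000-000000000003","principalId":"00000000-0000-0000-0000-000000000001","canDelegate":false}}'

$denials = Get-PolicyDenialDetail -ErrorJson $sampleError
$denials | Format-Table -AutoSize
Get-MissingDeniedField -BodyJson $agentBody -Denials $denials
```

Against these constructed samples the table shows two False expressions (`properties.principalId` and `properties.principalType`), and the last call returns only `properties.principalType`, the field present in the local-machine request and absent from the agent's.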
eosfor commented 3 years ago

Hello @dagoroz, I see it was done very recently. What should we do to make it work?

dagoroz commented 3 years ago

@eosfor if it's possible for you to use Az.Resources 3.0.1, please do that. If there is a hard limitation that does not allow you to do that, I'm going to have to request a little patience.

I'm currently working on a fix to reestablish the 3.0.1 functionality in a way that doesn't break users.

KranthiPakala-MSFT commented 3 years ago

@dagoroz Following up to see if there is any update on this issue. Thank you.

dagoroz commented 3 years ago

This was solved a long time ago, closing.

KranthiPakala-MSFT commented 3 years ago

Thanks for the update @dagoroz