Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzRoleDefinition not always returning Condition and ConditionVersion fields #25940

Open andreacardinali opened 2 months ago

andreacardinali commented 2 months ago

Description

Get-AzRoleDefinition is not always returning the Condition and ConditionVersion fields. Enabling debug shows that the body with full results is returned from the API. This is happening with the builtin role "Azure Container Storage Owner", while other builtin roles return the Condition fields correctly. This issue is happening with Az.Resources module version 7.3.0 using both PowerShell 5.1 and 7.45.

Issue script & Debug output

PS C:\> $DebugPreference = "Continue"
PS C:\> Get-AzRoleDefinition "Azure Container Storage Owner"
DEBUG: 5:07:18 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:07:18 PM - GetAzureRoleDefinitionCommand begin processing with ParameterSet 'RoleDefinitionNameParameterSet'.
DEBUG: 5:07:18 PM - using account id '--REDACTED--'...
DEBUG: 5:07:18 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '--REDACTED--', environment: 'AzureCloud', tenant: '--REDACTED--'
DEBUG: 5:07:18 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 5:07:18 PM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 5:07:18 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'--REDACTED--', Scopes:'https://graph.microsoft.com//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'--REDACTED--'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 40f6c249-aff6-43cd-bb4d-897ea079729c] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 40f6c249-aff6-43cd-bb4d-897ea079729c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 40f6c249-aff6-43cd-bb4d-897ea079729c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 40f6c249-aff6-43cd-bb4d-897ea079729c] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 40f6c249-aff6-43cd-bb4d-897ea079729c] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z] Returning 1 accounts
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] MSAL MSAL.CoreCLR with assembly version '4.61.3.0'.
CorrelationId(38646510-08fe-49a2-a3c7-de85cc09ba36)
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] LoginHint provided: False
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] Account provided: True
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] ForceRefresh: False
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36]
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 38646510-08fe-49a2-a3c7-de85cc09ba36
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] === Token Acquisition (SilentRequest) started:
  Scopes: https://graph.microsoft.com//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] Access token is not expired. Returning the found cache entry. [Current time
(08/26/2024 15:07:18) - Expiration Time (08/27/2024 13:15:55 +00:00) - Extended Expiration Time (08/27/2024 13:15:55 +00:00)]
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] Returning access token found in cache. RefreshOn exists ? True
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 38646510-08fe-49a2-a3c7-de85cc09ba36]  AT expiration time: 8/27/2024 1:15:55 PM +00:00, scopes: email
https://graph.microsoft.com//.default https://graph.microsoft.com//AuditLog.Read.All https://graph.microsoft.com//Directory.AccessAsUser.All openid profile. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:  ExpiresOn: 2024-08-27T13:15:55.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '--REDACTED--', UserId: '--REDACTED--'
DEBUG: [Common.Authentication]: Authenticating using Account: '--REDACTED--', environment: 'AzureCloud', tenant: '--REDACTED--'
DEBUG: 5:07:18 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 5:07:18 PM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 5:07:18 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'--REDACTED--', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'--REDACTED--'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - cda354c7-d866-4769-a3b8-9a56f6ad9390] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - cda354c7-d866-4769-a3b8-9a56f6ad9390] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - cda354c7-d866-4769-a3b8-9a56f6ad9390] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - cda354c7-d866-4769-a3b8-9a56f6ad9390] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - cda354c7-d866-4769-a3b8-9a56f6ad9390] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z] Returning 1 accounts
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] MSAL MSAL.CoreCLR with assembly version '4.61.3.0'.
CorrelationId(332a06ab-d06b-43f8-b29e-bc9fb65e5038)
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] LoginHint provided: False
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] Account provided: True
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] ForceRefresh: False
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 332a06ab-d06b-43f8-b29e-bc9fb65e5038
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] === Token Acquisition (SilentRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] Access token is not expired. Returning the found cache entry. [Current time
(08/26/2024 15:07:18) - Expiration Time (08/26/2024 16:12:13 +00:00) - Extended Expiration Time (08/26/2024 16:12:13 +00:00)]
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.61.3.0 MSAL.CoreCLR .NET Framework 4.8.4739.0 Microsoft Windows 10.0.20348  [2024-08-26 15:07:18Z - 332a06ab-d06b-43f8-b29e-bc9fb65e5038]  AT expiration time: 8/26/2024 4:12:13 PM +00:00, scopes:
https://management.core.windows.net//.default https://management.core.windows.net//user_impersonation. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2024-08-26T16:12:13.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '--REDACTED--', UserId: '--REDACTED--'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/--REDACTED--/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Azure Container Storage Owner'&api-version=2022-05-01-preview

Headers:
x-ms-client-request-id        : 7aa32d82-e028-4378-82f0-c9752c1f49b4
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-request-id               : e08c1c98-252a-44ce-9ddd-e8c8beea8073
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-ratelimit-remaining-subscription-reads: 249
x-ms-ratelimit-remaining-subscription-global-reads: 3749
x-ms-correlation-request-id   : 6eb80341-fda8-40c9-ab1a-7b5e3c48296d
x-ms-routing-request-id       : FRANCESOUTH:20240826T150717Z:6eb80341-fda8-40c9-ab1a-7b5e3c48296d
X-Cache                       : CONFIG_NOCACHE
X-MSEdge-Ref                  : Ref A: 814C6F6B10984115B38CA96A813853F1 Ref B: MRS211050315029 Ref C: 2024-08-26T15:07:17Z
Cache-Control                 : no-cache
Date                          : Mon, 26 Aug 2024 15:07:17 GMT
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Azure Container Storage Owner",
        "type": "BuiltInRole",
        "description": "Lets you install Azure Container Storage and grants access to its storage resources",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.ElasticSan/elasticSans/*",
              "Microsoft.ElasticSan/locations/*",
              "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
              "Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
              "Microsoft.ElasticSan/locations/asyncoperations/read",
              "Microsoft.KubernetesConfiguration/extensions/write",
              "Microsoft.KubernetesConfiguration/extensions/read",
              "Microsoft.KubernetesConfiguration/extensions/delete",
              "Microsoft.KubernetesConfiguration/extensions/operations/read",
              "Microsoft.Authorization/*/read",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Resources/subscriptions/read",
              "Microsoft.Management/managementGroups/read",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Support/*"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          },
          {
            "actions": [
              "Microsoft.Authorization/roleAssignments/write",
              "Microsoft.Authorization/roleAssignments/delete"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
            "conditionVersion": "2.0",
            "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
          }
        ],
        "createdOn": "2024-03-08T18:56:34.4040797Z",
        "updatedOn": "2024-04-01T15:29:19.3176173Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/--REDACTED--/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-4664-9dde-11430bc34793",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "95de85bd-744d-4664-9dde-11430bc34793"
    }
  ]
}

DEBUG: 5:07:19 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].

Name             : Azure Container Storage Owner
Id               : 95de85bd-744d-4664-9dde-11430bc34793
IsCustom         : False
Description      : Lets you install Azure Container Storage and grants access to its storage resources
Actions          : {Microsoft.ElasticSan/elasticSans/*, Microsoft.ElasticSan/locations/*, Microsoft.ElasticSan/elasticSans/volumeGroups/*, Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*...}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}
Condition        :
ConditionVersion :

DEBUG: 5:07:19 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:07:19 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Resources:7.3.0; CommandName: Get-AzRoleDefinition; PSVersion: 5.1.20348.2582; IsSuccess: True; Duration: 00:00:01.2506435; SanitizeDuration: 00:00:00.0000043
DEBUG: 5:07:19 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:07:19 PM - GetAzureRoleDefinitionCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.20348.2582
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2582
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

PS C:\> get-module Az*

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     3.0.3      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     1.0.0      Az.ResourceGraph                    {Search-AzGraph, Get-AzResourceGraphQuery, New-AzResourceGraphQuery, Remove-AzResourceGraphQuery...}
Script     7.3.0      Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment...}

Error output

No response
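In the response above, the condition lives on the second `permissions` entry and constrains `Microsoft.Authorization/roleAssignments/write` to a single RoleDefinitionId, so an RBAC audit that relies on the cmdlet's empty `Condition` would not see that constraint. The following is an added example, not code from the report or from the Az module: it walks every `permissions` entry in the raw ARM response and compares the result with what `Get-AzRoleDefinition` reports. It assumes Az.Accounts (`Invoke-AzRestMethod`) and an existing Az context; the JSON at the bottom is a constructed sample with the same two-entry shape so the parser can be tried offline.

```powershell
# Added example (not from the issue or the Az module).
# Lists every ABAC condition found in a raw roleDefinitions response,
# regardless of which permissions entry carries it.
function Get-RoleDefinitionConditions {
    param([Parameter(Mandatory)][string]$RawJson)
    $doc = $RawJson | ConvertFrom-Json
    foreach ($def in $doc.value) {
        $i = 0
        foreach ($perm in $def.properties.permissions) {
            if (-not [string]::IsNullOrEmpty($perm.condition)) {
                [pscustomobject]@{
                    RoleName         = $def.properties.roleName
                    RoleId           = $def.name
                    PermissionIndex  = $i   # 0-based position in "permissions"
                    ConditionVersion = $perm.conditionVersion
                    Condition        = $perm.condition
                }
            }
            $i++
        }
    }
}

# Cross-checks the cmdlet output against the ARM API for one role name.
# Requires Connect-AzAccount to have been run; same API version as the report.
function Test-RoleDefinitionConditionParity {
    param([Parameter(Mandatory)][string]$RoleName,
          [string]$SubscriptionId = (Get-AzContext).Subscription.Id)
    $filter = [uri]::EscapeDataString("roleName eq '$RoleName'")
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions" +
            "?`$filter=$filter&api-version=2022-05-01-preview"
    $raw = (Invoke-AzRestMethod -Path $path -Method GET).Content
    $apiConditions = @(Get-RoleDefinitionConditions -RawJson $raw)
    $cmdlet = Get-AzRoleDefinition -Name $RoleName
    [pscustomobject]@{
        RoleName          = $RoleName
        ApiConditionCount = $apiConditions.Count
        CmdletCondition   = $cmdlet.Condition
        # True when the API returned a condition the cmdlet did not surface.
        Discrepancy       = ($apiConditions.Count -gt 0 -and
                             [string]::IsNullOrEmpty($cmdlet.Condition))
        ApiConditions     = $apiConditions
    }
}

# Constructed sample (not a real role): condition on the second permissions entry,
# mirroring the shape of the response in the report.
$sample = @'
{ "value": [ { "name": "00000000-0000-0000-0000-000000000000",
  "properties": { "roleName": "Sample Role", "permissions": [
    { "actions": ["Microsoft.Support/*"], "notActions": [] },
    { "actions": ["Microsoft.Authorization/roleAssignments/write"],
      "conditionVersion": "2.0",
      "condition": "(!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))" } ] } } ] }
'@
Get-RoleDefinitionConditions -RawJson $sample | Format-List
# Online: Test-RoleDefinitionConditionParity -RoleName 'Azure Container Storage Owner'
```

For the sample, `Get-RoleDefinitionConditions` returns one object with `PermissionIndex` 1; against a live subscription, `Discrepancy` is True for any role where the cmdlet drops a condition the API returned.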

isra-fel commented 2 months ago

Looks like there's some case where the Condition and ConditionVersion fields are not populated. These fields were introduced by https://github.com/Azure/azure-powershell/pull/23904 (cc @mumoryan). I'll loop in the RBAC team.

microsoft-github-policy-service[bot] commented 2 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @kenieva, @AshishGargMicrosoft.