Closed rsmccall33 closed 6 years ago
@rsmccall33 Can you please run Resolve-AzureRmError so we can see a bit more about the exception. Also, are you running this inside a runbook?
Hi Mark, yes this is running in a runbook. Below is the results of running Resolve-AzureRmError:
Logging in to Azure...
Environments
{[AzureUSGovernment, AzureUSGovernment], [AzureChinaCloud, AzureChinaCloud], [AzureGermanCloud, AzureGermanCloud], [A...
Creating this month's report in TEMP directory
Get-AzureRmRoleAssignment : Object reference not set to an instance of an object.
At line:70 char:1
+ CategoryInfo : CloseError: (:) [Get-AzureRmRoleAssignment], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
InnerException : False
Exception : System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HelpLink :
ErrorDetails :
ErrorCategory : CloseError: (:) [Get-AzureRmRoleAssignment], NullReferenceException
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at
Any more info that I can provide?
@rsmccall33 I suspect that the problem is here: https://github.com/Azure/azure-powershell/blob/preview/src/Common/Commands.Common.Authentication.Abstractions/AzureEnvironmentConstants.cs#L91 The graph endpoint for government cloud may be incorrectly set, so that this issue is really about being unable to look up the graph object id for role assignments. We will verify in government cloud and then update this issue. If this is the case, there is a simple workaround.
Hi Mark, is the workaround something that I can try soon to verify?
Thanks!
Hi, do you know of any progress with this? Thank you.
@rsmccall33 The graph endpoint shouldn't be the issue here. Can you retry Get-AzureRmRoleAssignment with the latest version of Azure PowerShell and let us know if the issue persists? I remember there was a bug related to this issue in an earlier PS release, which was fixed.
A MS Graph API Developer found and recommended the following. What I'm uncertain of is why my logged-on user account would be the impersonating account when the code is designed to use the Run As Account. The other problem is that the Enterprise App that it is complaining about is the Azure Portal Fairfax, which is being used to facilitate our authentication. I'm not sure what the implications would be if we removed it as an Ent App to add the permissions and added it back as an Ent App.
The problem can be seen in Packet 62 with the following call:
Absolute Uri: https://graph.windows.net/f1cd7b9b-4174-4e3a-8ebb-a2a30a6ab279/getObjectsByObjectIds?api-version=1.6
You get the error:
Body: { "odata.error": { "code": "Authorization_RequestDenied", "message": { "lang": "en", "value": "Insufficient privileges to complete the operation." } } }
The problem can be found in the access token being utilized by this call within your Automation. If you decrypt the access token found in the request header in Packet 62 at https://jwt.ms , you will notice that your user account only has one permission, SCP: user_impersonation .
In order to perform this call to read Directory Objects, I think you will need to have the Delegated Permission of “Directory.Read.All” per Azure Graph API Documentation “Permission scopes | Graph API concepts” - https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
You will need to add the “Read directory data” Delegated permission to your Application (c836cbdb-7a5b-44cc-a54f-564b4b486fc6). It is a “Require Admin” permission, which means that a Tenant Admin must consent to this permission (by clicking the “Grant Permissions” button in the “Required Permissions” blade). You can verify that the permission has been successfully added by decrypting the new access token provided.
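The recommendation above boils down to one check: look at the scp (delegated) or roles (application) claim of the access token that the Graph call actually presented, and confirm that Directory.Read.All is there. The following is an added example, not code from the thread or from Azure PowerShell: it decodes a JWT payload offline (no signature verification, inspection only, the same thing jwt.ms does in the browser) and reports whether the token carries a directory-read scope. The token would be the one captured from the getObjectsByObjectIds request, as in the trace discussed above; the New-UnsignedJwt helper and the two sample claim sets (aud of https://graph.windows.net, scp before and after the permission grant) are constructed here purely so the check can be run without a real token.

```powershell
# Added example (not from the original issue): inspect the scp/roles claims of an
# Azure AD access token to see whether it can satisfy the AAD Graph
# getObjectsByObjectIds call that Get-AzureRmRoleAssignment makes.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS (expected header.payload.signature)." }
    # The payload is base64url: restore the standard alphabet and the '=' padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw "Invalid base64url payload length." }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphDirectoryReadScope {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $scopes = @()
    if ($claims.scp)   { $scopes += ($claims.scp -split ' ') }   # delegated permissions (user/Run As context)
    if ($claims.roles) { $scopes += $claims.roles }              # application permissions (app-only token)
    [pscustomobject]@{
        Audience         = $claims.aud
        Scopes           = $scopes
        HasDirectoryRead = [bool](($scopes -contains 'Directory.Read.All') -or
                                  ($scopes -contains 'Directory.ReadWrite.All'))
    }
}

function New-UnsignedJwt {
    # Constructed test helper: builds an alg "none" token so the decoder can be
    # exercised offline. Never accept such tokens in real code; this is only
    # for feeding known claims into ConvertFrom-JwtPayload.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param([string]$s)
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc ($Claims | ConvertTo-Json -Compress)
    return ($header + '.' + $payload + '.')   # empty signature segment
}

# Sample claim sets (constructed): what the trace in the thread showed before the
# admin consent, and what it should look like once "Read directory data" is granted.
$before = New-UnsignedJwt @{ aud = 'https://graph.windows.net'; scp = 'user_impersonation' }
$after  = New-UnsignedJwt @{ aud = 'https://graph.windows.net'; scp = 'user_impersonation Directory.Read.All' }

Test-GraphDirectoryReadScope -Token $before | Format-List   # HasDirectoryRead : False
Test-GraphDirectoryReadScope -Token $after  | Format-List   # HasDirectoryRead : True
```

In a runbook you would run Test-GraphDirectoryReadScope against the token captured from the failing request rather than against the constructed samples; a result of HasDirectoryRead False with only user_impersonation in Scopes is the condition the Graph developer describes, and the cmdlet then surfaces it as the NullReferenceException shown earlier in this thread rather than as an authorization error.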
@darshanhs90 this is powershell in an azure runbook. The AzureRM.Network module is at version 5.1.0. I ran the update modules step twice this morning and ran the runbook and it has failed still.
@darshanhs90 I failed to mention that this is also in Azure Gov.
@rsmccall33 Get-AzureRmRoleAssignment is part of AzureRM.Resources, so can you update it to the latest version and let me know if the issue persists?
@darshanhs90 oh yes, my mistake. AzureRM.Resources was also updated. Current version is 5.2.0
@rsmccall33 So, I think you have the answer on this, right? You need to add the correct permissions to your application in order to read the graph objects that are contained in the role assignments.
@markcowl I opened a MS case too, and was told that apparently there is a random Enterprise App that requires a permission change to allow the Run As account to read its properties. However, it is the Azure Portal Fairfax app and it appears that it handles logons...? We aren't sure of the ramifications of this action, i.e. removing it as an Ent App, making the permission change, and making it into an Ent App again.
Closing this issue as it is a permissions issue rather than an issue with the Get-AzureRmRoleAssignment cmdlet. The service principal that gets created can be assigned proper permissions through the portal.
@darshanhs90 we should look into fixing this error message so it is clear what is happening rather than throwing the null-reference error.
Cmdlet(s)
Get-AzureRmRoleAssignment
PowerShell Version
5.1.15063.726
Module Version
AzureRM.Resources 5.1.1
OS Version
10.0.15063.726
Description
System.NullReferenceException: Object reference not set to an instance of an object.
Debug Output
Script/Steps for Reproduction