@MouthOfMadness would you mind providing the following: (1) Az / AzureRM, which are you using? (Get-Module -Name Az* -ListAvailable); (2) Resolve-AzError (or Resolve-AzureRmError if you're using AzureRM); (3) $DebugPreference = "Continue" and then running the failed command.
Sorry, it got away from me, I'm still collecting the data.
This is the stack trace of the Resolve-AzureRmError:
DEBUG: Caught exception, type: Microsoft.Azure.Graph.RBAC.Version1_6.Models.GraphErrorException
2018-12-18T22:20:49.8198823Z ********************** resolved -azurermerror
2018-12-18T22:20:49.8198923Z DEBUG: 10:20:49 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
2018-12-18T22:20:49.8199044Z DEBUG: 10:20:49 PM - using account id '***'...
2018-12-18T22:20:49.8199110Z
2018-12-18T22:20:49.8199309Z
2018-12-18T22:20:49.8199350Z HistoryId: 1
2018-12-18T22:20:49.8199383Z
2018-12-18T22:20:49.8199471Z
2018-12-18T22:20:49.8199522Z Message : Insufficient privileges to complete the operation.
2018-12-18T22:20:49.8199590Z StackTrace : at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext
2018-12-18T22:20:49.8199669Z funcContext, Exception exception)
2018-12-18T22:20:49.8199732Z at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
2018-12-18T22:20:49.8199817Z at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
2018-12-18T22:20:49.8199885Z frame)
2018-12-18T22:20:49.8199962Z at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
2018-12-18T22:20:49.8200017Z frame)
2018-12-18T22:20:49.8200092Z at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
2018-12-18T22:20:49.8200159Z at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
2018-12-18T22:20:49.8200224Z at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(ScriptBlockClauseToInvoke
2018-12-18T22:20:49.8200311Z clauseToInvoke, Boolean createLocalScope, Dictionary`2 functionsToDefine, List`1 variablesToDefine,
2018-12-18T22:20:49.8200379Z ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis,
2018-12-18T22:20:49.8200470Z Pipe outputPipe, InvocationInfo invocationInfo, Object[] args)
2018-12-18T22:20:49.8200536Z at System.Management.Automation.ScriptBlock.<>c__DisplayClass57_0.<InvokeWithPipe>b__0()
2018-12-18T22:20:49.8208420Z at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck
2018-12-18T22:20:49.8210900Z (Action action)
2018-12-18T22:20:49.8214416Z at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean useLocalScope,
2018-12-18T22:20:49.8214534Z ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object scriptThis,
2018-12-18T22:20:49.8215258Z Pipe outputPipe, InvocationInfo invocationInfo, Boolean propagateAllExceptionsToTop, List`1
2018-12-18T22:20:49.8216365Z variablesToDefine, Dictionary`2 functionsToDefine, Object[] args)
2018-12-18T22:20:49.8219715Z at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(Cmdlet contextCmdlet, Boolean
2018-12-18T22:20:49.8220099Z useLocalScope, ErrorHandlingBehavior errorHandlingBehavior, Object dollarUnder, Object input, Object
2018-12-18T22:20:49.8220856Z scriptThis, Object[] args)
2018-12-18T22:20:49.8221774Z at Microsoft.PowerShell.Commands.ForEachObjectCommand.ProcessRecord()
2018-12-18T22:20:49.8222462Z at System.Management.Automation.CommandProcessor.ProcessRecord()
2018-12-18T22:20:49.8223590Z at System.Management.Automation.CommandProcessorBase.DoExecute()
2018-12-18T22:20:49.8224356Z at System.Management.Automation.Internal.Pipe.AddToPipe(Object obj)
2018-12-18T22:20:49.8226209Z at System.Management.Automation.MshCommandRuntime._WriteErrorSkipAllowCheck(ErrorRecord
2018-12-18T22:20:49.8226311Z errorRecord, Nullable`1 actionPreference)
2018-12-18T22:20:49.8227484Z at System.Management.Automation.MshCommandRuntime.DoWriteError(Object obj)
2018-12-18T22:20:49.8229587Z at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback callback,
2018-12-18T22:20:49.8229667Z Object state)
2018-12-18T22:20:49.8231301Z at System.Management.Automation.MshCommandRuntime.WriteError(ErrorRecord errorRecord, Boolean
2018-12-18T22:20:49.8231377Z overrideInquire)
2018-12-18T22:20:49.8232318Z at System.Management.Automation.Cmdlet.WriteError(ErrorRecord errorRecord)
2018-12-18T22:20:49.8240927Z at Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.ActiveDirectoryBaseCmdlet.HandleException(
2018-12-18T22:20:49.8241006Z Exception exception)
2018-12-18T22:20:49.8242636Z at
2018-12-18T22:20:49.8242741Z Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.ActiveDirectoryBaseCmdlet.ExecutionBlock(Action
2018-12-18T22:20:49.8243478Z execAction)
2018-12-18T22:20:49.8244477Z at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
2018-12-18T22:20:49.8245377Z Exception : System.Management.Automation.RuntimeException
2018-12-18T22:20:49.8246712Z InvocationInfo : {Get-AzureRmADApplication}
2018-12-18T22:20:49.8247554Z Line : $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8248449Z
2018-12-18T22:20:49.8250539Z Position : At D:\a\r1\a\NotificationService-ASP.NET Core (.NET
2018-12-18T22:20:49.8250624Z Framework)-CI\drop\Concentric.Service.Notification.Deploy\set-keyvaultAccess.ps1:32 char:8
2018-12-18T22:20:49.8251559Z + $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8252274Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2018-12-18T22:20:49.8281886Z HistoryId : 1
2018-12-18T22:20:49.8281955Z
2018-12-18T22:20:49.8283756Z Message : Insufficient privileges to complete the operation.
2018-12-18T22:20:49.8283852Z StackTrace :
2018-12-18T22:20:49.8284824Z Exception : System.Exception
2018-12-18T22:20:49.8285531Z InvocationInfo : {Get-AzureRmADApplication}
2018-12-18T22:20:49.8287191Z Line : $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8287301Z
2018-12-18T22:20:49.8289063Z Position : At D:\a\r1\a\NotificationService-ASP.NET Core (.NET
2018-12-18T22:20:49.8289171Z Framework)-CI\drop\Concentric.Service.Notification.Deploy\set-keyvaultAccess.ps1:32 char:8
2018-12-18T22:20:49.8290407Z + $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8291132Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2018-12-18T22:20:49.8297580Z HistoryId : 1
2018-12-18T22:20:49.8297677Z
2018-12-18T22:20:49.8300229Z Message : Insufficient privileges to complete the operation.
2018-12-18T22:20:49.8300302Z StackTrace :
2018-12-18T22:20:49.8301229Z Exception : System.Exception
2018-12-18T22:20:49.8301923Z InvocationInfo : {Get-AzureRmADApplication}
2018-12-18T22:20:49.8303178Z Line : $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8303251Z
2018-12-18T22:20:49.8304677Z Position : At D:\a\r1\a\NotificationService-ASP.NET Core (.NET
2018-12-18T22:20:49.8304782Z Framework)-CI\drop\Concentric.Service.Notification.Deploy\set-keyvaultAccess.ps1:32 char:8
2018-12-18T22:20:49.8306109Z + $app = Get-AzureRmADApplication -DisplayNameStartWith $appName
2018-12-18T22:20:49.8307055Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2018-12-18T22:20:49.8310265Z HistoryId : 1
2018-12-18T22:20:49.8310334Z
2018-12-18T22:20:49.8368006Z DEBUG: AzureQoSEvent: CommandName - Resolve-AzureRmError; IsSuccess - True; Duration - 00:00:00.2897294; Exception - ;
2018-12-18T22:20:50.2726702Z DEBUG: Finish sending metric.
@MouthOfMadness I would make sure that the account you're using to access the applications has proper permissions in the current tenant. Running Get-AzureRmContext will give you more information about the account you are currently using to make the call to AD.
(From my script in VSTS), I won’t print the outcomes but this is the code I printed in my log, I’m exactly in the subscription that I want to be.
Write-Host("get context")
$rc = Get-AzureRmContext
Write-Host("rca = '$($rc.Account)'")
Write-Host("rce = '$($rc.Environment)'")
Write-Host("rcn = '$($rc.Name)'")
Write-Host("rcs = '$($rc.Subscription)'")
Write-Host("rct = '$($rc.Tenant)'")
There’s only the single subscription and tenant, my Service Principal has been configured with these APIs and every permission within the API. Is there a specific permission that you think I’m missing?
From: Cormac McCarthy notifications@github.com Sent: Tuesday, December 18, 2018 5:53 PM To: Azure/azure-powershell azure-powershell@noreply.github.com Cc: James Mattern James.Mattern@aiworldwide.com; Mention mention@noreply.github.com Subject: Re: [Azure/azure-powershell] Get-AzureRmADApplication insufficient privileges (#8163)
Let me attach the picture that keeps getting dropped
Based on the picture I attached, which permission do you think I'm missing?
@MouthOfMadness Apologies for the delayed response. I would make sure of two things:
(1) The permissions you have above are fine (you should only need Windows Azure Active Directory for the calls being made with our cmdlets), but I would make sure that you clicked the Grant permissions button to ensure that your application is given the permissions.
(2) You've created a role assignment to grant the service principal access over the given subscription. From the subscriptions blade, select the subscription you want to grant the service principal access over, then select Access control (IAM), and then select Add role assignment. You can then select your application and the corresponding role you'd like it to have over the subscription (I usually select Contributor).
Please let me know if you're still seeing the same error above after confirming the above two.
I have every permission granted for each API, and it won't let me assign a second Contributor Role as the role already exists.
@grlin Hey Grace, the user above has a service principal with a role assignment over their given subscription, and the service principal has been granted the appropriate permissions in the tenant, but is still receiving the "Insufficient privileges to complete the operation." error message when trying to run the Get-AzADApplication cmdlet when authenticated in Azure PowerShell with the service principal. Is there anything additional that you can think of that would be causing this issue?
You just need to grant this permission to make it work:
I've tested on my tenant and used AzureRM module and it works fine; so there's something weird with AZ Module
OK.... now it's odd..... I didn't change anything but I logged once with an AppId using AzureRM module on PS 5.1..... after that, Get-AzADApplication in PSCore started to work. Even further, I created a new App thinking it might be related on how the cached token is accessed and it's working too..... really no-sense to me.... Right granted to the new app:
I started with the default grants for a contributor; but in my desperation, I selected every single API and permission to work around this problem without luck.
@MouthOfMadness Did you click "Grant permissions"? Ticking them might not be enough. They need to be granted by a tenant administrator. I had a similar issue in my tenant, but I am not an admin, so I was able to tick the permissions, but a tenant admin had to grant them.
For reading AAD as a Service Principal you'd only need "Read directory data" application permission. Alternatively, your automation could log in as a domain user with Login-AzAccount -Credential.
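The two checks discussed in this thread (a role assignment on the subscription, and an admin-granted directory-read permission) are separate failure modes. As an added example that is not code from the thread or from the Azure PowerShell project, the script below signs in as the service principal, prints the context, confirms the subscription role assignment, and then tells the two failures apart; the tenant id, application id, secret and display-name prefix are placeholders you supply.

```powershell
# Added example (not from the thread). Assumes the Az modules are installed and that the
# environment variables below hold placeholder values you supply for your own tenant.
$tenantId = $env:AZ_TENANT_ID
$appId    = $env:AZ_APP_ID
$secret   = ConvertTo-SecureString $env:AZ_APP_SECRET -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential ($appId, $secret)
$prefix   = 'NotificationService'   # placeholder display-name prefix for the lookup

# 1. Sign in as the service principal (the same identity the pipeline uses) and show the
#    context the thread asks for: which account, tenant and subscription the calls run under.
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null
$ctx = Get-AzContext
Write-Host ("Account={0} Tenant={1} Subscription={2}" -f $ctx.Account.Id, $ctx.Tenant.Id, $ctx.Subscription.Id)

# 2. ARM side: is there a role assignment for this principal on the subscription?
#    This is the "Access control (IAM)" step; it does not by itself allow directory reads.
$scope = "/subscriptions/$($ctx.Subscription.Id)"
$roles = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope $scope -ErrorAction SilentlyContinue
if (-not $roles) {
    Write-Warning "No role assignment for $appId at $scope; add one under Access control (IAM)."
} else {
    $names = ($roles.RoleDefinitionName | Sort-Object -Unique) -join ', '
    Write-Host "Role(s) at ${scope}: $names"
}

# 3. Directory side: the call that fails in the thread. A subscription role is not enough;
#    the app needs the directory-read application permission, granted by a tenant admin.
try {
    $apps = Get-AzADApplication -DisplayNameStartWith $prefix -ErrorAction Stop
    Write-Host ("Directory read OK, {0} application(s) returned." -f @($apps).Count)
} catch {
    if ($_.Exception.Message -match 'Insufficient privileges') {
        Write-Warning ("Directory read denied for $appId. Ticking 'Read directory data' is not " +
                       "enough: a tenant administrator must grant (consent to) the permission.")
    } else {
        throw
    }
}
```

If step 2 reports a role but step 3 is denied, the missing piece is the admin grant, not another role assignment.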
Hello,
I came across this thread through a Google search, and I was wondering what the outcome of this issue is because I am experiencing the same issue: I have an App Registration that has "Directory.Read.All" in the Microsoft.Graph API with consent given by the admin. When I connect as the App Registration's service principal in PowerShell and run this command:
Get-AzADServicePrincipal -DisplayName "name of service principal"
I get this error:
Get-AzADServicePrincipal : Insufficient privileges to complete the operation.
At line:1 char:1
+ Get-AzADServicePrincipal -DisplayName "app-hdi-test"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-AzADServicePrincipal], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.GetAzureADServicePrincipalCommand
This looks awfully similar to the issue that @MouthOfMadness is experiencing, hence this post.
Thank you.
@januschr The solution posted by @xenalite fixed my issue; he or she was correct, you have to grant them, ticking them isn't enough (even though it persists for ticks between sessions, they haven't been applied). This should really be a bug against the UI, as you really think you have them applied.
Thank you for the response. In my case the privileges granted to the service principal have been granted, so the cause of the issue must be different.
It would appear that many of the PowerShell cmdlets use the old Azure Active Directory Graph API as opposed to the newer Microsoft Graph that is supposed to replace it. Several cmdlets from Az.Resources (v. 1.13.0) refuse to authenticate using Microsoft Graph.
Perhaps someone from @Microsoft would care to comment.
Issue is not Resolved. Please Reopen
@cormacpayne Is there any progress or plans to make the change to the Microsoft Graph api? Our tenant manages our registered apps and we are only granted permissions for Microsoft Graph.
@tylertownsend Hey there, I'm no longer a member of the Azure PowerShell team, but I think @dingmeng-xue should be able to help out with getting the right folks to take a look at this issue.
Thank you for the follow up @cormacpayne. @dingmeng-xue if you could point me to the right folks, that would be greatly appreciated.
Description
I'm using a service principal to query and configure another application for the purpose of putting a policy in a key vault, but every powershell command returns insufficient privileges.
I have configured my service principal with every possible permission (see the attached screen shot).
Script/Steps for Reproduction
I can't get past the Get-AzureRmADApplication without an Authorization_RequestDenied error when I run a Powershell script in VSTS using the latest version of powershell. In testing, the commands work on my desktop, I suppose because I'm a user rather than a service principal.
Module Version
Environment Data
Debug Output