Closed brianmooremsft closed 3 months ago
Was able to reproduce issue with Get-AzManagmentGroup in customer environment.
Refactored in EPAC new REST Method script to replace Get-AzManagement Group, and work with team to update dependencies in all subsequent scripts/commands that relied on this command.
Added new script/commandlet Get-AzManagementGroupRestMethod.
PR is complete and module is released
Describe the bug In customer environment where user account running EPAC has required roles (reader + policy resource contributore + role based access control administror) when running hyrdration kit and other EPAC scripts, if heirarchy contains a subscriptions which has been disabled or is in some other state other than "avtive", when the command Get-AzManagementGroup is invoked it generates an error to the effect Get-AzManagementGroup: The client 'client@client.onmicrosoft.com' with object id XXXXXXXX-d218-49fc-b3a0-421f69dc25ad' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/XXXXXXX-8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.
It appear the PS module is trying to perform a resource provide registration action, which the user account does not have permissions to do.
Conjecture this a behavioral issue with Get-AzManagementGroup, and shoudl be remediated by instantiating the command as a REST call, similar to how other AZ commands have been transformed in EPAC.
To Reproduce Working to reproduce with a "disabled" tenant. Also, we beleive customer may generally be seeing this behavior because of some deprecated Azure test subscirptions previously provisioned only for Azure portal access testing (see https://learn.microsoft.com/en-us/answers/questions/1657719/subscription-offer-access-to-azure-active-director)
Expected behavior Instead of error from Get-AzManagementGroup, new function for Get-AzManagementGroup REST call should process to build manangement group hierarchy list without error.
Screenshots If applicable, add screenshots to help explain your problem.
EPAC Version 10.3