Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Error with Get-AzManagementGroup when subscription has deleted or other non-active state #680

Closed brianmooremsft closed 3 months ago

brianmooremsft commented 3 months ago

Describe the bug In customer environment where user account running EPAC has required roles (reader + policy resource contributor + role based access control administrator) when running hydration kit and other EPAC scripts, if hierarchy contains a subscription which has been disabled or is in some other state other than "active", when the command Get-AzManagementGroup is invoked it generates an error to the effect Get-AzManagementGroup: The client 'client@client.onmicrosoft.com' with object id XXXXXXXX-d218-49fc-b3a0-421f69dc25ad' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/XXXXXXX-8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.

It appears the PS module is trying to perform a resource provider registration action, which the user account does not have permissions to do.

Conjecture: this is a behavioral issue with Get-AzManagementGroup, and should be remediated by instantiating the command as a REST call, similar to how other AZ commands have been transformed in EPAC.

To Reproduce Working to reproduce with a "disabled" tenant. Also, we believe customer may generally be seeing this behavior because of some deprecated Azure test subscriptions previously provisioned only for Azure portal access testing (see https://learn.microsoft.com/en-us/answers/questions/1657719/subscription-offer-access-to-azure-active-director)

Expected behavior Instead of error from Get-AzManagementGroup, new function for Get-AzManagementGroup REST call should process to build management group hierarchy list without error.

Screenshots If applicable, add screenshots to help explain your problem.

EPAC Version 10.3

brianmooremsft commented 3 months ago

Was able to reproduce issue with Get-AzManagementGroup in customer environment.
Refactored in EPAC new REST Method script to replace Get-AzManagementGroup, and worked with the team to update dependencies in all subsequent scripts/commands that relied on this command.

Added new script/commandlet Get-AzManagementGroupRestMethod.
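The approach described in this thread, as an added illustration that is not EPAC's own Get-AzManagementGroupRestMethod: read the management group hierarchy with one REST GET through Invoke-AzRestMethod (Az.Accounts), which only needs read access and never attempts Microsoft.Management/register/action on the subscriptions it lists. The function names, the placeholder management group id and the api-version 2020-05-01 are assumptions of this example.

```powershell
# Added example, not EPAC project code. Assumes Az.Accounts is installed and
# Connect-AzAccount has already been run with a reader-level identity.
function Get-ManagementGroupTreeRest {
    param(
        [Parameter(Mandatory)] [string] $ManagementGroupId,
        [string] $ApiVersion = "2020-05-01"
    )
    # $expand=children&$recurse=true returns the whole subtree in one call;
    # the backtick keeps PowerShell from expanding $expand/$recurse as variables.
    $path = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId" +
            "?api-version=$ApiVersion&`$expand=children&`$recurse=true"
    $response = Invoke-AzRestMethod -Path $path -Method GET
    if ($response.StatusCode -ne 200) {
        throw "GET $path failed with HTTP $($response.StatusCode): $($response.Content)"
    }
    return ($response.Content | ConvertFrom-Json)
}

# Flatten the returned tree into one row per node. Subscriptions in a disabled
# or deleted state are simply listed; nothing is registered on them.
function ConvertTo-FlatHierarchy {
    param(
        [Parameter(Mandatory)] $Node,
        [int] $Depth = 0
    )
    # The root object carries displayName/children under .properties;
    # descendant nodes carry them at the top level.
    $props       = if ($Node.properties) { $Node.properties } else { $Node }
    $displayName = $props.displayName
    $children    = $props.children

    [pscustomobject]@{
        Depth       = $Depth
        Type        = $Node.type
        Name        = $Node.name
        DisplayName = $displayName
    }
    foreach ($child in @($children)) {
        if ($null -ne $child) {
            ConvertTo-FlatHierarchy -Node $child -Depth ($Depth + 1)
        }
    }
}

# Placeholder id: replace with the tenant root or any management group you can read.
$root = Get-ManagementGroupTreeRest -ManagementGroupId "<your-management-group-id>"
ConvertTo-FlatHierarchy -Node $root | Format-Table -AutoSize
```

Nodes of type Microsoft.Management/managementGroups and /subscriptions appear in the same table, so a non-active subscription shows up as a row rather than as an authorization error.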

anwather commented 3 months ago

PR is complete and module is released