JulianHayward / Azure-MG-Sub-Governance-Reporting

Azure Governance Visualizer aka AzGovViz is a PowerShell script that captures Azure Governance related information such as Azure Policy, RBAC (a lot more) by polling Azure ARM, Storage and Microsoft Graph APIs.
MIT License

Issue with subscription "Access to Azure Active Directory" #161

Closed aricade closed 1 year ago

aricade commented 1 year ago

Running with a SPN the script gets stuck in an endless failing loop if it tries to analyze MS special subscriptions for licensing called "Access to Azure Active Directory". Not even Tenant Owner/Global Admin can see the roles of these subscriptions. I think only MS can.

Is there a way to add a Subscription Exclude List? Or perhaps another strategy that will work with the code as it is now?

I have been using Management groups to work around it but right now we are moving subscriptions and it would be helpful to analyze everything (subscriptions) from the tenant-root-group.

JulianHayward commented 1 year ago

@aricade that functionality should already be in the script / excluding subscriptions with quotaId 'AAD_*'. Please pass more details at which stage it gets stuck /provide logs and please execute with parameter: -debugAzAPICall

aricade commented 1 year ago

Thanks @JulianHayward

Please pass more details at which stage it gets stuck /provide logs and please execute with parameter: -debugAzAPICall

I ran this connected with SPN that has Tenant READ:

Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall

This is the interesting part of the debug verbosity:

[AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> [AzAPICall] Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> - retry
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> attempt#7 processing: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> uri: 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$count=true&$filter=(roleDefinition/resource/id eq '67ac961a-66fc-4072-98db-48ca82261e3d')+and+(assignmentState eq 'Eligible')&$top=100'
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> unexpectedError: false
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> apiStatusCode: '400' (BadRequest)
[AzAPICallErrorHandler] Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> try #7; return: (StatusCode: '400' (BadRequest)) <.code: ''> <.error.code: 'UnknownError'> | <.message: ''> <.error.message: '{"error":{"code":"DisallowedOperation","message":"The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."}}'> - AzAPICall: try again in 7 second(s)

Like this over and over; the "AzAPICall: try again in <#> second(s)" keeps incrementing...

I seem to have 2 Access to Azure Active Directory subscriptions and it goes back and forth between each one retrying... EDIT: I shall try -SubscriptionQuotaIdWhitelist $ArrayOfQuotaidStrings, thank you! But this is the quota ID for subscriptions I want to include (and not exclude), right?

I ran this to determine the whitelist subscriptions: Get-AzSubscription | select Id,Name,@{label='QuotaID';E={$_.SubscriptionPolicies.QuotaId}}

EDIT 2: This fixed my issue:

Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -SubscriptionQuotaIdWhitelist "AAD_"

So -SubscriptionQuotaIdWhitelist is an exclude of subscriptions with matching prefix. Thanks!

PS: thanks for all your work on this project! It is awesome!

JulianHayward commented 1 year ago

@aricade ok, got it - requires a fix, will update here. Meanwhile try parameter -NoPIMEligibility.
:) Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId
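The two points in this exchange, the whitelist keeping only subscriptions whose quotaId matches a prefix (as the maintainer states) and the 400 DisallowedOperation response from the debug output being a permanent condition that no retry can fix, modelled in an added PowerShell example. This is not AzGovViz's own code: the subscription objects and error body are constructed, and the prefix matching via StartsWith and the Get-GraphErrorAction helper are assumptions about how such a check could be written.

```powershell
# Constructed sample: same shape as Get-AzSubscription output (Id, Name,
# SubscriptionPolicies.QuotaId); the Ids and quotaId suffixes are placeholders.
$subscriptions = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; Name = 'Prod'
                       SubscriptionPolicies = @{ QuotaId = 'CSP_2015-05-01' } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; Name = 'Dev'
                       SubscriptionPolicies = @{ QuotaId = 'MSDN_2014-09-01' } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'
                       Name = 'Access to Azure Active Directory'
                       SubscriptionPolicies = @{ QuotaId = 'AAD_2015-09-01' } }
)

function Select-SubscriptionByQuotaPrefix {
    # Whitelist semantics: keep only subscriptions whose QuotaId starts with one of
    # the given prefixes; everything else (here the AAD_ subscription) is dropped.
    # Prefix matching with StartsWith is an assumption, not AzGovViz's matching rule.
    param([object[]]$Subscriptions, [string[]]$QuotaIdWhitelist)
    $Subscriptions | Where-Object {
        $quotaId = $_.SubscriptionPolicies.QuotaId
        @($QuotaIdWhitelist | Where-Object { $quotaId.StartsWith($_) }).Count -gt 0
    }
}

function Get-GraphErrorAction {
    # Hypothetical classifier for a failed API call. Throttling (429) and server
    # errors (5xx) are transient and worth a retry; a 400 carrying
    # error.code 'DisallowedOperation' means the subscription type can never serve
    # the request, so the caller should skip the scope instead of looping forever.
    param([int]$StatusCode, [string]$ErrorBody)
    if ($StatusCode -eq 429 -or $StatusCode -ge 500) { return 'retry' }
    $code = $null
    try { $code = ($ErrorBody | ConvertFrom-Json).error.code } catch { }
    if ($code -eq 'DisallowedOperation') { return 'skip' }
    return 'fail'
}

# Constructed error body, same shape as the one in the debug output above.
$body = '{"error":{"code":"DisallowedOperation","message":"The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."}}'

# Only Prod and Dev survive the whitelist 'CSP_','MSDN_'.
Select-SubscriptionByQuotaPrefix -Subscriptions $subscriptions -QuotaIdWhitelist 'CSP_','MSDN_' |
    Select-Object Name, @{ Label = 'QuotaId'; Expression = { $_.SubscriptionPolicies.QuotaId } }

# The DisallowedOperation response is classified 'skip', not 'retry'.
"Action for the failing PIM call: $(Get-GraphErrorAction -StatusCode 400 -ErrorBody $body)"
```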

aricade commented 1 year ago

:) Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId

Wait, really? That is interesting; I think it might be the opposite. Let me verify. I will update here. Yeah, you are right... Of course, you made the script. Getting confused now. I ran with -SubscriptionQuotaIdWhitelist "CSP_","MSDN_" in my case.

ok, got it - requires a fix, will update here. Meanwhile try parameter -NoPIMEligibility.

Well, I have tested the 2 workarounds below after some confusion:

Option 1: If you want PIM: Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -SubscriptionQuotaIdWhitelist "CSP_","MSDN_"

Option 2: If you don't need PIM: Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -NoPIMEligibility

JulianHayward commented 1 year ago

Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId, hence all the nice data for subscriptions with other quotaIds will not be available


I fear - if you need the PIM data you will need to await the fix

aricade commented 1 year ago

I fear - if you need the PIM data you will need to await the fix

Well that's all good, appreciate you looking into this. When you get around to it, let me know and I will verify.

MarcelHeek commented 1 year ago

Had the same "Access to Azure AD" subscriptions. These are legacy and can be deleted. However, you cannot do that yourself and need to raise a support ticket with MS to get them removed. I recall there is a 90 day retention before they can actually be deleted.

https://www.jasonfritts.me/2020/04/07/what-is-the-access-to-azure-active-directory-subscription-for/#:~:text=The%20%E2%80%9CAccess%20to%20Azure%20Active%20Directory%E2%80%9D%20subscriptions%20are%20a%20legacy,portal.azure.com

https://stackoverflow.com/questions/68623828/access-to-azure-active-directory-subscription-permission-error

So in the meantime I am running with the -SubscriptionQuotaIdWhitelist argument populated

aricade commented 1 year ago

@MarcelHeek

Had the same "Access to Azure AD" subscriptions. These are legacy and can be deleted. However, you cannot do that yourself and need to raise a support ticket with MS to get them removed. I recall there is a 90 day retention before they can actually be deleted.

Yes, I had a call with MS escalated through my CSP. Though the support analyst was saying that these 2 subscriptions are from AAD_PREMIUM_P2 licenses and some free trial, claiming they are required for Azure AD Connect and other features. But after I showed them that as a Subscription Owner I did not have access to modify permissions through IAM, they are looking into it. I think you are right they are legacy and I directed them to your first link when I started the ticket, but they seemed convinced this was normal. Hence I started this issue. But I will point them to this issue and the links you have supplied. Thank you very much!

So in the meantime I am running with the -SubscriptionQuotaIdWhitelist argument populated

With or without PIM (do you use an App Registration/SPN)? Interestingly, I only have issues when running with SPN as I want to see PIM setup/config.

But -SubscriptionQuotaIdWhitelist does not seem to work for me. That said, if I can have MS remove the subscriptions this may resolve all my issues.

Thanks!

JulianHayward commented 1 year ago

@aricade @MarcelHeek please check the dev branch. Do not use the parameters:

aricade commented 1 year ago

@JulianHayward This worked! Thank you!

MarcelHeek commented 1 year ago

@JulianHayward

For me it fails pretty early in the execution (for 3 tenants before I cancelled the job) with the following... For all 3 it failed on microsoft.web/sites/slots

MarcelHeek commented 1 year ago

@JulianHayward Perhaps good additional info is that I came from this version : v6_major_20221228_1

I bumped up to the latest released version, v6_major_20230103_1, and the script fatally exits at the first website slot for all my tenants, so I am back to v6_major_20221228_1 and this issue was introduced after that version.

JulianHayward commented 1 year ago

@MarcelHeek let's try the latest in the dev branch (v6_major_20230106_1)

MarcelHeek commented 1 year ago

@JulianHayward Damn, you are fast. The error is gone.

JulianHayward commented 1 year ago

thanks gents @MarcelHeek @aricade