JulianHayward / Azure-MG-Sub-Governance-Reporting

Azure Governance Visualizer aka AzGovViz is a PowerShell script that captures Azure Governance related information such as Azure Policy, RBAC (a lot more) by polling Azure ARM, Storage and Microsoft Graph APIs.
MIT License

[Error] Cannot run AzGovViz using the user's Access Token #243

Closed skhomyuk closed 2 weeks ago

skhomyuk commented 3 weeks ago

AzGovViz version 6.4.5

CodeRunPlatform Console

Describe the bug: I am trying to implement a service/console app that runs AzGovViz under different users using their access tokens. This application expects the user's access token as one of its parameters and runs AzGovViz with no interactivity with the user. A valid access token is prepared by another application. AzGovViz starts to work but gets the error below.

Steps to reproduce:

  1. Connect-AzAccount -AccessToken $accessToken -TenantId $tenantId -AccountId $accountId -SubscriptionId $subscriptionId
  2. .\AzGovVizParallel.ps1 -ManagementGroupId $managementGroupId -OutputPath $outputPath

Please note, on the application side there is no pre-stored user context in the cache. If you already have a connected user, you need to clear the cache first (run Clear-AzContext) to reproduce the issue.

Error:

  Check Subscription: 'Subscription replaced' (criteria: quotaId notLike 'AAD*'; state==enabled)
  +Processing new bearer token request 'ARM' "https://management.azure.com"
  Likely your Azure credentials have not been set up or have expired, please run 'Connect-AzAccount -tenantId '
  Write-Error: C:\Users\Folder\Documents\PowerShell\Modules\AzAPICall\1.2.2\functions\AzAPICallFunctions.ps1:1654
  Line |
  1654 | … Logging -logMessage "-ERROR processing new bearer token r …
       | ~~~~~~~~~~~~~
       | -ERROR processing new bearer token request (Console) for targetEndPoint 'ARM' (https://management.azure.com):
       | Exception calling "Authenticate" with "7" argument(s): "[AccessTokenAuthenticator] failed to retrieve access
       | token for resource 'https://management.azure.com';. Please ensure that you have provided the appropriate access
       | tokens when using access token login."
  Exception: C:\Users\Folder\Documents\PowerShell\Modules\AzAPICall\1.2.2\functions\AzAPICallFunctions.ps1:1655
  Line |
  1655 | … Throw 'Error - check the last console output for details' …
       | ~~~~~~~~~~~~~
       | Error - check the last console output for details


Additional context: It seems the error appears in the AzAPICall createBearerToken function. Instance.AuthenticationFactory.Authenticate does not work when the azContext is created using the user's access token.
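The following pre-flight script is an added example, not part of AzGovViz, AzAPICall or the reporter's own application. It performs the two reproduction steps above, but between them it checks whether a context created with Connect-AzAccount -AccessToken can supply bearer tokens for the endpoints AzGovViz polls (ARM, Storage and Microsoft Graph per the repository description), so a token-type limitation is detected before the run fails deep inside createBearerToken. The endpoint list, the parameter names and the assumption that Get-AzAccessToken exercises the same Az.Accounts authentication path as AzAPICall are mine; Clear-AzContext and Get-AzAccessToken -ResourceUrl are real Az.Accounts cmdlets.

```powershell
# Added pre-flight check (example code, not from the AzGovViz project or the issue reporter).
# Assumptions: Az.Accounts is installed; the caller supplies the same values as in the
# reproduction steps; the endpoint table below is mine, not AzGovViz's own list.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AccountId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ManagementGroupId,
    [Parameter(Mandatory)] [string] $OutputPath
)

# Reproduce the issue's condition: no previously cached user context.
Clear-AzContext -Force

# Step 1 from the issue: create the context from the externally supplied access token.
Connect-AzAccount -AccessToken $AccessToken -TenantId $TenantId `
    -AccountId $AccountId -SubscriptionId $SubscriptionId | Out-Null

$ctx = Get-AzContext
Write-Host "Account: $($ctx.Account.Id)  Type: $($ctx.Account.Type)  Tenant: $($ctx.Tenant.Id)"

# Resource audiences AzGovViz needs (assumed list based on the repo description).
$endpoints = [ordered]@{
    ARM     = 'https://management.azure.com'
    Storage = 'https://storage.azure.com'
    MSGraph = 'https://graph.microsoft.com'
}

# Ask Az.Accounts for a token per audience; an 'AccessToken' context can only hand out
# tokens it was given at login, so any audience it cannot serve shows up here.
$results = foreach ($name in $endpoints.Keys) {
    try {
        $tok = Get-AzAccessToken -ResourceUrl $endpoints[$name] -ErrorAction Stop
        [pscustomobject]@{ Endpoint = $name; Resource = $endpoints[$name]
                           TokenObtained = $true;  ExpiresOn = $tok.ExpiresOn; Error = $null }
    }
    catch {
        [pscustomobject]@{ Endpoint = $name; Resource = $endpoints[$name]
                           TokenObtained = $false; ExpiresOn = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Fail fast instead of letting AzAPICall throw 'Error - check the last console output'.
if (@($results | Where-Object { -not $_.TokenObtained }).Count -gt 0) {
    throw "Context of type '$($ctx.Account.Type)' cannot supply tokens for every endpoint AzGovViz needs; not starting AzGovVizParallel.ps1."
}

# Step 2 from the issue: only reached when every audience resolved to a token.
.\AzGovVizParallel.ps1 -ManagementGroupId $ManagementGroupId -OutputPath $OutputPath
```

Run it from the AzGovViz checkout directory with the same four values the issue passes to Connect-AzAccount plus the management group and output path; the table it prints shows which audiences the supplied token login can and cannot serve, which is the information the AzAPICall error message asks for.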

JulianHayward commented 2 weeks ago

@skhomyuk interesting scenario.. when you say 'user', are these really accounts of type 'user'? Is there no way to use a Service Principal? AzDO/GitHub is not an option?

skhomyuk commented 2 weeks ago

Hi @JulianHayward, I think the account type in this case is 'AccessToken', as shown on the second screenshot above. It should be a multi-tenant application with user-specific permissions. If I think about the Service Principal way, only "Application permissions" are documented for that case, but what about "Delegated permissions"? A service principal with delegated permissions is also going to use the user's access token, and it looks like there is no option to run AzGovViz that way either. I think I just need your confirmation that AzGovViz does not support the 'AccessToken' account type at the moment.

https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/blob/master/setup/azure-devops.md

I need to use "Delegated permissions":

JulianHayward commented 2 weeks ago

Jepp, does not work that way :(. Please share your workaround later on. Thx