New-AzAdServicePrincipal does not process all input parameters #16841

Closed
strat-alex opened this issue Jan 14, 2022 · 5 comments · Fixed by #16924
Labels
AAD AzAd cmdlets in Az.Resources customer-reported feature-request This issue requires a new behavior in the product in order be resolved.

strat-alex commented Jan 14, 2022

Description

The New-AzAdServicePrincipal documentation lists several parameters, like -AppRoleAssignmentRequired, which should do the following:
Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.

When trying a command like:

    New-AzADServicePrincipal -AppRoleAssignmentRequired

the following error is shown:

    New-AzADServicePrincipal: A parameter cannot be found that matches parameter name 'AppRoleAssignmentRequired'.

When looking at the PowerShell code in Az.MsGraph\New-AzAdServicePrincipal.ps1, the script first creates an AzAdApplication with the current set of $PSBoundParameters. Once the app is created, it tries to create a service principal with a limited set of parameters: AppId & AccountEnabled.

This also ignores the -accountenabled switch that is also documented.

I think this is the code that actually makes the service principal:

    $param = @{'AppId' = $PSBoundParameters['ApplicationId']; 'AccountEnabled'=$true; }
    if ($PSBoundParameters['Debug']) {
      $param['Debug'] = $PSBoundParameters['Debug']
    }
    $sp = Az.MSGraph.internal\New-AzADServicePrincipal @param

It's my first time navigating this code, I hope I didn't overlook or misinterpret anything.

But it seems the implementation is only partially done?

Issue script & Debug output

New-AzADServicePrincipal -AppRoleAssignmentRequired

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.7.1                 Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}
Script     5.2.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}

Error output

Message        : A parameter cannot be found that matches parameter name 'AppRoleAssignmentRequired'.
StackTrace     :    at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                    at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.Interpreter.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.LightLambda.RunVoid1[T0](T0 arg0)
                    at System.Management.Automation.PSScriptCmdlet.RunClause(Action`1 clause, Object dollarUnderbar, Object inputToProcess)
                    at System.Management.Automation.PSScriptCmdlet.DoProcessRecord()
                    at System.Management.Automation.CommandProcessor.ProcessRecord()
Exception      : System.Management.Automation.ParameterBindingException
InvocationInfo : {New-AzADApplication}
Line           :       $app = New-AzADApplication @PSBoundParameters

Position       : At C:\Users\...\PowerShell\Modules\Az.Resources\5.2.0\MSGraph.Autorest\custom\New-AzADServicePrincipal.ps1:741 char:34
                 +       $app = New-AzADApplication @PSBoundParameters
                 +                                  ~~~~~~~~~~~~~~~~~~
HistoryId      : 19
@strat-alex added the bug and needs-triage labels Jan 14, 2022
@ghost added the question and customer-reported labels and removed the needs-triage label Jan 14, 2022
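
An added example, not part of the original issue and not the Az.Resources module's code, reproducing the wrapper pattern described in the report and one way to forward parameters without dropping a setting such as -AppRoleAssignmentRequired or -AccountEnabled. The `*-Demo*` functions and `Select-ParametersFor` are hypothetical stand-ins for New-AzADApplication and the internal New-AzADServicePrincipal; no Azure calls are made.

```powershell
# Stand-ins (hypothetical names) for the two inner commands; nothing here talks to Azure.
function New-DemoApplication {
    [CmdletBinding()]
    param([string]$DisplayName)
    [pscustomobject]@{ AppId = [guid]::NewGuid().ToString(); DisplayName = $DisplayName }
}
function New-DemoServicePrincipalInternal {
    [CmdletBinding()]
    param([string]$AppId, [bool]$AccountEnabled = $true, [switch]$AppRoleAssignmentRequired)
    [pscustomobject]@{
        AppId                     = $AppId
        AccountEnabled            = $AccountEnabled
        AppRoleAssignmentRequired = [bool]$AppRoleAssignmentRequired
    }
}

# Return only the bound parameters that $CommandName itself declares.
function Select-ParametersFor {
    param([string]$CommandName, [System.Collections.IDictionary]$Bound)
    $declared = (Get-Command -Name $CommandName).Parameters.Keys
    $subset = @{}
    foreach ($name in $Bound.Keys) {
        if ($declared -contains $name) { $subset[$name] = $Bound[$name] }
    }
    $subset
}

function New-DemoServicePrincipal {
    [CmdletBinding()]
    param([string]$DisplayName, [bool]$AccountEnabled = $true, [switch]$AppRoleAssignmentRequired)

    # Splatting @PSBoundParameters unfiltered here reproduces the reported binding error.
    $appParams = Select-ParametersFor -CommandName 'New-DemoApplication' -Bound $PSBoundParameters
    $app = New-DemoApplication @appParams

    # Forward the caller's values instead of hard-coding AccountEnabled = $true.
    $spParams = Select-ParametersFor -CommandName 'New-DemoServicePrincipalInternal' -Bound $PSBoundParameters
    $spParams['AppId'] = $app.AppId

    # Fail loudly if a caller-supplied parameter reached neither inner command.
    $dropped = @($PSBoundParameters.Keys | Where-Object { -not $appParams.ContainsKey($_) -and -not $spParams.ContainsKey($_) })
    if ($dropped.Count -gt 0) { throw "Parameters not forwarded: $($dropped -join ', ')" }

    New-DemoServicePrincipalInternal @spParams
}

New-DemoServicePrincipal -DisplayName 'demo-app' -AppRoleAssignmentRequired -AccountEnabled $false
```
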
@dingmeng-xue
Member

@VeryEarly, please help to look into it.

@dingmeng-xue added the AAD AzAd cmdlets in Az.Resources label Jan 17, 2022
@VeryEarly
Contributor

Hi @alexv-be,

The limited set of parameters for creating a service principal is to align with the older version of New-AzADServicePrincipal (which used the AAD API and had not switched to the Microsoft Graph API). We plan to enable the other optional parameters soon.

Thanks

@strat-alex
Author

Thanks for the follow up!
I lost quite some time figuring out what works and doesn't work in both Add-AzADApplication and Add-AzADServicePrincipal. Having more in the documentation than actually works is not really helpful.

The breaking changes notice is in the documentation, why not add a notice that it's only partially implemented? A "use at your own risk" kind of thing?
Is the work planned or is it still in limbo? I'd like to figure out when I need to revisit these scripts to be working with the Az.Resources module. I'll keep an eye on the change notes in any case.

@dingmeng-xue added the feature-request label and removed the bug and question labels Jan 19, 2022
@VeryEarly self-assigned this Jan 25, 2022
@VeryEarly
Contributor

Hi @alexv-be, the fix will be available early next month.

@strat-alex
Author

Thank you!

@VeryEarly added this to the Jan 2022 (2022-02-08) milestone Jan 25, 2022
@VeryEarly mentioned this issue Jan 26, 2022
@VeryEarly linked a pull request Jan 26, 2022 that will close this issue