Az-GetManagementGroup creates user error when encountering subscription in MG hierarchy that is disabled or de-registered state #25315

Open
brianmooremsft opened this issue Jun 19, 2024 · 0 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Management Groups AzManagementGroup* in Az.Resources Service Attention This issue is responsible by Azure service team.

Comments

@brianmooremsft

Description

Customer with an account that has the following permissions:
Tenant Root = Reader
Intermediate Root = Resource Policy Contributor, Role Based Access Control Administrator

When running the command Az-GetManagementGroup -GroupName Intermediate-Root, the customer gets this error:

Get-AzManagementGroup: The client 'xxxxr@yyyyy.onmicrosoft.com' with object id 'xxxxxxxxx-d218-49fc-b3a0-421f69yyyyyyy' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/xxxxxxx8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.

The subscription does exist, but is in some kind of disabled state. Customer is only trying to read management groups, but the PS AZ module is clearly trying to take registration action, which it really shouldn't do in the context of reading a management group hierarchy.

FYI, we believe the subscriptions in question (triggering this issue) may be part of a platform-wide deprecation effort for subscriptions identified as "Access to Azure Active Directory", which is in the process of being deprecated.
(https://learn.microsoft.com/en-us/answers/questions/1657719/subscription-offer-access-to-azure-active-director)

Issue script & Debug output

Get-AzManagementGroup -GroupName VXXXXXXX
Get-AzManagementGroup: The client 'xxxxr@yyyyy.onmicrosoft.com' with object id 'xxxxxxxxx-d218-49fc-b3a0-421f69yyyyyyy' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/633b39b7-8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS C:\GitRepoClones\epac-issue680\epac-development> get-module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     7.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}

Error output

Get-AzManagementGroup -GroupName VisaUSA-OI
Get-AzManagementGroup: The client 'xxxxx@yyyyy.onmicrosoft.com' with object id 'xxxxxxxxx-d218-49fc-b3a0-421f69yyyyyyy' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/633b39b7-8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.
@brianmooremsft brianmooremsft added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 19, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported needs-triage This is a new issue that needs to be triaged to the appropriate team. and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 19, 2024
@isra-fel isra-fel added Service Attention This issue is responsible by Azure service team. Management Groups AzManagementGroup* in Az.Resources and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 20, 2024