Unable to use Application principals for RBAC operations. #4776

Closed
ericrini opened this issue Oct 12, 2017 · 5 comments
Assignees
Labels
Resource Authorization AzRole* in Az.Resources Service Attention This issue is responsible by Azure service team.

Comments

ericrini commented Oct 12, 2017

Cmdlet(s)

New-AzureRmRoleAssignment

PowerShell Version

PSVersion                      5.1.15063.608

Module Version

2.1.0      Azure
3.4.0      Azure.Storage
3.4.0      AzureRM.Profile
4.4.0      AzureRM.Resources

OS Version

BuildVersion                   10.0.15063.608

Description

All attempts to add an AD application principal to a resource or resource group role fail with the error "Principals of type Application cannot validly be used in role assignments". The same assignment can be made through the Azure portal.

Debug Output

PS> New-AzureRmRoleAssignment -ObjectId "--- APPLICATIONID ---" -RoleDefinitionName "contributor" -Scope "/subscriptions/--- SUBSCRIPTIONID ---/resourceGroups/rsg-usw-capability-dev/providers/Microsoft.ServiceBus/namespaces/sb-usw-capabilities-dev-2"

New-AzureRmRoleAssignment : Principals of type Application cannot validly be used in role assignments.
At C:\Users\erini\CloudServicesPlatform\Platform.Infrastructure\src\Infrastructure.Capability\Deploy-Capabilities.ps1:75 char:1
+ New-AzureRmRoleAssignment `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

Full output...

PS> New-AzureRmRoleAssignment -ObjectId "--- APPLICATIONID ---" -RoleDefinitionName "contributor" -Scope "/subscriptions/--- SUBSCRIPTIONID ---/resourceGroups/rsg-usw-capability-dev/providers/Microsoft.ServiceBus/namespaces/sb-usw-capabilities-dev-2"
DEBUG: 4:44:28 PM - NewAzureRoleAssignmentCommand begin processing with ParameterSet 'EmptyParameterSet'.
DEBUG: 4:44:28 PM - using account id '--- EMAIL ---'...
DEBUG: [Common.Authentication]: Authenticating using Account: '--- EMAIL ---', environment: 'AzureCloud', tenant: '--- TENNANTID ---'
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - AcquireTokenHandlerBase: === Token Acquisition started:
 Authority: https://login.microsoftonline.com/--- TENNANTID ---/
 Resource: https://graph.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - TokenCache: An item matching the requested resource was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - TokenCache: 51.48221391 minutes left until token in cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - TokenCache: A matching item (access token or refresh token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8367f5bd-8259-4591-8cb2-b3bd339bff26 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: vpLsrGRkJ3XaqQZg7Cty0JdkZ420ExE8R0w4q7zPJnQ=
 Refresh Token Hash: v8mTl+xuy9Vgv+Zz8it6oVXtv0v7EmDbY0wBQgnolaA=
 Expiration Time: 10/12/2017 21:35:57 +00:00
 User Hash: tzjoBdFX0+8HjE3TwqZdZgufVNMbf/rL9FVDOGVkYIo=

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28:  - TokenCache: Serializing token cache with 3 items.
DEBUG: [Common.Authentication]: Authenticating using Account: '--- EMAIL ---', environment: 'AzureCloud', tenant: '--- TENNANTID ---'
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - AcquireTokenHandlerBase: === Token Acquisition started:
 Authority: https://login.microsoftonline.com/--- TENNANTID ---/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - TokenCache: An item matching the requested resource was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - TokenCache: 43.6437034583333 minutes left until token in cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - TokenCache: A matching item (access token or refresh token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 8676f24d-f260-492e-8187-f7a58113f52b - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: GHuexrPaYNmEzqISLWAyhrOxW1AsnhDsPTjt5+W4nbM=
 Refresh Token Hash: v8mTl+xuy9Vgv+Zz8it6oVXtv0v7EmDbY0wBQgnolaA=
 Expiration Time: 10/12/2017 21:28:06 +00:00
 User Hash: tzjoBdFX0+8HjE3TwqZdZgufVNMbf/rL9FVDOGVkYIo=

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28:  - TokenCache: Serializing token cache with 3 items.
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - AcquireTokenHandlerBase: === Token Acquisition started:
 Authority: https://login.microsoftonline.com/--- TENNANTID ---/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - TokenCache: An item matching the requested resource was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - TokenCache: 43.6436199416667 minutes left until token in cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - TokenCache: A matching item (access token or refresh token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: 64e7bf76-08c4-4d1f-8503-4f173ee490b2 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: GHuexrPaYNmEzqISLWAyhrOxW1AsnhDsPTjt5+W4nbM=
 Refresh Token Hash: v8mTl+xuy9Vgv+Zz8it6oVXtv0v7EmDbY0wBQgnolaA=
 Expiration Time: 10/12/2017 21:28:06 +00:00
 User Hash: tzjoBdFX0+8HjE3TwqZdZgufVNMbf/rL9FVDOGVkYIo=

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28:  - TokenCache: Serializing token cache with 3 items.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/--- SUBSCRIPTIONID ---/resourceGroups/rsg-usw-capability-dev/providers/Microsoft.ServiceBus/namespaces/sb-usw-capabilities-dev-2/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'contributor'&api-version=2015-07-01

Headers:
x-ms-client-request-id        : 1e94ab7c-c562-489b-b615-7cfd6eb31a8a
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-request-id               : c11478db-3910-4663-9c72-5860fa2769cf
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-ratelimit-remaining-subscription-reads: 14989
x-ms-correlation-request-id   : 65125783-de78-4b20-a947-c32a864f8fa2
x-ms-routing-request-id       : EASTUS2:20171012T204428Z:65125783-de78-4b20-a947-c32a864f8fa2
Cache-Control                 : no-cache
Date                          : Thu, 12 Oct 2017 20:44:27 GMT
Set-Cookie                    : x-ms-gateway-slice=productionb; path=/; secure; HttpOnly
Server                        : Microsoft-IIS/8.5
X-Powered-By                  : ASP.NET

Body:
{
  "value": [
    {
      "properties": {
        "roleName": "Contributor",
        "type": "BuiltInRole",
        "description": "Lets you manage everything except access to resources.",
        "assignableScopes": [
          "/"
        ],
        "permissions": [
          {
            "actions": [
              "*"
            ],
            "notActions": [
              "Microsoft.Authorization/*/Delete",
              "Microsoft.Authorization/*/Write",
              "Microsoft.Authorization/elevateAccess/Action"
            ]
          }
        ],
        "createdOn": "0001-01-01T08:00:00Z",
        "updatedOn": "2016-12-14T02:04:45.1393855Z",
        "createdBy": null,
        "updatedBy": null
      },
      "id": "/subscriptions/--- SUBSCRIPTIONID ---/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
    }
  ]
}

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - AcquireTokenHandlerBase: === Token Acquisition started:
 Authority: https://login.microsoftonline.com/--- TENNANTID ---/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - TokenCache: An item matching the requested resource was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - TokenCache: 43.6408533783333 minutes left until token in cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - TokenCache: A matching item (access token or refresh token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28: d9ee48a9-fbf8-48a7-aa75-a3eae6c1b9d9 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: GHuexrPaYNmEzqISLWAyhrOxW1AsnhDsPTjt5+W4nbM=
 Refresh Token Hash: v8mTl+xuy9Vgv+Zz8it6oVXtv0v7EmDbY0wBQgnolaA=
 Expiration Time: 10/12/2017 21:28:06 +00:00
 User Hash: tzjoBdFX0+8HjE3TwqZdZgufVNMbf/rL9FVDOGVkYIo=

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 10/12/2017 20:44:28:  - TokenCache: Serializing token cache with 3 items.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com//subscriptions/--- SUBSCRIPTIONID ---/resourceGroups/rsg-usw-capability-dev/providers/Microsoft.ServiceBus/namespaces/sb-usw-capabilities-dev-2/providers/Microsoft.Authorization/roleAssignments/ce7f0f50-eb26-4120-82c9-ab61413a6213?api-version=2015-07-01

Headers:
x-ms-client-request-id        : 53b6cad8-5b01-474e-b385-c2093f6d5002
accept-language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/--- SUBSCRIPTIONID ---/resourceGroups/rsg-usw-capability-dev/providers/Microsoft.ServiceBus/namespaces/sb-usw-capabilities-dev-2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "--- APPLICATIONID ---"
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Pragma                        : no-cache
x-ms-request-id               : 536aacdf-b3e4-4ea7-bcf4-893985e464f7
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-ratelimit-remaining-subscription-writes: 1196
x-ms-correlation-request-id   : addf1a52-0887-4c1d-abad-e7ca52d3f1f7
x-ms-routing-request-id       : EASTUS2:20171012T204429Z:addf1a52-0887-4c1d-abad-e7ca52d3f1f7
Cache-Control                 : no-cache
Date                          : Thu, 12 Oct 2017 20:44:28 GMT
Set-Cookie                    : x-ms-gateway-slice=productionb; path=/; secure; HttpOnly
Server                        : Microsoft-IIS/8.5
X-Powered-By                  : ASP.NET

Body:
{
  "error": {
    "code": "PrincipalTypeNotSupported",
    "message": "Principals of type Application cannot validly be used in role assignments."
  }
}

New-AzureRmRoleAssignment : Principals of type Application cannot validly be used in role assignments.
At line:1 char:1
+ New-AzureRmRoleAssignment -ObjectId "660c628a-9669-4edb-9e65-4933c32d ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

DEBUG: AzureQoSEvent: CommandName - New-AzureRmRoleAssignment; IsSuccess - False; Duration - 00:00:01.1877895; Exception - Microsoft.Rest.Azure.CloudException: Principals of type Application cannot validly be used in role assignments.
   at Microsoft.Azure.Management.Authorization.Version2015_07_01.RoleAssignmentsOperations.<CreateWithHttpMessagesAsync>d__8.MoveNext() in D:\workspace\AzPsPri-Sign\src\Common\Commands.Common.Authorization\RoleAssignmentsOperations.cs:line 735
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.Authorization.Version2015_07_01.RoleAssignmentsOperationsExtensions.<CreateAsync>d__7.MoveNext() in D:\workspace\AzPsPri-Sign\src\Common\Commands.Common.Authorization\RoleAssignmentsOperationsExtensions.cs:line 222
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.Authorization.Version2015_07_01.RoleAssignmentsOperationsExtensions.Create(IRoleAssignmentsOperations operations, String scope, String roleAssignmentName, RoleAssignmentCreateParameters parameters) in D:\workspace\AzPsPri-Sign\src\Common\Commands.Common.Authorization\RoleAssignmentsOperationsExtensions.cs:line 193
   at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.CreateRoleAssignment(FilterRoleAssignmentsOptions parameters) in D:\workspace\AzPsPri-Sign\src\ResourceManager\Resources\Commands.Resources\Models.Authorization\AuthorizationClient.cs:line 178
   at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet() in D:\workspace\AzPsPri-Sign\src\ResourceManager\Resources\Commands.Resources\RoleAssignments\NewAzureRoleAssignmentCommand.cs:line 149
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord() in D:\workspace\AzPsPri-Sign\src\Common\Commands.Common\AzurePSCmdlet.cs:line 639;
DEBUG: Finish sending metric.
DEBUG: 4:44:29 PM - NewAzureRoleAssignmentCommand end processing.
DEBUG: 4:44:29 PM - NewAzureRoleAssignmentCommand end processing.
@markcowl markcowl assigned darshanhs90 and unassigned cormacpayne Oct 13, 2017
@markcowl markcowl added the Resource Authorization AzRole* in Az.Resources label Oct 13, 2017
@markcowl (Member)

@darshanhs90 Can you take a look? This is a pretty fundamental scenario. Want to ensure that this is the right kind of service principal.

@ericrini (Author)

If it helps, this may be more of an API issue since both the CLI and PowerShell cmdlet give the same error. Maybe I'm just doing it wrong.

@dreck410

I am getting the same issue when trying to add a custom role to my service principal at a subscription scope. I can add the role to the application in the UI, but I have to do a lot of these and I'm trying to script it.

@markcowl (Member)

@ericrini @dreck410 The issue is that the applicationId and the graph object ID are not the same. If you provide the applicationId to the 'ServicePrincipalName' parameter rather than the 'ObjectId' parameter, the cmdlet will query graph for the object ID for you.

If you get the service principal details using Get-AzureRmServicePrincipal, the 'Id' property is the OID, the 'ApplicationId' property is the applicationId, and the service principal names are in the 'ServicePrincipalNames' property.

@ericrini ericrini reopened this Oct 18, 2017
@anthonyonazure

For those finding this thread now or later: the command Get-AzureRmServicePrincipal didn't work for me. Get-AzureRmADServicePrincipal is what I believe @markcowl meant to type, and it worked just like he described.

Get-AzureRmADServicePrincipal -SearchString "application name" will give you back the ServicePrincipalNames, ApplicationId, DisplayName, Id, and Type, and the ServicePrincipalName is different.
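The two comments above (markcowl's explanation that the applicationId and the directory object id are different values, and anthonyonazure's correction of the cmdlet name) amount to a small procedure: look the service principal up, take its `Id`, and only then create the role assignment. The script below is an added example, not code from this issue or from the AzureRM project. It assumes the AzureRM.Resources 4.x cmdlets used in this thread (`Get-AzureRmADServicePrincipal`, `Get-AzureRmRoleAssignment`, `New-AzureRmRoleAssignment`) and an already-authenticated session; `$ApplicationId`, `$Scope` and the role name are placeholders you supply.

```powershell
# Added example (not from the issue or the AzureRM module): assign an RBAC role to an
# Azure AD application by first resolving its service principal's object id.
# Assumes AzureRM.Resources 4.x and a session already logged in with Login-AzureRmAccount.
param(
    # The application's applicationId (a GUID). Passing this value as -ObjectId is what
    # produces "PrincipalTypeNotSupported" in the debug output above.
    [Parameter(Mandatory)] [string] $ApplicationId,
    # Scope of the assignment, e.g. /subscriptions/<sub>/resourceGroups/<rg>/providers/...
    [Parameter(Mandatory)] [string] $Scope,
    # Keep this as narrow as the workload allows; Contributor is only the thread's example.
    [string] $RoleDefinitionName = 'Contributor'
)

# 1. Resolve the service principal. The cmdlet is Get-AzureRmADServicePrincipal (not
#    Get-AzureRmServicePrincipal). A service principal's SPN list includes its applicationId,
#    so -ServicePrincipalName is an exact lookup, unlike -SearchString which matches display names.
$sp = @(Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId)
if ($sp.Count -eq 0) {
    throw "No service principal for applicationId $ApplicationId in this tenant. " +
          "The application registration alone is not assignable; create its service principal first."
}
if ($sp.Count -gt 1) {
    throw "applicationId $ApplicationId matched $($sp.Count) service principals; refusing to guess."
}
$sp = $sp[0]

# 2. Make the distinction visible before touching RBAC: Id is the directory object id that
#    role assignments need; ApplicationId is the client id used for authentication.
Write-Host ("Resolved '{0}': ObjectId={1} ApplicationId={2}" -f $sp.DisplayName, $sp.Id, $sp.ApplicationId)
if ($sp.Id -eq $ApplicationId) {
    Write-Warning "ObjectId equals ApplicationId, which should not happen; check the lookup result."
}

# 3. Idempotent assignment: re-running a deployment script must not fail or duplicate.
$existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $Scope `
                -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Assignment already present; nothing to do."
    return $existing
}

# Equivalent shortcut from markcowl's comment: -ServicePrincipalName $ApplicationId lets the
# cmdlet do the Graph lookup itself. Using the resolved Id keeps the identity explicit in logs.
New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $Scope
```

Run it as `.\Assign-SpRole.ps1 -ApplicationId <appId> -Scope "/subscriptions/<sub>/resourceGroups/<rg>"` from an authenticated session. Reviewing the printed ObjectId/ApplicationId pair against `Get-AzureRmRoleAssignment -Scope <scope>` afterwards is the quickest way to confirm the assignment landed on the intended principal and not on a similarly named one.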

@bsiegel bsiegel added the Service Attention This issue is responsible by Azure service team. label Sep 26, 2018