Azure Functions managed identity does now work for Az cmdlets when working against graph API endpoint

[eamonoreilly]

If you run the below command that calls into graph.windows.net, the cmdlet will fail with the below information:

Get-AzAdServicePrincipal -DisplayName eamononboardonboarding -debug

2019-06-26T01:01:36.658 [Information] Executing 'Functions.TestIdentity' (Reason='This function was programmatically called via the host APIs.', Id=478821d7-dedd-497b-9104-f8ffcb76e82e)
2019-06-26T01:01:37.715 [Debug] DEBUG: 1:01:37 AM - GetAzureADServicePrincipalCommand begin processing with ParameterSet 'DisplayNameParameterSet'.
2019-06-26T01:01:37.716 [Debug] DEBUG: 1:01:37 AM - using account id 'MSI@50342'...
2019-06-26T01:01:37.716 [Debug] DEBUG: [Common.Authentication]: Authenticating using Account: 'MSI@50342', environment: 'AzureCloud', tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47'
2019-06-26T01:01:37.716 [Debug] DEBUG: [HttpClientOperations]: Adding Header 'Metadata'
2019-06-26T01:01:37.717 [Debug] DEBUG: [HttpClientOperations]: Adding Header 'Secret'
2019-06-26T01:01:37.763 [Debug] DEBUG: Checking Cache request http://127.0.0.1:41442/MSI/token/?resource=https://management.azure.com/&api-version=2017-09-01
2019-06-26T01:01:37.771 [Debug] DEBUG: Cache Hit
2019-06-26T01:01:37.771 [Debug] DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/servicePrincipals?$filter=displayName eq 'eamononboardonboarding'&api-version=1.6

Headers:
x-ms-client-request-id : 27b8fe02-2bb9-4ad0-8e75-0dc1a22b4708
Accept-Language : en-US

Body:
2019-06-26T01:01:37.772 [Debug] DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Cache-Control : private
ocp-aad-diagnostics-server-name: Evz/RQYOj17tGf6qidpDB5jHhTmaNfoVg48JzcqP5m4=
request-id : c5cdca19-0f73-4123-9622-6c99200ee993
client-request-id : 2da01d5d-c208-40e7-bb49-3d2f389e1ec5
x-ms-dirapi-data-contract-version: 1.6
Strict-Transport-Security : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin : *
WWW-Authenticate : Bearer realm="72f988bf-86f1-41af-91ab-2d7cd011db47", error="invalid_token", error_description="Access Token missing or malformed.", authorization_uri="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize", client_id="00000002-0000-0000-c000-000000000000"
X-Powered-By : ASP.NET
Duration : 182401
Date : Wed, 26 Jun 2019 01:01:36 GMT

Body:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
}
}
}
2019-06-26T01:01:37.772 [Debug] DEBUG: Caught exception, type: Microsoft.Azure.Graph.RBAC.Models.GraphErrorException
2019-06-26T01:01:37.876 [Error] ERROR: Access Token missing or malformed.
Microsoft.Azure.WebJobs.Script.Rpc.RpcException : Result: ERROR: Access Token missing or malformed.
Exception: Access Token missing or malformed.
Stack:
2019-06-26T01:01:37.897 [Debug] DEBUG: AzureQoSEvent: CommandName - Get-AzADServicePrincipal; IsSuccess - False; Duration - 00:00:00.1294588; Exception - System.Exception: Access Token missing or malformed.;
2019-06-26T01:01:37.950 [Debug] DEBUG: Finish sending metric.
2019-06-26T01:01:37.950 [Debug] DEBUG: 1:01:37 AM - GetAzureADServicePrincipalCommand end processing.
2019-06-26T01:01:37.950 [Debug] DEBUG: 1:01:37 AM - GetAzureADServicePrincipalCommand end processing.
2019-06-26T01:01:37.951 [Information] Executed 'Functions.TestIdentity' (Succeeded, Id=478821d7-dedd-497b-9104-f8ffcb76e82e)
2019-06-26T01:03:31 No new trace in the past 1 min(s).

This works correctly in Azure Functions by getting a token for the graph.windows.net audience like below and calling the graph API directly.

$tokenAuthURI = $Env:MSI_ENDPOINT + "?resource=https://graph.windows.net&api-version=2017-09-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
$headers = @{ 'Authorization' = "Bearer $accessToken" }

Invoke-RestMethod -Uri "https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/servicePrincipals?$filter=displayName eq 'eamononboardonboarding'&api-version=1.6" -Headers $headers

[markcowl]

@eamonoreilly What is the version installed? This is simply asking for the wrong token audience, which looks an awful lot like the old version of accounts

[eamonoreilly]

@markcowl I think you are right Mark. I was pretty sure I had the latest installed but it was 1.5.2. When I upgraded to 1.5.3 it started working. I'll close the issue.
Thanks for the help.

[markcowl]

@eamonoreilly Given the age of the linked bug, and that selecting additional audiences was only made available in the last release, I believe the customer was simply using too old a version of Az.Accounts. Are you still seeing thsi when upgrading?

[eamonoreilly]

@markcowl Hi Mark, I updated the linked issue to let the customer know to move to 2.* in the function app as that will get the latest module downloaded for them automatically.