
getting immediate error when launching PowerZure #6

Closed
halfluke opened this issue Sep 21, 2020 · 18 comments

Comments

@halfluke

halfluke commented Sep 21, 2020

First, I connect to my account using my "root" user with Connect-AzAccount.
Then I import PowerZure.

PowerZure : Cannot validate argument on parameter 'ObjectId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again

  • PowerZure -Checks -Banner -Welcome

  • CategoryInfo : InvalidData: (:) [PowerZure], ParameterBindingValidationException

  • FullyQualifiedErrorId : ParameterArgumentValidationError,PowerZure

@hausec
Owner

hausec commented Sep 21, 2020

Does it tell you what line the error is on?

@halfluke
Author

Yes, PowerZure.ps1:209 char:1

@halfluke
Author

It doesn't seem to like -Welcome. Once I removed it, everything seems to work.

@hausec
Owner

hausec commented Sep 21, 2020

I'm thinking it has to do with the API call which pulls some info about the current user roles. Can you run the following code and tell me if you get the same error? (Just copy+paste into a PowerShell window.)

$APSUser = Get-AzContext *>&1
$resource = "https://graph.microsoft.com"
# Acquire a Microsoft Graph access token from the current Az session
$Token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($APSUser.Account, $APSUser.Environment, $APSUser.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken
$Headers = @{}
$Headers.Add("Authorization", "Bearer $Token")
# PowerZure's own helper builds the same header; it only resolves when PowerZure is imported
$Headers = Get-AzureGraphToken
Write-Host "You are logged into Azure PowerShell" -ForegroundColor Yellow
$obj = New-Object -TypeName psobject
$username = $APSUser.Account
$user = Get-AzADUser -UserPrincipalName $username
$userid = $user.id
# Azure RBAC assignments for the signed-in principal (-ObjectId expects a GUID)
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1
$obj | Add-Member -MemberType NoteProperty -Name Username -Value $user.userPrincipalName
$obj | Add-Member -MemberType NoteProperty -Name objectId -Value $userid
$rolearray = @()
$scopearray = @()
# Azure AD directory role assignments for the principal, via the Graph beta endpoint
$uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=principalId eq '$userid'"
$data = Invoke-RestMethod -Headers $Headers -Uri $uri
$aadroles = $data.value
ForEach ($aadrole in $aadroles)
{
    $id = $aadrole.roleDefinitionId
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/$id"
    $roledef = Invoke-RestMethod -Headers $Headers -Uri $uri
    $rolearray += $roledef.displayName
    $scopearray += $roledef.resourceScopes
}
$obj | Add-Member -MemberType NoteProperty -Name AADRole -Value $rolearray
$obj | Add-Member -MemberType NoteProperty -Name AADRoleScope -Value $scopearray
# Transitive group membership; securityEnabledOnly must be a JSON boolean
$uri = "https://graph.microsoft.com/v1.0/Users/$userid/getMemberGroups"
$body = @"
{ "securityEnabledOnly": false }
"@
$grouparray = @()
$groupdata = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $body -Method Post -ContentType application/json
$groupids = $groupdata.value
foreach ($groupid in $groupids)
{
    $groupstuff = Get-AzADGroup -ObjectId $groupid
    $grouparray += $groupstuff.DisplayName
}
$obj | Add-Member -MemberType NoteProperty -Name Groups -Value $grouparray
$obj | Add-Member -MemberType NoteProperty -Name AzureRoles -Value $rbacroles.roleDefinitionName
$obj | Add-Member -MemberType NoteProperty -Name Scope -Value $rbacroles.scope
$obj | Add-Member -MemberType NoteProperty -Name SubscriptionName -Value $APSUser.Subscription.Name
$obj | Add-Member -MemberType NoteProperty -Name SubscriptionId -Value $APSUser.Subscription.Id
$obj
Write-Host ""
Write-Host "Please set your default subscription with 'Set-Subscription -Id {id}' if you have multiple subscriptions." -ForegroundColor Yellow

@halfluke
Author

Getting the same error but after this line:
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1

@hausec
Owner

hausec commented Sep 21, 2020

Ok, can you run this?

$APSUser = Get-AzContext *>&1 
$APSUser.Account

And check if you get any output?

@halfluke
Author

Yes, I get my tenantid, Id, type, tenants, and extendedproperties fields. The accesstoken field is empty, though.

@hausec
Owner

hausec commented Sep 21, 2020

Try this:

$username = $APSUser.Account.id
$user = Get-AzADUser -UserPrincipalName $username
$userid = $user.id
$rbacroles = Get-AzRoleAssignment -ObjectId $userid *>&1

If it errors, can you verify that $userid is populated (has content)?

@halfluke
Author

It errors, and for some reason $userid has no content...

@hausec
Owner

hausec commented Sep 21, 2020

Does $User have content?

@halfluke
Author

Nope, only $username has content.

@hausec
Owner

hausec commented Sep 21, 2020

Ok so Get-AzADUser -UserPrincipalName is failing.

Do you get any results back when you type Get-AzADUser?

If so, try manually putting in your userprincipalname and see if you get any results back

Get-AzADUser -UserPrincipalName [username@domain]

@halfluke
Author

Yeah... Get-AzADUser returns my two users. One is the root account (external, @live.com) and the other one is an IAM user.

What happens is:
$username = $APSUser.Account.id -> this one returns my @live.com account
$user = Get-AzADUser -UserPrincipalName $username -> this one returns nothing

@halfluke
Author

halfluke commented Sep 21, 2020

The userprincipalname is:
xxxxx_live.com#EXT#@xxxxxx.onmicrosoft.com

So basically the @live.com $username returned above is not equivalent to the UserPrincipalName returned by Get-AzADUser.

@hausec
Owner

hausec commented Sep 21, 2020

Ahhhh ok, I see what's happening. Thank you for finding this, I'll update it right now.

@halfluke
Author

Glad you see it, as I don't :) I am basically testing some tools on my account for an Azure configuration review I'll have to do in a couple of days :)

@hausec
Owner

hausec commented Sep 21, 2020

Fixed here: ef6f905

Get-AzContext will erroneously populate the 'id' property without appending #EXT#@tenant.onmicrosoft.com which is why searching via UPN does not return any data, as the id is not a proper UPN.

Fixed by fetching the UPN via a Graph API call instead of Get-AzContext.

@hausec hausec closed this as completed Sep 21, 2020
@halfluke
Author

Hmm, getting a different error though:
Get-AzRoleAssignment : The Principal ID xxxxx_live.com#EXT#@xxxxxx.onmicrosoft.com is not valid. Principal ID must be a GUID
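As an added example (not PowerZure's code and not from anyone in this thread) that covers both failure modes discussed above, the guest account whose Get-AzContext Account.Id is not a real UPN and the GUID requirement of Get-AzRoleAssignment -ObjectId: resolve the caller through Graph's /me endpoint, which returns the directory object id and the tenant-side UPN regardless of guest status, and validate the id before using it. It assumes an Az session exists (Connect-AzAccount), reuses the token-acquisition call from the thread, and the function names Get-CurrentPrincipal and Get-CurrentPrincipalRoleAssignments are invented.

```powershell
# Added example, not PowerZure's own code. Function names are invented.
function Get-CurrentPrincipal {
    $ctx = Get-AzContext
    if (-not $ctx) { throw "No Azure context; run Connect-AzAccount first." }

    # Same Graph token acquisition used in the thread's diagnostic snippet
    $token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
        $ctx.Account, $ctx.Environment, $ctx.Tenant.Id.ToString(), $null,
        [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null,
        'https://graph.microsoft.com').AccessToken
    $headers = @{ Authorization = "Bearer $token" }

    # /me returns the caller's directory object: the object id GUID and the real UPN,
    # which for a guest looks like user_live.com#EXT#@tenant.onmicrosoft.com
    $me = Invoke-RestMethod -Headers $headers -Uri 'https://graph.microsoft.com/v1.0/me'

    [PSCustomObject]@{
        ContextAccountId  = $ctx.Account.Id            # may be the home email, not a UPN
        UserPrincipalName = $me.userPrincipalName
        ObjectId          = $me.id
        IsGuest           = ($me.userPrincipalName -like '*#EXT#@*')
    }
}

function Get-CurrentPrincipalRoleAssignments {
    $principal = Get-CurrentPrincipal
    $guid = [guid]::Empty
    # Guard against the last error in the thread: -ObjectId must be a GUID, never a UPN
    if (-not [guid]::TryParse($principal.ObjectId, [ref]$guid)) {
        throw "Resolved object id '$($principal.ObjectId)' is not a GUID; not calling Get-AzRoleAssignment."
    }
    Get-AzRoleAssignment -ObjectId $principal.ObjectId |
        Select-Object RoleDefinitionName, Scope, ObjectType
}

Get-CurrentPrincipal
Get-CurrentPrincipalRoleAssignments
```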
