
I am using a runbook in an Azure Automation Account. In this runbook, I use a "run as account" which has Owner rights on the subscription. When I execute the command `Get-AzRoleAssignment`, I get:

    Get-AzRoleAssignment : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
    At line:21 char:16
    + $listOfUsers = Get-AzRoleAssignment -verbose
    +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Get-AzRoleAssignment], CloudException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand

The service principal of the "run as account" has the permissions shown in the screenshot (image not reproduced).

Do you have any idea?

Is it an authorization error? If so, which permissions should I give to the SP?

MoonHorse
    Considering `Get-AzRoleAssignment` is for RBAC roles in an Azure Subscription, you will need to give `Azure Service Management` permission. Please see my answer here: https://stackoverflow.com/questions/66970160/how-do-you-set-up-app-with-permissions-to-azure-compute-api/66970727#66970727. – Gaurav Mantri Apr 08 '21 at 11:05
  • Any update on this issue? – Joy Wang Apr 13 '21 at 01:25
  • @JoyWang, the issue is resolved after applying the Azure Service Management permission. I thought I had written a comment about it. So Gaurav Mantri's proposition has worked. – MoonHorse Apr 13 '21 at 07:02
  • Really? I don't believe the `delegated permission` will work in this case, because when you use this command, it essentially uses the [client credential flow](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow) to get the token, so `delegated permission` will not take effect. – Joy Wang Apr 13 '21 at 07:29
  • I also had a quick test with the `Azure Service Management` permission; it does not work on my side. Are you sure you didn't give some [Azure AD admin roles](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal?context=/azure/active-directory/roles/context/ugr-context) to the service principal? Apart from my answer, that will also work. – Joy Wang Apr 13 '21 at 07:29
  • Besides the permission in the screenshot and the Azure Service Management permission, we have given nothing. I will also test if your solution works, but it will take some time. I will let you know. – MoonHorse Apr 13 '21 at 08:54
  • @JoyWang, after some time, the Azure Service Management permission didn't work. I tried your solution and it worked. Thanks! I have marked your answer as the accepted solution. – MoonHorse Apr 29 '21 at 09:45

1 Answer


I can also reproduce your issue on my side. When you run the command with some parameters, e.g. with `ObjectId` (`Get-AzRoleAssignment -ObjectId xxxxx`), it will call the AAD Graph first to verify the object in your tenant.

To solve the issue, just add the Application permission `Directory.Read.All` of Azure Active Directory Graph to the AD App of your RunAs account.

Note: In your screenshot you added the Delegated permission `Directory.Read.All`; it will not work, it must be an Application permission. Check the steps below.

(Screenshots of the steps in the Azure portal: API permissions, "Add a permission", Azure Active Directory Graph, Application permissions; images not reproduced.)

After giving the permission, it works fine.


Joy Wang
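The answer's fix is done through portal screenshots; the script below is an added example (not from the answer or from Microsoft's documentation) that audits the RunAs app registration for the Delegated-versus-Application mix-up discussed in the comments and requests the Application permission. It assumes the Graph-based Az.Resources module (5.x or later) that provides `Get-AzADAppPermission` and `Add-AzADAppPermission`, a signed-in session with rights to edit the app registration, and `<RUNAS-APP-ID>` as a placeholder for the RunAs account's application (client) ID; the two GUIDs are the well-known IDs of the Azure AD Graph resource and its `Directory.Read.All` application permission.

```powershell
# Added example: audit and fix the API permission type on the RunAs app registration.
# Assumes Az.Resources 5.x+ (Get-AzADAppPermission / Add-AzADAppPermission) and
# an already-connected admin session (Connect-AzAccount).
$runAsAppId = '<RUNAS-APP-ID>'   # placeholder: application (client) ID of the RunAs app

# Well-known IDs of the Azure Active Directory Graph API and its
# Directory.Read.All application permission (app role).
$aadGraphApiId    = '00000002-0000-0000-c000-000000000000'
$directoryReadAll = '5778995a-e1bf-45b8-affa-663a9f3f4d04'

# 1. List what the app currently requests against AAD Graph. Type 'Scope' is a
#    delegated permission, Type 'Role' is an application permission.
$existing = Get-AzADAppPermission -ApplicationId $runAsAppId |
    Where-Object { $_.ApiId -eq $aadGraphApiId }

foreach ($p in $existing) {
    $kind = if ($p.Type -eq 'Role') { 'Application' } else { 'Delegated' }
    Write-Output ('{0,-40} {1}' -f $p.Id, $kind)
}

# 2. A RunAs account signs in with client credentials, so a delegated ('Scope')
#    entry is exactly the ineffective configuration from the question.
$hasAppPermission = $existing |
    Where-Object { $_.Id -eq $directoryReadAll -and $_.Type -eq 'Role' }

if (-not $hasAppPermission) {
    # 3. Request the Application permission: -Type Role, not the default Scope.
    Add-AzADAppPermission -ApplicationId $runAsAppId `
        -ApiId $aadGraphApiId -PermissionId $directoryReadAll -Type Role
    Write-Output 'Requested Directory.Read.All (Application); admin consent is still required.'
} else {
    Write-Output 'Directory.Read.All (Application) is already requested.'
}
```

Adding the permission only records the request on the app registration; as in the answer's last screenshot, an administrator still has to grant admin consent before the RunAs service principal's token carries it.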