I have manually created 2 different Azure app registrations. From what I can see, they are the same. However, when I try to use them to programmatically run a PowerShell script that assigns Azure roles to a managed ID, one works and the other fails.

So specifically I'm trying to add 3 roles to:

Azure Portal Home -> MyResourceGroup -> MyManagedId -> Azure Role Assignments.

The roles are:

  • Storage Table Data Contributor
  • Azure Service Bus Data Owner
  • Storage Queue Data Contributor

From what I can see about the app registrations:

  • Both are owners at the subscription level. (Subscriptions -> Access Control (IAM))
  • Both have fresh secrets created
  • Both have these permissions listed under the "API permissions" section:

    Permission                       Type         Admin consent required
    Application.ReadWrite.OwnedBy    Application  Yes
    AppRoleAssignment.ReadWrite.All  Application  Yes
    User.Read                        Delegated    No

When I try to run my script that assigns the roles, app reg 1 works. I end up with the storage account roles I need. When I use app reg 2, it fails with the error:

{
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
        "details": [{
            "code": "BadRequest",
            "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidPrincipalId\",\r\n    \"message\": \"A valid principal ID must be provided for role assignment.\"\r\n  }\r\n}"
        }, {
            "code": "BadRequest",
            "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidPrincipalId\",\r\n    \"message\": \"A valid principal ID must be provided for role assignment.\"\r\n  }\r\n}"

Here's the script:

#Load Environment variables that drive this script. 
$currentEnv = (Get-Content './vars.json' | Out-String | ConvertFrom-Json)

az cache purge

az login `
     --service-principal `
     --username $currentEnv.AZ_DEPLOYMENT_CLIENT_ID `
     --password $currentEnv.AZ_DEPLOYMENT_CLIENT_SECRET `
     --tenant $currentEnv.AZ_TENANT_ID `
     --allow-no-subscriptions

#set the subscription we want to use
az account `
     set --subscription $currentEnv.AZ_SUBSCRIPTION_ID

az resource list `
     -g $currentEnv.AZ_RESOURCE_GROUP_NAME `
     -o table


#look up the function app name for this resource group
$AZ_FUNCTION_APP = az functionapp list `
    -g $currentEnv.AZ_RESOURCE_GROUP_NAME `
    -o json | ConvertFrom-Json
Write-Output $AZ_FUNCTION_APP.Name

#the user-assigned managed identity is named after the function app
$MANAGED_ID_DISPLAY_NAME = $AZ_FUNCTION_APP.Name + "-userId"
Write-Output "$MANAGED_ID_DISPLAY_NAME is the name of the managed identity"

#resolve the managed identity's object id from the directory
$objectid=$(az ad sp list --display-name $MANAGED_ID_DISPLAY_NAME --query [].objectId --output tsv)
Write-Output $objectid

az deployment group create `
    --resource-group $currentEnv.AZ_RESOURCE_GROUP_NAME `
    --template-file "./arm_templates/rbac-role.json" `
    --parameters `
    principalId=$objectid `
    builtInRoleType="['StorageQueueDataContributor', 'StorageTableDataContributor','AzureServiceBusDataOwner']"

The line that the script is actually dying on is this:

$objectid=$(az ad sp list --display-name $MANAGED_ID_DISPLAY_NAME --query [].objectId --output tsv)

When I google this error, I see articles that state that the app reg must be either an owner or be a User Access Administrator. I've tried to add "User Access Administration" rights to the app reg 2 that fails. But it makes no difference.

Here's a screenshot showing the Subscription roles. The registration that works is the one that ends in lowercase "bi". The one that fails is the one that has "BI-Deploy" as a part of the name.


dot
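An added example, not the asker's script and not an Azure-supplied snippet, showing a fail-fast version of the lookup step: it reads the principal ID from the user-assigned identity resource itself (which needs only the ARM-side role the question says both registrations have), falls back to the directory lookup, and refuses to start the deployment if no ID was resolved. It assumes the same vars.json keys and the same "<functionapp>-userId" naming as the question.

```powershell
# Added example: resolve the managed identity's principal ID and fail fast if it is
# empty, so "az deployment group create" is never called with an invalid principalId.
# Assumes the vars.json keys used in the question.
$currentEnv = Get-Content './vars.json' -Raw | ConvertFrom-Json

$functionApp  = az functionapp list -g $currentEnv.AZ_RESOURCE_GROUP_NAME -o json | ConvertFrom-Json
$identityName = "$($functionApp.Name)-userId"

# Preferred: a user-assigned managed identity is an ARM resource, so its principalId
# can be read with a subscription/resource-group role alone; no Graph permission needed.
$principalId = az identity show -g $currentEnv.AZ_RESOURCE_GROUP_NAME -n $identityName `
    --query principalId -o tsv

# Fallback: the directory lookup from the question. Azure CLI 2.37+ (Microsoft Graph based)
# returns the object ID as "id", older versions as "objectId", so query both.
if ([string]::IsNullOrWhiteSpace($principalId)) {
    $principalId = az ad sp list --display-name $identityName `
        --query "[0].id || [0].objectId" -o tsv
}

# Refuse to deploy unless we hold something shaped like a GUID.
if ([string]::IsNullOrWhiteSpace($principalId) -or $principalId -notmatch '^[0-9a-fA-F-]{36}$') {
    throw "Could not resolve a principal ID for '$identityName'; not deploying role assignments."
}
Write-Output "Resolved principal ID $principalId for $identityName"
```

If the throw fires, the role-assignment template was never submitted, which turns the opaque InvalidPrincipalId deployment error into a clear message about which lookup came back empty.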

1 Answer

It could be the use of "-" as part of the name.

Try changing the name.

Next Idea:

Have you created a managed identity for both apps?

Shiraz Bhaiji
  • Both app registrations have "-" in the names. But I'll remove all "-"'s from the failing app reg and try again. – dot Sep 12 '22 at 18:39
  • No dice. Same errors even after removing all hyphens from the app registration name. – dot Sep 12 '22 at 18:48