
I have an Azure Durable function, that runs some PowerShell code.

The code takes the Application Id from a newly created Application Account and grants it Contributor access on a resource group.

The code looks like this:

# Splatted parameters for the role assignment
$param = @{
    ApplicationId      = $SpnAppId            # app id of the newly created Application Account
    RoleDefinitionName = 'Contributor'
    ResourceGroupName  = $ResourceGroupName   # target scope of the assignment
    ErrorAction        = 'Stop'
}
New-AzRoleAssignment @param

I have the code running in 2 different tenants. In both tenants I can run an interactive PowerShell console with the credentials of the Application account running the function session and add the newly created Application Account as Contributor on the resource group. Both Application Accounts running the functions have Directory.Read.All (Application) and Owner on the subscriptions containing the resource groups.

The strange thing is that in one tenant the function grants the Contributor role to the Application Account on the resource group as expected when running the function, while in the other tenant it does not.

What could cause a function to fail with "ERROR: Insufficient privileges to complete the operation" in one tenant and not in the other, given that the operation succeeds in both tenants when run interactively?

Axel Andersen

2 Answers


AFAIK, an interactive session will not work with Azure Functions; you have to use a service principal.

These role privileges were assigned on the account, so a service principal is required for assigning roles to specific services or applications like Azure Function apps.

ERROR: Insufficient privileges to complete the operation

This error comes when the object id does not have the required permissions to create or assign service principals, even if it is assigned as Owner at the subscription level.

To fix the above error, make it an Owner of the subscription, create a service principal for role assigning and pass that service principal name to the role assignment PowerShell command; refer to this MS Doc on the role assignment format.


After some debugging it turned out that I was on function version ~3 and had an older version of the Az module installed. Upgrading to ~4 and installing Az version 8.* solved the issue.

In the Dev environment, the service principal had the Azure AD Directory.Read.All API permission. That was why it worked on the old version of the module: it used the old API in the cmdlets. The Azure AD API permissions have been deprecated and could not be added to the service principal in the new tenant.

When running Azure Functions ~4 and Az PowerShell module version 8.0, Microsoft Graph Directory.Read.All is sufficient for assigning the role to the resource group, and in the end upgrading was what solved my issue.

Axel Andersen
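The question's splat and the accepted fix above leave two things implicit: which Az version the function actually loads, and whether the failing step is the Graph lookup of the service principal or the ARM role assignment itself. The following activity function is an added example, not code from the question or the answers, that makes both visible before it assigns the role. It assumes the Durable activity receives a hashtable with the keys SpnAppId and ResourceGroupName (the input shape is an assumption), that the function app pins 'Az' = '8.*' in requirements.psd1 and runs with FUNCTIONS_EXTENSION_VERSION set to ~4, and that the function's identity holds the Owner and Microsoft Graph Directory.Read.All permissions described in the question.

```powershell
# Added example (not from the original question or answers).
# Durable activity function: grant Contributor on a resource group to the
# service principal of a given application id, with pre-flight checks that
# distinguish "old module / old runtime" from "missing Graph permission".
# Assumed input shape: @{ SpnAppId = '<app id>'; ResourceGroupName = '<rg>' }
param($ActivityInput)

$ErrorActionPreference = 'Stop'
$SpnAppId          = [string]$ActivityInput.SpnAppId
$ResourceGroupName = [string]$ActivityInput.ResourceGroupName

# 1. Record which Az module the runtime really loaded. The answer above traced
#    the failure to an old Az module (and Functions ~3) that still used the
#    deprecated Azure AD API for directory lookups. Guarding on 8.* matches the
#    version the answer reports as working; pin it in requirements.psd1.
$az = Get-Module -Name Az -ListAvailable |
    Sort-Object -Property Version -Descending | Select-Object -First 1
if (-not $az) { throw "Az module not found; add 'Az' = '8.*' to requirements.psd1." }
Write-Host "Az module version in use: $($az.Version); runtime: $env:FUNCTIONS_EXTENSION_VERSION"
if ($az.Version -lt [version]'8.0') {
    throw "Az $($az.Version) is older than 8.*; upgrade the managed dependency and run on FUNCTIONS_EXTENSION_VERSION ~4."
}

# 2. Log the identity the cmdlets run as, so a wrong tenant or subscription
#    context is obvious in the function logs rather than hidden behind the
#    generic 'Insufficient privileges' message.
$ctx = Get-AzContext
Write-Host "Running as '$($ctx.Account.Id)' in tenant $($ctx.Tenant.Id), subscription $($ctx.Subscription.Id)"

# 3. Resolve the service principal object explicitly. In Az 8 this cmdlet is
#    backed by Microsoft Graph, so if Directory.Read.All is missing, this is
#    the call that fails, which pinpoints the permission problem.
try {
    $sp = Get-AzADServicePrincipal -ApplicationId $SpnAppId
} catch {
    throw "Could not resolve the service principal for app id ${SpnAppId}: $($_.Exception.Message). Check the function identity's Microsoft Graph Directory.Read.All permission."
}
if (-not $sp) {
    throw "No service principal exists for application id $SpnAppId in tenant $($ctx.Tenant.Id); create it before assigning roles."
}

# 4. Idempotent assignment scoped to the resource group only: skip if the role
#    is already present, otherwise assign by the resolved object id.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id `
    -RoleDefinitionName 'Contributor' -ResourceGroupName $ResourceGroupName
if ($existing) {
    Write-Host "Contributor is already assigned to $($sp.Id) on resource group $ResourceGroupName"
} else {
    $assignment = New-AzRoleAssignment -ObjectId $sp.Id `
        -RoleDefinitionName 'Contributor' -ResourceGroupName $ResourceGroupName
    Write-Host "Assigned Contributor to $($sp.Id) at scope $($assignment.Scope)"
}

# Return the object id so the orchestrator can record which principal was granted.
return $sp.Id
```

Keeping the lookup (step 3) separate from the assignment (step 4) is the useful part: the error the question reports comes from the directory side, and with this layout the log shows which of the two calls raised it instead of a single failed splat. Checking for an existing assignment before creating one also keeps orchestration replays from producing duplicate-assignment errors.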