
I tried to run a PowerShell script as a Service Connection. All the parameters are correct and there is no PowerShell script syntax error. The Service Connection is also a valid one, as I normally use it successfully for other AzureCLI tasks. I am sure my Service Connection can access all the pipelines; there is no restriction on it that I am aware of.

- task: AzurePowerShell@5
  displayName: 'Run my script'
  inputs:
    # ARM service connection; the task signs in as its service principal
    azureSubscription: 'My Service Connection'
    ScriptPath: '$(Agent.BuildDirectory)/drop/MyPowerShellScript.ps1'
    # Folded scalar: passed to the script as -ADGroupName '<value>'
    ScriptArguments: >
      -ADGroupName '${{ parameters.domainTeamName }}'
    FailOnStandardError: true
    azurePowerShellVersion: OtherVersion
    preferredAzurePowerShellVersion: 6.5.0
    pwsh: true

and I got this error message when I ran the pipeline: [error screenshot]

Here is the script code; the last line is where it failed. It cannot run the Azure command "Get-AzADGroup" because it does not have permission.

[CmdletBinding()]
param (
    # Display name of the Azure AD group to look up (passed from the pipeline)
    [ValidateNotNullOrEmpty()][Parameter(Mandatory = $true)][string]$ADGroupName
)

Set-StrictMode -Version 3

# This is the line that fails with the permission error shown above
$ADGroup = Get-AzADGroup -DisplayName $ADGroupName

I feel weird because I have run the task as the valid "My Service Connection"; it should have had permission to do everything. Can anyone help me please? Thanks

J Nguyen
  • Have you confirmed that the service principal you're using has sufficient permissions to access Azure AD? – Daniel Mann Aug 30 '23 at 13:49
  • @DanielMann how can I check that? When I created the service connection, I selected the scope level as my current subscription and ticked "Grant access permission to all pipelines". As I said, there is no restriction that I am aware of. Normally I can still use it to run tasks that deploy other Azure infrastructure: SQL DB, Key Vault... it is all fine. – J Nguyen Aug 30 '23 at 14:00
  • Look at the RBAC assigned to the service principal in the Azure portal. – Daniel Mann Aug 30 '23 at 14:02
  • @DanielMann, I navigated to the Service Principal page and selected "Roles and administrators". I see that the service principal has the "Cloud Application Administrator" role. The description of the role is "Can create and manage all aspects of app registrations and enterprise apps except App Proxy." Did I miss anything? – J Nguyen Aug 30 '23 at 14:08
  • Look at the duplicate questions about this. There are answers explaining a solution. – Daniel Mann Aug 30 '23 at 14:13
  • Hi @DanielMann, I have taken a look at those answers and they do not satisfy me. The first one requires adding more built-in roles (Directory.readers...) to the service principal. However, I do not see any more roles to add. There is only one built-in role, "Cloud Application Administrator". The UI seems to have changed already. The second solution is not really a passwordless solution. – J Nguyen Aug 30 '23 at 14:24

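The comment thread turns on the distinction between Azure RBAC on the subscription (which lets the service connection deploy SQL or Key Vault) and Microsoft Graph permissions on the service principal (which Get-AzADGroup needs). The following audit script is an added example, not code from the question or from any answer. It is meant to be run locally by a Microsoft Entra administrator after Connect-AzAccount, with the Az.Accounts and Az.Resources modules. It assumes Get-AzADAppPermission returns ApiId / Id / Type rows, that the Graph service principal's AppRole list maps role IDs to names, and that Invoke-AzRestMethod accepts a full graph.microsoft.com URI as its documentation shows; the app ID argument is a placeholder, and the default role name Group.Read.All is the least-privilege choice for reading groups.

```powershell
<#
  Added audit script (not from the question or any answer).
  Reports, for the service connection's app registration, which Microsoft
  Graph application permissions are requested and which are actually granted
  (admin-consented). Run interactively as an Entra admin after Connect-AzAccount.
#>
[CmdletBinding()]
param (
    # Application (client) ID of the service connection's app registration.
    # Placeholder: copy it from the service connection details in Azure DevOps.
    [ValidateNotNullOrEmpty()][Parameter(Mandatory = $true)][string]$ServiceConnectionAppId,

    # Graph application roles the pipeline needs. Group.Read.All is enough for
    # Get-AzADGroup; Directory.Read.All is the broader alternative.
    [string[]]$RequiredRoles = @('Group.Read.All')
)

Set-StrictMode -Version 3

# Well-known application ID of Microsoft Graph (identical in every tenant).
$graphAppId = '00000003-0000-0000-c000-000000000000'

# The Graph service principal's AppRole list maps role IDs to names such as 'Group.Read.All'.
$graphSp = Get-AzADServicePrincipal -ApplicationId $graphAppId
$roleNameById = @{}
foreach ($role in $graphSp.AppRole) { $roleNameById[[string]$role.Id] = $role.Value }

# Requested permissions: what the app registration declares (requiredResourceAccess).
# Type 'Role' means an application permission, as opposed to a delegated 'Scope'.
$requested = @(
    Get-AzADAppPermission -ApplicationId $ServiceConnectionAppId |
        Where-Object { $_.ApiId -eq $graphAppId -and $_.Type -eq 'Role' } |
        ForEach-Object { $roleNameById[[string]$_.Id] }
)

# Granted permissions: app role assignments on the service principal. These only
# exist once an admin has consented, so a permission can be requested yet still
# unusable. Az has no dedicated cmdlet for them, so call the Graph REST API
# through Invoke-AzRestMethod (assumed to accept a full Graph URI).
$sp = Get-AzADServicePrincipal -ApplicationId $ServiceConnectionAppId
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)/appRoleAssignments"
$assignments = (Invoke-AzRestMethod -Method GET -Uri $uri).Content | ConvertFrom-Json
$granted = @(
    $assignments.value |
        Where-Object { $_.resourceId -eq $graphSp.Id } |
        ForEach-Object { $roleNameById[[string]$_.appRoleId] }
)

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"
Write-Host "Requested Graph application permissions: $(if ($requested) { $requested -join ', ' } else { '(none)' })"
Write-Host "Granted Graph application permissions:   $(if ($granted)   { $granted -join ', ' }   else { '(none)' })"

$missing = @($RequiredRoles | Where-Object { $granted -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host 'OK: all required Graph permissions are granted.'
    exit 0
}

# Subscription RBAC (Contributor, Owner, ...) authorises ARM calls such as
# deploying SQL or Key Vault, but not directory reads through Microsoft Graph.
$msg = ('Missing granted Graph permission(s): {0}. Azure RBAC on the subscription does not cover ' +
        'Get-AzADGroup; request the permission on the app registration and have an administrator ' +
        'with rights to consent to Graph application permissions grant admin consent.') -f ($missing -join ', ')
Write-Warning $msg
exit 1
```

Usage: `.\Audit-ServiceConnectionGraphPermissions.ps1 -ServiceConnectionAppId '<app id placeholder>'`. The script separates "requested" from "granted" on purpose: adding a Graph permission to the app registration is only a request, and until admin consent creates the app role assignment the pipeline still fails exactly as described in the question. Checking the granted set is therefore the test that actually predicts whether Get-AzADGroup will succeed.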
0 Answers