AzureAD PowerShell New-AzureRmRoleAssignment continues to fail

I am working on a PowerShell script that will create a resource group and register the included application (in this example, a Web API) with the associated AAD. But the call that tries to assign Reader rights continues to fail.

I started with the main *.ps1 deployment file, which comes with the AzureResourceGroup template in Visual Studio (2015).

I run the following code:

    #Requires -Version 3.0
    #Requires -Module AzureRM.Resources
    #Requires -Module Azure.Storage

    Import-Module Azure -ErrorAction SilentlyContinue
    Set-StrictMode -Version 3

    Login-AzureRmAccount

    $tenantWebSite = New-AzureRmADApplication -DisplayName "TheSiteName" -HomePage "http://MySignOnUrl" -IdentifierUris "http://MyIdentifierUrl" -Password "MyClientSecret"
    $tenantWebSiteServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $tenantWebSite.ApplicationId

    New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $tenantWebSite.ApplicationId

This last command (New-AzureRmRoleAssignment) continues to fail with the following error:

    09:58:26 - [ERROR] New-AzureRmRoleAssignment : PrincipalNotFound: Principal
    09:58:26 - [ERROR] 50f3d430c68b485b8c11a63552171550 does not exist in the directory
    09:58:26 - [ERROR] <MyTenantId>.
    09:58:26 - [ERROR] At D:\dev_new_2010\cto\src\dev\d.tom.0\deploy\calidos.maat.deploy.azureresourcegroup\Scripts\Deploy-AzureResourceGroup.ps1:115 char:1
    09:58:26 - [ERROR] + New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipa ...
    09:58:26 - [ERROR] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    09:58:26 - [ERROR]     + CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
    09:58:26 - [ERROR]     + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

I usually run this script using the deployment option in Visual Studio. When I run this script from the Microsoft Azure PowerShell command window, I get the same error.

BUT, when I run the exact command by itself in the same PowerShell window, it works!

    New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName <ApplicationId>

Does anyone have an idea why this happens when run from a .ps1 file? I also tried to explicitly define the scope, but that didn't help either.

+9
3 answers

EDIT:

Well, the previous "solution" was pure luck ... Apparently, New-AzureRmADServicePrincipal creates the principal asynchronously. The cmdlet returns the object immediately, but the actual principal is not instantiated yet ...

I worked around this by adding a Start-Sleep -s 15 command.

If this is not enough, either increase it, or catch the error and wait a few more seconds before retrying.

+8

I had the same error, but the root cause and the solution were different. This was my code:

    New-AzureRmRoleAssignment -ObjectId $ServicePrincipal.ApplicationId -RoleDefinitionName $Role -Scope "/subscriptions/$($Subscription.Context.Subscription.Id)"

and it always failed with the same error:

    New-AzureRmRoleAssignment: Principal 7dfxxxxxxxxxxxxx1b1 does not exist in directory 3141xxxxxxxxxxxxxx736.

The wait did not help.

The problem was resolved by using $ServicePrincipal.Id instead of $ServicePrincipal.ApplicationId for the -ObjectId parameter.

The use of $ServicePrincipal.ApplicationId is suggested in Example 5 at https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroleassignment?view=azurermps-5.5.0 , which is incorrect.

+2

I upvoted the second answer above, but after testing, it doesn't seem to work for me. I couldn't remove my vote.

Waiting with some retry logic did the trick for me.

0
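The three answers above point at two separate defects in the original script: the role assignment is attempted before the newly created service principal has replicated in the directory (answers 1 and 3), and the assignment is keyed on the wrong identifier (answer 2: -ObjectId must receive the principal's object id, $sp.Id, not $sp.ApplicationId). The script below is an added example, not code from the question or from any of the answers, that combines both fixes: it retries only on the "principal not found" condition and fails fast on anything else, then verifies the assignment. It uses the same AzureRM cmdlets as the page plus Get-AzureRmContext and Get-AzureRmRoleAssignment; the display name, URLs, retry count and delay are assumed placeholder values. In AzureRM 5.x -Password expects a SecureString, which is why the secret is read with Read-Host -AsSecureString rather than passed as a literal as in the question.

```powershell
#Requires -Module AzureRM.Resources
Set-StrictMode -Version 3

# Placeholder inputs (assumed, not values from the original post)
$displayName   = "TheSiteName"
$homePage      = "http://MySignOnUrl"
$identifierUri = "http://MyIdentifierUrl"
# Keep the client secret out of the script body and out of shell history
$clientSecret  = Read-Host -AsSecureString -Prompt "Client secret for $displayName"

Login-AzureRmAccount | Out-Null

$app = New-AzureRmADApplication -DisplayName $displayName -HomePage $homePage `
           -IdentifierUris $identifierUri -Password $clientSecret
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Scope the assignment explicitly. Subscription scope mirrors answer 2; a resource
# group scope ("/subscriptions/<id>/resourceGroups/<name>") is the tighter choice
# when the principal only needs to read one deployment.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# The service principal is created asynchronously, so the directory may not know
# the object id for several seconds. Retry only on that specific condition.
$maxAttempts  = 12   # assumed: 12 x 5 s = 60 s upper bound
$delaySeconds = 5
$assigned     = $false

for ($attempt = 1; $attempt -le $maxAttempts -and -not $assigned; $attempt++) {
    try {
        # -ObjectId takes the principal's object id ($sp.Id), NOT $sp.ApplicationId
        New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Reader `
            -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -notmatch 'PrincipalNotFound|does not exist in the directory') {
            # Any other failure (bad scope, missing permission, ...) is not transient
            throw
        }
        Write-Verbose "Attempt $attempt/$maxAttempts: principal $($sp.Id) not replicated yet; retrying in $delaySeconds s"
        Start-Sleep -Seconds $delaySeconds
    }
}

if (-not $assigned) {
    throw "Role assignment for principal $($sp.Id) still failing after $maxAttempts attempts"
}

# Verify exactly one Reader assignment exists for this principal at this scope
$check = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope |
         Where-Object { $_.RoleDefinitionName -eq 'Reader' }
if (@($check).Count -ne 1) {
    throw "Expected one Reader assignment for $($sp.Id) at $scope, found $(@($check).Count)"
}
Write-Output "Reader assigned to $displayName ($($sp.Id)) at $scope after $attempt attempt(s)"
```

Run the script with -Verbose (or set $VerbosePreference = 'Continue') to see each retry; the final Get-AzureRmRoleAssignment check is what distinguishes a real success from the silent "looked fine once" outcome described in the first answer's EDIT.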

Source: https://habr.com/ru/post/1242170/

