
az role assignment list - Failed to query xxxxxxxx by invoking Graph API #30672

Open
helannivas opened this issue Jan 17, 2025 · 3 comments
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that RBAC az role Similar-Issue

Comments

@helannivas

Describe the bug

Hi,

I'm writing a CLI command to list all the roles assigned to a user managed identity by running the command below

az role assignment list --assignee

but I'm getting a warning:

Failed to query xxxxxxxx by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type

I tried running with the --all parameter

az role assignment list --all

where I got output for all roles under each principalId.

I need to get the list for an individual principal ID. Please let me know what level of permission I'm lacking to run this query:

az role assignment list --assignee

Related command

az role assignment list --assignee
az role assignment list --all

Errors

Failed to query xxxxxxxx by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type

Issue script & Debug output

Failed to query xxxxxxxx by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type

Expected behavior

Output of roles assigned to user managed identity

Environment Summary

Azure CLI version: 2.249.8

Additional context

No response

@helannivas helannivas added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jan 17, 2025
@yonzhan
Collaborator

yonzhan commented Jan 17, 2025

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot RBAC az role labels Jan 17, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 17, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

The error message 'Failed to query xxxxxxxx by invoking Graph API' means the logged-in account doesn't have graph permission. If it is a service principal, you may follow the instructions to give it AD Graph Directory.Read.All permission. This involves granting the service principal the necessary permissions to access the Graph API.

Reference:

Solution 2:

Managed identity can't be granted Directory.Read.All permission. This permission can only be granted to a user account or a service principal account, not managed identity. Managed identity is only designed to access Azure resources, not Microsoft Graph or AD Graph.

Reference:

@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jan 17, 2025
@yonzhan yonzhan added this to the Backlog milestone Jan 17, 2025
@jiasli
Member

jiasli commented Jan 20, 2025

It is a known issue that az role assignment list doesn't support --assignee-object-id: #30436.

For now you may provide the GUID object ID (aka Principal ID) in --assignee and this will trigger the fallback logic:

    if fallback_to_object_id and is_guid(assignee):
        logger.warning('Assuming %s as an object ID.', assignee)
        return assignee, None
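The two workarounds in this thread (pass the principal ID as --assignee so the CLI's fallback skips Graph, or run --all and filter by principalId) both avoid granting the calling identity any directory permission. The following is an added example, not azure-cli's own code: a simplified Python model of that fallback branch, with a stand-in for the Graph lookup, plus a local filter over --all output. The directory entries, GUIDs and role assignments are constructed sample data; `GraphForbidden`, `graph_lookup`, `resolve_assignee` and `assignments_for_principal` are names chosen for this example and do not exist in the CLI.

```python
"""Added example, not azure-cli's own code: a simplified model of how
`az role assignment list --assignee` resolves an assignee, and of filtering
`--all` output by principalId locally. All data below is constructed."""
import json
import logging
import uuid
from typing import Dict, List, Optional, Tuple

logger = logging.getLogger(__name__)

# Constructed stand-in for the directory behind Microsoft Graph (hypothetical entries).
SAMPLE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "alice@contoso.example": ("11111111-1111-4111-8111-111111111111", "User"),
    "my-uami": ("22222222-2222-4222-8222-222222222222", "ServicePrincipal"),
}

# Constructed sample of `az role assignment list --all -o json` (only the fields used here).
SAMPLE_ALL_ASSIGNMENTS = json.loads("""[
  {"principalId": "22222222-2222-4222-8222-222222222222",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalId": "11111111-1111-4111-8111-111111111111",
   "principalType": "User", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"},
  {"principalId": "22222222-2222-4222-8222-222222222222",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1"}
]""")


class GraphForbidden(Exception):
    """Graph rejected the query: the signed-in identity lacks directory read rights."""


def is_guid(value: str) -> bool:
    """The same test the CLI's fallback relies on: does the assignee parse as a GUID?"""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def graph_lookup(assignee: str, has_graph_permission: bool) -> Optional[Tuple[str, str]]:
    """Stand-in for the Graph query; returns (objectId, principalType) or None if no match."""
    if not has_graph_permission:
        raise GraphForbidden("Insufficient privileges to complete the operation.")
    return SAMPLE_DIRECTORY.get(assignee)


def resolve_assignee(assignee: str, has_graph_permission: bool,
                     fallback_to_object_id: bool = True) -> Tuple[str, Optional[str]]:
    """Return (objectId, principalType); principalType is None when the fallback fired.

    Mirrors the branch quoted in the comment above: if Graph cannot be queried and
    the assignee is GUID-shaped, assume it is already an object ID and warn.
    A name (UPN, display name) cannot be resolved without Graph, so it re-raises.
    """
    try:
        hit = graph_lookup(assignee, has_graph_permission)
    except GraphForbidden:
        if fallback_to_object_id and is_guid(assignee):
            logger.warning("Failed to query %s by invoking Graph API. Assuming %s as an object ID.",
                           assignee, assignee)
            return assignee, None
        raise
    if hit is None:
        raise LookupError(f"Cannot find user or service principal for '{assignee}'.")
    return hit


def assignments_for_principal(assignments: List[dict], object_id: str) -> List[dict]:
    """Local equivalent of --query "[?principalId=='<guid>']" over `--all` output.

    Graph is never consulted; this needs only the ARM read that `--all` already needed.
    """
    return [a for a in assignments if a.get("principalId", "").lower() == object_id.lower()]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    uami_oid = "22222222-2222-4222-8222-222222222222"
    # Without Graph permission a name cannot be resolved ...
    try:
        resolve_assignee("my-uami", has_graph_permission=False)
    except GraphForbidden as exc:
        print("name lookup without Graph failed:", exc)
    # ... but the principal ID goes straight through the fallback.
    print(resolve_assignee(uami_oid, has_graph_permission=False))
    for a in assignments_for_principal(SAMPLE_ALL_ASSIGNMENTS, uami_oid):
        print(a["roleDefinitionName"], "@", a["scope"])
```

For a user-assigned managed identity the GUID to pass is its principalId (the object ID of its service principal), which `az identity show --name <name> --resource-group <rg> --query principalId -o tsv` returns without touching Graph. Passing that ID, or filtering --all output by principalId, keeps the automation identity at ARM read rights only; granting it a tenant-wide directory permission such as Directory.Read.All just to run this listing is a much larger privilege than the task needs.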
