Command
az role assignment create \
    --assignee-object-id <object-id> \
    --role Contributor \
    --scope /subscriptions/<subscription id>/
returns the error: Principals of type Application cannot validly be used in role assignments.
Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)
macOS High Sierra 10.13.2
installed using brew
az --version
azure-cli (2.0.25)
acr (2.0.19)
acs (2.0.24)
advisor (0.1.1)
appservice (0.1.24)
backup (1.0.6)
batch (3.1.8)
batchai (0.1.4)
billing (0.1.7)
cdn (0.0.11)
cloud (2.0.11)
cognitiveservices (0.1.10)
command-modules-nspkg (2.0.1)
configure (2.0.13)
consumption (0.2.1)
container (0.1.16)
core (2.0.25)
cosmosdb (0.1.16)
dla (0.0.17)
dls (0.0.19)
eventgrid (0.1.8)
extension (0.0.7)
feedback (2.0.8)
find (0.2.8)
interactive (0.3.13)
iot (0.1.16)
keyvault (2.0.16)
lab (0.0.15)
monitor (0.1.0)
network (2.0.21)
nspkg (3.0.1)
profile (2.0.17)
rdbms (0.0.11)
redis (0.2.11)
reservations (0.1.1)
resource (2.0.21)
role (2.0.17)
servicefabric (0.0.9)
sql (2.0.19)
storage (2.0.23)
vm (2.0.24)
Python location '/usr/local/opt/python3/bin/python3.6'
Extensions directory '/Users/shaun/.azure/cliextensions'
Python (Darwin) 3.6.4 (default, Jan 6 2018, 11:51:59)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
Legal docs and information: aka.ms/AzureCliLegal
@smarshal-Quest if you run az ad sp show --id <object-id>, what do you get?
(EDIT: if you use --assignee-object-id, it must be the object id of a service principal, not the object id of an Application; they are different things, and I have to agree it is very confusing.
If your CLI account has a Graph permission, please use --assignee <app id or name> so that the CLI can provide much, much better support to resolve the right object id for you.)
Hi
Error below:
SP is there and showing in portal
$ az ad sp show --id
or one of its queried reference-property objects are not present.
Traceback (most recent call last):
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/knack/cli.py", line 194, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 316, in execute
cmd.exception_handler(ex)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/util.py", line 40, in empty_on_404
raise ex
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 292, in execute
result = cmd(params)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 169, in __call__
return super(AzCliCommand, self).__call__(args, kwargs)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/knack/commands.py", line 109, in __call__
return self.handler(args, **kwargs)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 337, in default_command_handler
result = op(command_args)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 530, in show_service_principal
return client.get(object_id)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 276, in get
raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Resource '9506a52a-3470-418e-9669-1d3bdd7446aa' does not exist or one of its queried reference-property objects are not present
Shaun Marshall
Subject: Re: [Azure/azure-cli] Principals of type Application cannot validly be used in role assignments. (#5340)
This confirms, can you try --assignee <the APPLICATION ID you see in portal>?
Hi
Running :
az ad sp list -o json --query "[?contains(displayName,'pm-logcollect')]"
returns a different ID value than what the portal lists as object id
Shaun Marshall
Same error with --assignee:
$ az role assignment create \
    --assignee *** \
    --role Contributor \
    --scope /subscriptions/***/
Principals of type Application cannot validly be used in role assignments.
Shauns-MacBook-Pro:~ shaun$
Shaun Marshall
what is the output of az ad app show --id <APPLICATION ID in portal>?
az ad sp show --id
Resource * does not exist or one of its queried reference-property objects are not present.
Traceback (most recent call last):
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/knack/cli.py", line 194, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 316, in execute
cmd.exception_handler(ex)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/util.py", line 40, in empty_on_404
raise ex
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 292, in execute
result = cmd(params)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 169, in __call__
return super(AzCliCommand, self).__call__(args, **kwargs)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/knack/commands.py", line 109, in __call__
return self.handler(args, **kwargs)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 337, in default_command_handler
result = op(command_args)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 530, in show_service_principal
return client.get(object_id)
File "/usr/local/Cellar/azure-cli/2.0.25/libexec/lib/python3.6/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 276, in get
raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Resource '737be4f1-eb96-437b-827d-d169759fcc12' does not exist or one of its queried reference-property objects are not present.
Shaun Marshall
Looks like this is an external application. Did you create the application in the tenant? If yes, do you remember how you did it?
Please also double check in the portal that you are under the same tenant as the CLI. You can use az account show to cross-check the tenantId.
HI
I may have had a different account set. I was first trying a script
for sub in $(az account list --query "[].[id]" --output tsv); do
    SUBS="/subscriptions/$sub/"
    az role assignment create \
        --assignee <assignee> \
        --role Contributor \
        --scope "$SUBS"
done
to add the SP to all the subscriptions, then went on to test for a single subscription and then with --assignee-object-id.
I just did a show with the object id from
az ad sp list -o json --query "[?contains(displayName,'pm-logcollect')].objectId"
and it did return the SP details; I had put in the id before. The object id output by the CLI is different from the portal's.
regards
Shaun Marshall
@smarshal-Quest, please send me a mail to yugangw at microsoft dot com with the output of az ad app show --id <APPLICATION ID in portal>. Note, I am asking for the app, not the sp.
Per our mail communications, using the Application ID resolves the issue. I will add a bit more logic to handle the case when --assignee is an Application's object id.
I got the same problem when trying to assign a role to a service principal with C# code. The problem is that the service principal ID should be the object ID of the service principal, not the object ID of the application nor the application ID. I got the object ID of the service principal with the Azure CLI and it worked out.
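The thread turns on three identifiers that all look like GUIDs: the application (client) id, which appears as appId on both the app registration and its service principal; the object id of the app registration, which is what the portal's App registrations blade shows and which role assignments reject with "Principals of type Application cannot validly be used"; and the object id of the service principal, which is the only one a role assignment accepts. The following is an added example, not code from the Azure CLI project or from anyone in this thread. It works over a constructed directory in the shape of 2018-era az ad app list / az ad sp list output (the GUIDs are fake; newer CLIs backed by Microsoft Graph emit id rather than objectId), classifies an identifier the way the maintainer describes, and refuses an app-registration object id with a pointer to the service principal object id that should have been used. The role_assignment_args helper is hypothetical and only builds the argument vector a script would hand to az.

```python
"""Resolve the correct principal for an Azure role assignment.

Three identifiers are easy to confuse:
  * application (client) id     - appId on both the app registration and its SP
  * application object id       - objectId of the app registration (NOT assignable)
  * service principal object id - objectId of the SP (what role assignments need)

APPS_JSON / SPS_JSON below are constructed sample data in the shape of
`az ad app list -o json` and `az ad sp list -o json` output; the GUIDs are fake.
"""
import json

APPS_JSON = """[
  {"appId": "aaaaaaaa-0000-4000-8000-000000000001",
   "objectId": "bbbbbbbb-0000-4000-8000-000000000002",
   "displayName": "pm-logcollect"}
]"""

SPS_JSON = """[
  {"appId": "aaaaaaaa-0000-4000-8000-000000000001",
   "objectId": "cccccccc-0000-4000-8000-000000000003",
   "displayName": "pm-logcollect",
   "servicePrincipalType": "Application"}
]"""

APPS = json.loads(APPS_JSON)
SPS = json.loads(SPS_JSON)


def classify_identifier(ident, apps=APPS, sps=SPS):
    """Return which kind of identifier `ident` is, or None if unknown.

    Checking the SP list first mirrors `az ad sp show --id`: an app-registration
    object id is a 404 there, which is the symptom seen in the thread.
    """
    if any(ident == sp["objectId"] for sp in sps):
        return "spObjectId"
    if any(ident == app["objectId"] for app in apps):
        return "appObjectId"
    if any(ident == sp["appId"] for sp in sps):
        return "appId"
    if any(ident == sp["displayName"] for sp in sps):
        return "displayName"
    return None


def resolve_sp_object_id(ident, apps=APPS, sps=SPS):
    """Map any accepted identifier to the service principal object id.

    Raises ValueError with a CLI-style message for inputs that cannot be used.
    """
    kind = classify_identifier(ident, apps, sps)
    if kind == "spObjectId":
        return ident
    if kind == "appId":
        return next(sp["objectId"] for sp in sps if sp["appId"] == ident)
    if kind == "displayName":
        matches = [sp for sp in sps if sp["displayName"] == ident]
        if len(matches) != 1:
            raise ValueError(f"display name {ident!r} is ambiguous ({len(matches)} matches)")
        return matches[0]["objectId"]
    if kind == "appObjectId":
        # This is the confusing case: the portal shows this id on the app
        # registration, but it is not a principal. Point at the right one.
        app = next(a for a in apps if a["objectId"] == ident)
        sp_ids = [sp["objectId"] for sp in sps if sp["appId"] == app["appId"]]
        hint = sp_ids[0] if sp_ids else "<no SP exists; create one with az ad sp create>"
        raise ValueError(
            "Principals of type Application cannot validly be used in role assignments: "
            f"{ident} is the object id of the app registration {app['displayName']!r}; "
            f"use the service principal object id {hint}"
        )
    raise ValueError(f"Resource '{ident}' does not exist")


def role_assignment_args(ident, scope, role="Contributor"):
    """Build the argv a script would pass to `az` (hypothetical helper)."""
    object_id = resolve_sp_object_id(ident)
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", object_id,
            "--role", role,
            "--scope", scope]


if __name__ == "__main__":
    for ident in ("aaaaaaaa-0000-4000-8000-000000000001",   # app (client) id
                  "bbbbbbbb-0000-4000-8000-000000000002",   # app registration object id
                  "cccccccc-0000-4000-8000-000000000003",   # SP object id
                  "pm-logcollect"):
        try:
            print(ident, "->", classify_identifier(ident), "->", resolve_sp_object_id(ident))
        except ValueError as err:
            print(ident, "->", classify_identifier(ident), "-> ERROR:", err)
```

Against a real tenant the equivalent check is az ad sp show --id <application id>, which resolves by appId and prints the service principal's object id, whereas az ad sp show --id <app registration object id> returns the "Resource ... does not exist" error seen above. When the assignee is a service principal, newer CLIs also accept --assignee-principal-type ServicePrincipal alongside --assignee-object-id, which avoids the Graph lookup entirely; that flag is not in the 2.0.25 release used in this thread.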