Service principal is missing in `az ad group owner list` after upgrade to 2.37


This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az ad group owner list

Errors: Missing service principal as owner after upgrade to azcli 2.37+

```
$ az ad group owner list --group c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,id]'
user1@company.com        7addc286-717c-4590-9ec9-4559d41725f9
user2@company.com        c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user3@company.com        07930e5c-a4fd-4365-a817-1fb436d7c5c3
user4@company.com        aa62e803-6966-4dff-b7f0-0772bf76b0c9
user5@company.com        df2f9469-acc3-4bf9-993e-dfa6872903fe
```

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Authenticate to an Azure subscription
  • Install azcli 2.37 or higher (includes Microsoft Graph API migration)
  • `az ad group owner list --group ExampleGroup`

Expected Behavior

Service principal is displayed as owner before 2.37

```
$ az ad group owner list --group c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,objectId]'
user1@company.com        7addc286-717c-4590-9ec9-4559d41725f9
user2@company.com        c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user3@company.com        07930e5c-a4fd-4365-a817-1fb436d7c5c3
user4@company.com        aa62e803-6966-4dff-b7f0-0772bf76b0c9
user5@company.com        df2f9469-acc3-4bf9-993e-dfa6872903fe
None    1d0bb3be-f638-4b53-ac11-4ddd39e0d990
```

```
$ az version
{
  "azure-cli": "2.32.0",
  "azure-cli-core": "2.32.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "account": "0.2.2",
    "alertsmanagement": "0.2.2",
    "log-analytics": "0.2.2",
    "monitor-control-service": "0.3.0",
    "resource-graph": "2.1.0",
    "scheduled-query": "0.5.0"
  }
}
```

Environment Summary

Linux-4.4.0-19041-Microsoft-x86_64-with-glibc2.29, Ubuntu 20.04.4 LTS
Python 3.8.10
Installer: PIP

azure-cli 2.40.0

Extensions:
account 0.2.3
alertsmanagement 0.2.2
log-analytics 0.2.2
monitor-control-service 0.3.0
resource-graph 2.1.0
scheduled-query 0.5.1

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

[Image: group owners as displayed in the Azure portal]

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

jiasli commented, Nov 10, 2022 (1 reaction)

Similar to

According to List group owners API’s documentation:

https://learn.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-1.0&tabs=http

Note: Currently, service principals are not listed as group owners due to the staged rollout of service principals to the Microsoft Graph v1.0 endpoint.

This is a feature gap between AD Graph and Microsoft Graph. `az ad group owner list` internally calls that API.

As a workaround, you may try using `az rest` to call the beta API: https://learn.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-beta&tabs=http (though I haven’t verified that myself).

floryut commented, Nov 9, 2022 (0 reactions)

@jiasli Thank you for the workaround, it’s indeed working fine. I’m going to go with that while the bug is being fixed.

```
$ az rest --method get --url https://graph.microsoft.com/beta/groups/c40d6c92-ebf1-46ee-9fd1-99685b281394/owners | jq -r ".value | .[] | [.mail,.id] | @tsv"
user.name1@company.com     7addc286-717c-4590-9ec9-4559d41725f9
user.name2@company.com     c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
                           07930e5c-a4fd-4365-a817-1fb436d7c5c3
user.name3@company.com     aa62e803-6966-4dff-b7f0-0772bf76b0c9
```

versus

```
$ az ad group owner list -g c40d6c92-ebf1-46ee-9fd1-99685b281394 --out tsv --query '[].[mail,id]'
user.name1@company.com     7addc286-717c-4590-9ec9-4559d41725f9
user.name2@company.com     c2ddd1d1-8ae8-42e6-aef4-2d7dd44bce65
user.name3@company.com     aa62e803-6966-4dff-b7f0-0772bf76b0c9
```
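
The side-by-side comparison in the comment above, as an added example that is not part of the original thread or the Azure CLI code: it diffs saved JSON output of `az ad group owner list` against the beta `owners` responses and reports owners that appear only in the beta listing, labelled by `@odata.type`. The IDs, names, next-page URL and the `merge_pages` / `hidden_owners` helpers are constructed for illustration, and it assumes the beta capture may span several pages linked by `@odata.nextLink`.

```python
# Added example; all IDs, names and URLs below are constructed sample data.
# V1_OWNERS: saved `az ad group owner list --group <id> -o json` output.
V1_OWNERS = [
    {"id": "00000000-0000-0000-0000-000000000001", "mail": "user1@example.com"},
    {"id": "00000000-0000-0000-0000-000000000002", "mail": "user2@example.com"},
]
# BETA_PAGES: saved `az rest` responses from .../beta/groups/<id>/owners,
# one dict per page (the first links to a second via @odata.nextLink).
BETA_PAGES = [
    {"@odata.nextLink": "https://graph.microsoft.com/beta/constructed-next-page",
     "value": [
         {"@odata.type": "#microsoft.graph.user", "mail": "user1@example.com",
          "id": "00000000-0000-0000-0000-000000000001"},
         {"@odata.type": "#microsoft.graph.servicePrincipal", "mail": None,
          "id": "00000000-0000-0000-0000-0000000000A1",
          "displayName": "ci-deployer"}]},
    {"value": [
         {"@odata.type": "#microsoft.graph.user", "mail": "user2@example.com",
          "id": "00000000-0000-0000-0000-000000000002"}]},
]


def merge_pages(pages):
    """Flatten paged Graph responses and refuse a truncated capture."""
    if pages and "@odata.nextLink" in pages[-1]:
        raise ValueError("last page has @odata.nextLink: capture is incomplete")
    return [owner for page in pages for owner in page.get("value", [])]


def hidden_owners(v1_owners, beta_owners):
    """Return (kind, id, label) for owners present only in the beta listing."""
    seen = {o["id"].lower() for o in v1_owners}
    report = []
    for o in beta_owners:
        oid = o["id"].lower()  # GUIDs compare case-insensitively
        if oid in seen:
            continue
        kind = o.get("@odata.type", "").rsplit(".", 1)[-1] or "unknown"
        report.append((kind, oid, o.get("displayName") or o.get("mail") or ""))
    return sorted(report)


if __name__ == "__main__":
    for kind, oid, label in hidden_owners(V1_OWNERS, merge_pages(BETA_PAGES)):
        print(f"only in beta listing: {kind}\t{oid}\t{label}")
```

An empty result means the two listings agree; any `servicePrincipal` row is an owner the v1.0-backed command does not show, so access reviews built on that command alone would miss it.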