
[BUG] Add-PnPAzureADServicePrincipalAppRole not working in azure government

Open jrudley opened this issue 1 year ago • 4 comments

Reporting an Issue or Missing Feature

Add-PnPAzureADServicePrincipalAppRole -Principal "id" -AppRole "Group.Read.All" -BuiltInType MicrosoftGraph

Get-PnPAzureADServicePrincipal: Service principal not found

Expected behavior

it adds the app role

Actual behavior

Get-PnPAzureADServicePrincipal: Service principal not found

Steps to reproduce behavior

  • Create an Azure Function.
  • Enable managed identity.
  • Run: Add-PnPAzureADServicePrincipalAppRole -Principal "id" -AppRole "Group.Read.All" -BuiltInType MicrosoftGraph

What is the version of the Cmdlet module you are running?

(you can retrieve this by executing Get-Module -Name "PnP.PowerShell" -ListAvailable)

2.12.0

Which operating system/environment are you running PnP PowerShell on?

  • [X] Windows
  • [ ] Linux
  • [ ] MacOS
  • [ ] Azure Cloud Shell
  • [ ] Azure Functions
  • [ ] Other : please specify

jrudley avatar Oct 11 '24 14:10 jrudley
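The following script is an added example, not code from this issue or from the PnP PowerShell project. It wraps the reproduction steps above in a pre-flight check that fails closed: it connects explicitly to the sovereign cloud, confirms that Get-PnPConnection reports the expected AzureEnvironment, resolves the Microsoft Graph service principal and checks that the requested app role exists before anything is granted. The tenant URL, client id, certificate thumbprint, tenant name and principal object id are placeholders, and the `Value` property on the objects returned by Get-PnPAzureADServicePrincipalAvailableAppRole is an assumption.

```powershell
# Added example; not code from the issue or from the PnP PowerShell project.
# Pre-flight check before granting a Microsoft Graph application permission to a
# principal in a sovereign cloud. Nothing is granted unless the connection reports
# the expected AzureEnvironment and both the Graph service principal and the
# requested app role resolve.
#
# Assumptions/placeholders: the URL, client id, thumbprint, tenant and principal
# object id below are placeholders; the app-role objects returned by
# Get-PnPAzureADServicePrincipalAvailableAppRole are assumed to expose a 'Value'
# property holding the permission name (e.g. Group.Read.All).
param(
    [string]$Url         = "https://contoso-admin.sharepoint.us",   # placeholder
    [string]$ClientId    = "00000000-0000-0000-0000-000000000000",  # placeholder app registration
    [string]$Thumbprint  = "PLACEHOLDER_CERT_THUMBPRINT",           # placeholder
    [string]$Tenant      = "contoso.onmicrosoft.com",               # placeholder
    [string]$PrincipalId = "11111111-1111-1111-1111-111111111111",  # placeholder: object id of the managed identity
    [string]$AppRole     = "Group.Read.All",                        # role used in the issue
    [string]$Expected    = "USGovernmentHigh"                       # value seen in the issue's Get-PnPConnection output
)

# Connect explicitly to the sovereign cloud. A default connection targets the
# commercial cloud, where a GCC High tenant's directory objects do not exist.
Connect-PnPOnline -Url $Url -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $Tenant -AzureEnvironment $Expected

# Step 1: confirm the connection object reports the environment we asked for.
$conn = Get-PnPConnection
if ($conn.AzureEnvironment -ne $Expected) {
    throw "Connection reports AzureEnvironment '$($conn.AzureEnvironment)'; expected '$Expected'. No permission was changed."
}
Write-Host "Connected to $($conn.Url) in $($conn.AzureEnvironment)"

# Step 2: resolve the Microsoft Graph service principal in this environment.
# This is the lookup that failed with "Service principal not found" in the issue.
try {
    $graphSp = Get-PnPAzureADServicePrincipal -BuiltInType MicrosoftGraph -ErrorAction Stop
} catch {
    throw "Microsoft Graph service principal could not be resolved in $($conn.AzureEnvironment): $($_.Exception.Message)"
}

# Step 3: verify the requested app role is actually exposed by that service
# principal, so a typo or an unsupported role is caught before any assignment.
$roles = $graphSp | Get-PnPAzureADServicePrincipalAvailableAppRole
$match = $roles | Where-Object { $_.Value -eq $AppRole }   # 'Value' is an assumed property name
if (-not $match) {
    throw "App role '$AppRole' is not exposed by the Microsoft Graph service principal; nothing was granted."
}

# Step 4: grant exactly the one requested role to the one target principal.
Add-PnPAzureADServicePrincipalAppRole -Principal $PrincipalId -AppRole $AppRole -BuiltInType MicrosoftGraph
Write-Host "Granted '$AppRole' to principal $PrincipalId"
```

When the script runs inside the Azure Function itself, the certificate parameters can be replaced by `Connect-PnPOnline -ManagedIdentity -Url $Url -AzureEnvironment $Expected`; the environment check in step 1 stays the same, and it is the check Koen asks for in the next comment.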

I don't have access to such an environment myself, which makes it really hard to troubleshoot. As far as I can judge from the code, the cmdlet you use implements the logic properly to deal with sovereign clouds. Can you check and confirm that if you run: Get-PnPConnection

That for you it returns the property AzureEnvironment with the proper value? I.e. USGovernment, USGovernmentDoD or USGovernmentHigh?

KoenZomers avatar Oct 11 '24 15:10 KoenZomers

Yes, this works.

Get-PnPConnection

ConnectionMethod                       : AzureADAppOnly
ConnectionType                         : TenantAdmin
InitializationType                     : Unknown
Scopes                                 :
PSCredential                           :
ClientId                               : removed
ClientSecret                           :
ApplicationInsights                    : PnP.PowerShell.ALC.ApplicationInsights
Url                                    : https://removed.sharepoint.us/
TenantAdminUrl                         :
Certificate                            : [Subject]
                                           CN=JRDEV-PNP

                                         [Issuer]
                                           CN=JRDEV-PNP

                                         [Serial Number]
                                           00932F2004E613344A

                                         [Not Before]
                                           2/6/2024 12:00:00 AM

                                         [Not After]
                                           2/6/2034 12:00:00 AM

                                         [Thumbprint]
                                           A7018A5D573BFC2D6B8BBD342A1D

DeleteCertificateFromCacheOnDisconnect : False
Context                                : PnP.Framework.PnPClientContext
Tenant                                 : removed.onmicrosoft.com
UserAssignedManagedIdentityObjectId    :
UserAssignedManagedIdentityClientId    :
UserAssignedManagedIdentityAzureResourceId :
AzureEnvironment                       : USGovernmentHigh

Get-PnPAzureADServicePrincipal -BuiltInType MicrosoftGraph | Get-PnPAzureADServicePrincipalAvailableAppRole

Get-PnPAzureADServicePrincipal: Service principal not found

Does not work.


jrudley avatar Oct 11 '24 18:10 jrudley

I ended up switching back to an client id and cert. I manually created the managed identity permissions and had too many issues.

jrudley avatar Oct 11 '24 21:10 jrudley

Add-PnPAzureADServicePrincipalAppRole: Verification code expired before contacting the server

allanwei avatar Oct 15 '24 18:10 allanwei

Having the same issue in a commercial tenant with the nightly build. I believe it was actually working with 2.12, then I had to switch to a nightly build to resolve an issue with creating an App Registration with a certificate in order to run any PowerShell cmdlets, and now assigning the rights with that PowerShell instance to an Azure Automation Account fails, even though the response to Get-PnPEntraIDServicePrincipal DOES include the Azure Automation Account to which I'm trying to assign a permission.

Related bug logged: https://github.com/pnp/powershell/issues/4501

erobillard avatar Nov 06 '24 21:11 erobillard

I have issues as well with the 2.99.42 version. For now I moved to Graph to keep it going.

Chrdik78 avatar Nov 13 '24 13:11 Chrdik78

hi @jrudley, @Chrdik78 - this issue has been fixed now. It will be available in tomorrow's as well as subsequent nightly builds!

Thanks for raising this.

gautamdsheth avatar Nov 25 '24 19:11 gautamdsheth

Thanks!


jrudley avatar Nov 25 '24 19:11 jrudley