
Issue with subscription "Access to Azure Active Directory" #161

Closed
aricade opened this issue Jan 4, 2023 · 15 comments

Comments

aricade (Author) commented Jan 4, 2023

Running with an SPN, the script gets stuck in an endless failing loop if it tries to analyze the MS special subscriptions for licensing called "Access to Azure Active Directory". Not even a Tenant Owner/Global Admin can see the roles of these subscriptions. I think only MS can.

Is there a way to add a Subscription Exclude List? Or perhaps another strategy that will work with the code as it is now?

I have been using Management groups to work around it but right now we are moving subscriptions and it would be helpful to analyze everything (subscriptions) from the tenant-root-group.

JulianHayward (Owner) commented

@aricade that functionality should already be in the script (excluding subscriptions with quotaId 'AAD_*'). Please pass more details on which stage it gets stuck at / provide logs, and please execute with parameter: -debugAzAPICall

aricade (Author) commented Jan 4, 2023

Thanks @JulianHayward

> Please pass more details at which stage it gets stuck /provide logs and please execute with parameter: -debugAzAPICall

I ran this connected with an SPN that has Tenant READ:

```
Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall
```

This is the interesting part of the debug verbosity:

```
[AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> [AzAPICall] Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> - retry
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> attempt#7 processing: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> uri: 'https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$count=true&$filter=(roleDefinition/resource/id eq '67ac961a-66fc-4072-98db-48ca82261e3d')+and+(assignmentState eq 'Eligible')&$top=100'
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> unexpectedError: false
  [AzAPICall] DEBUGTASK: Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> -> apiStatusCode: '400' (BadRequest)
[AzAPICallErrorHandler] Get Eligible assignments for Scope subscription: <MY SUBSCRIPTION ID HERE> try #7; return: (StatusCode: '400' (BadRequest)) <.code: ''> <.error.code: 'UnknownError'> | <.message: ''> <.error.message: '{"error":{"code":"DisallowedOperation","message":"The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."}}'> - AzAPICall: try again in 7 second(s)
```

Like this over and over; the "AzAPICall: try again in <#> second(s)" keeps incrementing...

I seem to have 2 "Access to Azure Active Directory" subscriptions and it goes back and forth between each one retrying...

EDIT:
I shall try -SubscriptionQuotaIdWhitelist $ArrayOfQuotaidStrings, thank you! But this is the quota ID for subscriptions I want to include (and not exclude), right?

I run this to determine the whitelist subscriptions:

```
Get-AzSubscription | select Id,Name,@{label='QuotaID';E={$_.SubscriptionPolicies.QuotaId}}
```

EDIT 2:
This fixed my issue:

```
Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -SubscriptionQuotaIdWhitelist "AAD_"
```

So -SubscriptionQuotaIdWhitelist is an exclude of subscriptions with matching prefix. Thanks!

PS: thanks for all your work on this project! It is awesome!

JulianHayward (Owner) commented

@aricade ok, got it - requires a fix, will update here. Meanwhile try parameter -NoPIMEligibility.
:) Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId.
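The two behaviours discussed so far (skipping the AAD_* subscriptions by quotaId prefix, and a retry loop that keeps re-issuing a request the API will always reject with 400 DisallowedOperation) can be shown in a few lines of PowerShell. This is an added example and is not AzGovViz code: the function names, the sample subscription objects and the placeholder GUIDs are constructed here; the default exclusion of 'AAD_' and the "whitelist means only process matching subs" semantics follow what the maintainer describes in this thread, and the error body is shaped like the one in the debug log above.

```powershell
# Added example (not part of AzGovViz). Two defender-side helpers:
#   1. filter a subscription list by quotaId prefix before enumerating roles;
#   2. classify an API failure so a 400 'DisallowedOperation' stops the retry loop.

# Constructed sample shaped like Get-AzSubscription output
# (Id, Name, SubscriptionPolicies.QuotaId). GUIDs are placeholders.
$sampleSubscriptions = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; Name = 'prod-landing-zone'
                       SubscriptionPolicies = [pscustomobject]@{ QuotaId = 'CSP_2015-05-01' } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; Name = 'Access to Azure Active Directory'
                       SubscriptionPolicies = [pscustomobject]@{ QuotaId = 'AAD_2015-09-01' } }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'; Name = 'dev-sandbox'
                       SubscriptionPolicies = [pscustomobject]@{ QuotaId = 'MSDN_2014-09-01' } }
)

function Select-SubscriptionByQuotaId {
    <#
      Returns subscriptions whose quotaId does not start with any -ExcludePrefix and,
      when -IncludePrefix is given, starts with at least one of them.
      Default exclusion mirrors the AAD_* skip; -IncludePrefix mirrors the
      whitelist semantics (only matching subs are processed).
    #>
    param(
        [Parameter(Mandatory)] [object[]] $Subscription,
        [string[]] $IncludePrefix = @(),
        [string[]] $ExcludePrefix = @('AAD_')
    )
    foreach ($sub in $Subscription) {
        $quotaId = [string] $sub.SubscriptionPolicies.QuotaId
        $excluded = @($ExcludePrefix | Where-Object {
            $quotaId.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
        if ($excluded) { continue }
        if ($IncludePrefix.Count -gt 0) {
            $included = @($IncludePrefix | Where-Object {
                $quotaId.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
            if (-not $included) { continue }
        }
        $sub
    }
}

function Get-ApiErrorDisposition {
    <#
      Decides whether an HTTP failure is worth retrying. 429 and 5xx are treated as
      transient; a 400 whose JSON body carries error.code 'DisallowedOperation'
      (what the AAD_* subscriptions return) can never succeed and is terminal.
      Any other 4xx is also terminal: retrying does not change the answer.
    #>
    param(
        [Parameter(Mandatory)] [int] $StatusCode,
        [string] $Body = ''
    )
    $errorCode = $null
    if ($Body) {
        try { $errorCode = (ConvertFrom-Json -InputObject $Body).error.code } catch { }
    }
    $retry = switch ($StatusCode) {
        429            { $true;  break }
        { $_ -ge 500 } { $true;  break }
        400            { ($errorCode -ne 'DisallowedOperation') -and ($null -eq $errorCode); break }
        default        { $false }
    }
    [pscustomobject]@{ StatusCode = $StatusCode; ErrorCode = $errorCode; Retry = $retry }
}

# Usage with the constructed sample: keep only CSP_/MSDN_ subs; AAD_ is always skipped.
Select-SubscriptionByQuotaId -Subscription $sampleSubscriptions -IncludePrefix 'CSP_', 'MSDN_' |
    Select-Object Name, @{ Label = 'QuotaId'; Expression = { $_.SubscriptionPolicies.QuotaId } }

# Constructed body following the shape of the error in the debug log above.
$disallowedBody = '{"error":{"code":"DisallowedOperation","message":"The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."}}'
Get-ApiErrorDisposition -StatusCode 400 -Body $disallowedBody
Get-ApiErrorDisposition -StatusCode 429
```

With the sample data the first call lists only prod-landing-zone and dev-sandbox, and the two disposition calls come back with Retry false for the DisallowedOperation body and Retry true for the 429. A 400 with no parsable error code is left retryable only because the caller cannot tell why it failed; once a body names DisallowedOperation the loop should stop rather than back off further.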

aricade (Author) commented Jan 4, 2023

> :) Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId

Wait, really? That is interesting; I think it might be the opposite. Let me verify. I will update here.
Yeah, you are right... Of course, you made the script. Getting confused now. I ran with -SubscriptionQuotaIdWhitelist "CSP_","MSDN_" in my case.

> ok, got it - requires a fix, will update here. Meanwhile try parameter -NoPIMEligibility.

Well, I have tested the 2 workarounds below after some confusion:

  • Option 1 is not working (it appears to try "Get Eligible assignments for Scope subscription:" for QuotaIDs AAD_* even though it should include only matching QuotaIDs)
  • Option 2 is working but with no PIM (and this is one of my favorite features of this script)

Option 1: If you want PIM:

```
Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -SubscriptionQuotaIdWhitelist "CSP_","MSDN_"
```

Option 2: If you don't need PIM:

```
Azure-MG-Sub-Governance-Reporting> pwsh\AzGovVizParallel.ps1 -OutputPath $OutputPath -DoPSRule -ManagementGroupID <my-root-tenant-mgmt-group> -debugAzAPICall -NoPIMEligibility
```

JulianHayward (Owner) commented

Using -SubscriptionQuotaIdWhitelist "AAD_" will only process subs matching that quotaId, hence all the nice data for subscriptions with other quotaIds will not be available.
[screenshot attached in the original comment, not reproduced here]

I fear that if you need the PIM data you will need to await the fix.

aricade (Author) commented Jan 4, 2023

> I fear - if you need the PIM data you will need to await the fix

Well, that's all good; I appreciate you looking into this. When you get around to it, let me know and I will verify.

MarcelHeek commented

Had the same "Access to Azure AD" subscriptions. These are legacy and can be deleted. However, you cannot do that yourself and need to raise a support ticket with MS to get them removed. I recall there is a 90-day retention before they can actually be deleted.

https://www.jasonfritts.me/2020/04/07/what-is-the-access-to-azure-active-directory-subscription-for/#:~:text=The%20%E2%80%9CAccess%20to%20Azure%20Active%20Directory%E2%80%9D%20subscriptions%20are%20a%20legacy,portal.azure.com

https://stackoverflow.com/questions/68623828/access-to-azure-active-directory-subscription-permission-error

So in the meantime I am running with the -SubscriptionQuotaIdWhitelist argument populated.

aricade (Author) commented Jan 5, 2023

@MarcelHeek

> Had the same "Access to Azure AD" subscriptions. these are legacy and can be deleted. However you cannot do that yourself and need to raise a support ticket with MS to get them removed. I recall there is a 90 day retention before they can actually be deleted.

Yes, I had a call with MS escalated through my CSP. Though the support analyst was saying that these 2 subscriptions are from AAD_PREMIUM_P2 licenses and some free trial, claiming they are required for Azure AD Connect and other features. But after I showed them that as a Subscription Owner I did not have access to modify permissions through IAM, they are looking into it. I think you are right that they are legacy; I directed them to your first link when I started the ticket but they seemed convinced this was normal. Hence I started this issue. But I will point them to this issue and the links you have supplied. Thank you very much!

> So in the meantime I am running with the -SubscriptionQuotaIdWhitelist argument populated

With or without PIM (do you use an App Registration/SPN)? Interestingly, I only have issues when running with an SPN, as I want to see the PIM setup/config.

But -SubscriptionQuotaIdWhitelist does not seem to work for me. That said, if I can have MS remove the subscriptions this may resolve all my issues.

Thanks!

JulianHayward (Owner) commented

@aricade @MarcelHeek
please check the dev branch.
Do not use the parameters:

  • -SubscriptionQuotaIdWhitelist
  • -NoPIMEligibility

aricade (Author) commented Jan 5, 2023

@JulianHayward
This worked! Thank you!

MarcelHeek commented

@JulianHayward

For me it fails pretty early in the execution (for 3 tenants, before I cancelled the job) with the following. For all 3 it failed on microsoft.web/sites/slots:
[screenshot attached in the original comment, not reproduced here]

MarcelHeek commented

@JulianHayward
Perhaps good additional info is that I came from this version: v6_major_20221228_1

I bumped up to the latest released version, v6_major_20230103_1, and the script fatally exits at the first website slot for all my tenants, so I am back to v6_major_20221228_1; this issue was introduced after that version.

JulianHayward (Owner) commented

@MarcelHeek let's try the latest in the dev branch (v6_major_20230106_1)

MarcelHeek commented

@JulianHayward Damn, you are fast. The error is gone.

JulianHayward (Owner) commented

Thanks gents @MarcelHeek @aricade
