Reputation: 2487
I am using a runbook in an Azure Automation Account. In this runbook, I use a "run as account" which has Owner rights on the subscription. When I execute the command Get-AzRoleAssignment, I get:
Get-AzRoleAssignment : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
At line:21 char:16 + $listOfUsers = Get-AzRoleAssignment -verbose + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], CloudException + FullyQualifiedErrorId :
Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
The Service Principal of the "run as account" has the permissions below:
Do you have any idea?
Is it an authorization error? If so, which permissions should I give to the SP?
Upvotes: 3
Views: 1907
Reputation: 42163
I can also reproduce your issue on my side. When you run the command with some parameters, e.g. with ObjectId, Get-AzRoleAssignment -ObjectId xxxxx, it will call the AAD Graph first to verify the object in your tenant.
To solve the issue, just add the Application permission Directory.Read.All of Azure Active Directory Graph to your AD App of the RunAs account.
Note: In your screenshot, you added the Delegated permission Directory.Read.All; it will not work, it must be the Application permission. Check the steps below.
After giving the permission, it works fine.
Upvotes: 2
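An added example, not part of either post, that performs the fix from the answer with the AzureAD PowerShell module instead of the portal: it appends the Azure AD Graph Application permission Directory.Read.All to the RunAs account's AD App and then verifies that what is configured is a Role (Application) entry and not a Scope (Delegated) one. The AzureAD module, a Global Administrator session and the placeholder $runAsAppId are assumptions.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and a
# session with rights to edit app registrations. $runAsAppId is a placeholder
# for the Application (client) ID of the RunAs account's AD App.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$runAsAppId = '<RUNAS-ACCOUNT-APP-ID-PLACEHOLDER>'

# Well-known App ID of the Azure Active Directory Graph API resource.
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'

$aadGraphSp = Get-AzureADServicePrincipal -Filter "AppId eq '$aadGraphAppId'"
$app        = Get-AzureADApplication      -Filter "AppId eq '$runAsAppId'"

# Application permissions are AppRoles on the resource's service principal;
# Delegated permissions are its Oauth2Permissions. We need the AppRole.
$appRole = $aadGraphSp.AppRoles | Where-Object { $_.Value -eq 'Directory.Read.All' }
if (-not $appRole) { throw 'Directory.Read.All AppRole not found on AAD Graph' }

# Type 'Role' = Application permission; 'Scope' would be the Delegated one
# that the question's screenshot had, which does not satisfy the runbook.
$access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$access.ResourceAppId  = $aadGraphAppId
$access.ResourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess `
    -ArgumentList $appRole.Id, 'Role'

# Keep the app's existing required permissions and append this one.
$required = @($app.RequiredResourceAccess) + $access
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required

# Verify the result: an entry for AAD Graph with this AppRole Id and Type 'Role'.
$app = Get-AzureADApplication -ObjectId $app.ObjectId
$configured = $app.RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $aadGraphAppId } |
    ForEach-Object { $_.ResourceAccess } |
    Where-Object { $_.Id -eq $appRole.Id -and $_.Type -eq 'Role' }

if ($configured) {
    'Directory.Read.All (Application) is configured on the RunAs app.'
} else {
    throw 'Application permission was not recorded on the app registration.'
}
```

Adding the required permission only records the request on the app registration; an administrator still has to grant admin consent for it (for example from the API permissions blade in the portal) before Get-AzRoleAssignment in the runbook succeeds.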