Az-GetManagementGroup creates user error when encountering subscription in MG hierarchy that is disabled or de-registered state #25315
Labels
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
customer-reported
Management Groups: AzManagementGroup* in Az.Resources
Service Attention: This issue is the responsibility of the Azure service team.
Description
Customer with an account that has the following permissions:
Tenant Root = Reader
Intermediate Root = Resource Policy Contributor, Role Based Access Control Administrator
When running the command Az-GetManagementGroup -GroupName Intermediate-Root, the customer gets this error:
Get-AzManagementGroup: The client 'xxxxr@yyyyy.onmicrosoft.com' with object id 'xxxxxxxxx-d218-49fc-b3a0-421f69yyyyyyy' does not have authorization to perform action 'Microsoft.Management/register/action' over scope '/subscriptions/xxxxxxx8de1-4c6c-a5a3-2fe106ff2272' or the scope is invalid. If access was recently granted, please refresh your credentials.
The subscription does exist, but is in some kind of disabled state. Customer is only trying to read management groups, but the PS AZ module is clearly trying to take registration action, which it really shouldn't do in the context of reading a management group hierarchy.
FYI we believe the subscriptions in question (triggering this issue) may be part of a platform-wide deprecation effort for subscriptions identified as "Access to Azure Active Directory", which is in the process of being deprecated (https://learn.microsoft.com/en-us/answers/questions/1657719/subscription-offer-access-to-azure-active-director).
Issue script & Debug output
Environment data
Module versions
Error output