Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get-AzureRmSubscription repeats subscription per tenantid when using AccessToken connection #6521

Closed
tylerd opened this issue Jun 22, 2018 · 21 comments
Closed

Get-AzureRmSubscription repeats subscription per tenantid when using AccessToken connection #6521

tylerd opened this issue Jun 22, 2018 · 21 comments
Assignees
@vladimir-shcherbakov
Labels
Azure PS Team

Comments

@tylerd
Copy link

tylerd commented Jun 22, 2018

Description

Executing Get-AzureRmSubscription results in repeat subscriptions per Tenant.

Interestingly, the Subscriptions listed are only under the Microsoft Tenant. There are other subscriptions under the other Tenants that are not listed (even though the TenantIds are listed)

Script/Steps for Reproduction

Generate Access Token to access Azure Management API.
Get all Subscriptions

Import-Module AzureRM -Global
Import-Module Microsoft.ADAL.PowerShell -Global

$azEnv = Get-AzureRmEnvironment -Name "AzureCloud"
$clientId = [Microsoft.Azure.Commands.Common.Authentication.AdalConfiguration]::PowerShellClientId
$redirectUri = [Microsoft.Azure.Commands.Common.Authentication.AdalConfiguration]::PowerShellRedirectUri

$token = Get-ADALAccessToken -AuthorityName $MSFT -ClientId $clientId -ResourceId $azEnv.ActiveDirectoryServiceEndpointResourceId -RedirectUri $redirectUri

Connect-AzureRmAccount -AccessToken $token -AccountId $AccountId -TenantId $MSFT

# Done Login

Get-AzureRmSubscription | select Name,TenantId

Module Version

C:\Users\tylerd\DesktopGet-Module -Name AzureRM -ListAvailable


    Directory: C:\Users\tylerd\Documents\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     6.3.0      AzureRM
Script     6.2.0      AzureRM


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     5.7.0      AzureRM

Environment Data

C:\Users\tylerd\Desktop$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.112
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.112
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Debug Output

Full Debug Output Attached:
debugoutput.txt

Name                          TenantId
----                          --------
IAAS                          b747b1a6-9639-44ab-82bf-db0805e29468
PCL                           b747b1a6-9639-44ab-82bf-db0805e29468
W                             b747b1a6-9639-44ab-82bf-db0805e29468
MSFT                          b747b1a6-9639-44ab-82bf-db0805e29468
BC                            b747b1a6-9639-44ab-82bf-db0805e29468
ML                            b747b1a6-9639-44ab-82bf-db0805e29468
IQ                            b747b1a6-9639-44ab-82bf-db0805e29468
MS1                           b747b1a6-9639-44ab-82bf-db0805e29468
MSDN                          b747b1a6-9639-44ab-82bf-db0805e29468
MO                            b747b1a6-9639-44ab-82bf-db0805e29468
Agile-BI-Azure-Subscription-2 b747b1a6-9639-44ab-82bf-db0805e29468
Visual Studio Enterprise      b747b1a6-9639-44ab-82bf-db0805e29468
ASC DEMO                      b747b1a6-9639-44ab-82bf-db0805e29468
Contoso IT - demo             b747b1a6-9639-44ab-82bf-db0805e29468
TORMTC                        b747b1a6-9639-44ab-82bf-db0805e29468
IAAS                          72f988bf-86f1-41af-91ab-2d7cd011db47
PCL                           72f988bf-86f1-41af-91ab-2d7cd011db47
W                             72f988bf-86f1-41af-91ab-2d7cd011db47
MSFT                          72f988bf-86f1-41af-91ab-2d7cd011db47
BC                            72f988bf-86f1-41af-91ab-2d7cd011db47
ML                            72f988bf-86f1-41af-91ab-2d7cd011db47
IQ                            72f988bf-86f1-41af-91ab-2d7cd011db47
MS1                           72f988bf-86f1-41af-91ab-2d7cd011db47
MSDN                          72f988bf-86f1-41af-91ab-2d7cd011db47
MO                            72f988bf-86f1-41af-91ab-2d7cd011db47
Agile-BI-Azure-Subscription-2 72f988bf-86f1-41af-91ab-2d7cd011db47
Visual Studio Enterprise      72f988bf-86f1-41af-91ab-2d7cd011db47
ASC DEMO                      72f988bf-86f1-41af-91ab-2d7cd011db47
Contoso IT - demo             72f988bf-86f1-41af-91ab-2d7cd011db47
TORMTC                        72f988bf-86f1-41af-91ab-2d7cd011db47
IAAS                          1604a336-abfc-4ffe-a7e7-bf277ec36f51
PCL                           1604a336-abfc-4ffe-a7e7-bf277ec36f51
W                             1604a336-abfc-4ffe-a7e7-bf277ec36f51
MSFT                          1604a336-abfc-4ffe-a7e7-bf277ec36f51
BC                            1604a336-abfc-4ffe-a7e7-bf277ec36f51
ML                            1604a336-abfc-4ffe-a7e7-bf277ec36f51
IQ                            1604a336-abfc-4ffe-a7e7-bf277ec36f51
MS1                           1604a336-abfc-4ffe-a7e7-bf277ec36f51
MSDN                          1604a336-abfc-4ffe-a7e7-bf277ec36f51
MO                            1604a336-abfc-4ffe-a7e7-bf277ec36f51
Agile-BI-Azure-Subscription-2 1604a336-abfc-4ffe-a7e7-bf277ec36f51
Visual Studio Enterprise      1604a336-abfc-4ffe-a7e7-bf277ec36f51
ASC DEMO                      1604a336-abfc-4ffe-a7e7-bf277ec36f51
Contoso IT - demo             1604a336-abfc-4ffe-a7e7-bf277ec36f51
TORMTC                        1604a336-abfc-4ffe-a7e7-bf277ec36f51
IAAS                          31f660a5-192a-4db3-92ba-ca424f1b259e
PCL                           31f660a5-192a-4db3-92ba-ca424f1b259e
W                             31f660a5-192a-4db3-92ba-ca424f1b259e
MSFT                          31f660a5-192a-4db3-92ba-ca424f1b259e
BC                            31f660a5-192a-4db3-92ba-ca424f1b259e
ML                            31f660a5-192a-4db3-92ba-ca424f1b259e
IQ                            31f660a5-192a-4db3-92ba-ca424f1b259e
MS1                           31f660a5-192a-4db3-92ba-ca424f1b259e
MSDN                          31f660a5-192a-4db3-92ba-ca424f1b259e
MO                            31f660a5-192a-4db3-92ba-ca424f1b259e
Agile-BI-Azure-Subscription-2 31f660a5-192a-4db3-92ba-ca424f1b259e
Visual Studio Enterprise      31f660a5-192a-4db3-92ba-ca424f1b259e
ASC DEMO                      31f660a5-192a-4db3-92ba-ca424f1b259e
Contoso IT - demo             31f660a5-192a-4db3-92ba-ca424f1b259e
TORMTC                        31f660a5-192a-4db3-92ba-ca424f1b259e
IAAS                          434e9d2b-d8d3-4bd9-bd27-03b20a16d863
PCL                           434e9d2b-d8d3-4bd9-bd27-03b20a16d863
W                             434e9d2b-d8d3-4bd9-bd27-03b20a16d863
MSFT                          434e9d2b-d8d3-4bd9-bd27-03b20a16d863
BC                            434e9d2b-d8d3-4bd9-bd27-03b20a16d863
ML                            434e9d2b-d8d3-4bd9-bd27-03b20a16d863
IQ                            434e9d2b-d8d3-4bd9-bd27-03b20a16d863
MS1                           434e9d2b-d8d3-4bd9-bd27-03b20a16d863
MSDN                          434e9d2b-d8d3-4bd9-bd27-03b20a16d863
MO                            434e9d2b-d8d3-4bd9-bd27-03b20a16d863
Agile-BI-Azure-Subscription-2 434e9d2b-d8d3-4bd9-bd27-03b20a16d863
Visual Studio Enterprise      434e9d2b-d8d3-4bd9-bd27-03b20a16d863
ASC DEMO                      434e9d2b-d8d3-4bd9-bd27-03b20a16d863
Contoso IT - demo             434e9d2b-d8d3-4bd9-bd27-03b20a16d863
TORMTC                        434e9d2b-d8d3-4bd9-bd27-03b20a16d863
IAAS                          4b30439b-26ef-4016-aa9b-a1dc19acbb8f
PCL                           4b30439b-26ef-4016-aa9b-a1dc19acbb8f
W                             4b30439b-26ef-4016-aa9b-a1dc19acbb8f
MSFT                          4b30439b-26ef-4016-aa9b-a1dc19acbb8f
BC                            4b30439b-26ef-4016-aa9b-a1dc19acbb8f
ML                            4b30439b-26ef-4016-aa9b-a1dc19acbb8f
IQ                            4b30439b-26ef-4016-aa9b-a1dc19acbb8f
MS1                           4b30439b-26ef-4016-aa9b-a1dc19acbb8f
MSDN                          4b30439b-26ef-4016-aa9b-a1dc19acbb8f
MO                            4b30439b-26ef-4016-aa9b-a1dc19acbb8f
Agile-BI-Azure-Subscription-2 4b30439b-26ef-4016-aa9b-a1dc19acbb8f
Visual Studio Enterprise      4b30439b-26ef-4016-aa9b-a1dc19acbb8f
ASC DEMO                      4b30439b-26ef-4016-aa9b-a1dc19acbb8f
Contoso IT - demo             4b30439b-26ef-4016-aa9b-a1dc19acbb8f
TORMTC                        4b30439b-26ef-4016-aa9b-a1dc19acbb8f
IAAS                          633f3069-d670-4419-9fee-2ab4251c88ee
PCL                           633f3069-d670-4419-9fee-2ab4251c88ee
W                             633f3069-d670-4419-9fee-2ab4251c88ee
MSFT                          633f3069-d670-4419-9fee-2ab4251c88ee
BC                            633f3069-d670-4419-9fee-2ab4251c88ee
ML                            633f3069-d670-4419-9fee-2ab4251c88ee
IQ                            633f3069-d670-4419-9fee-2ab4251c88ee
MS1                           633f3069-d670-4419-9fee-2ab4251c88ee
MSDN                          633f3069-d670-4419-9fee-2ab4251c88ee
MO                            633f3069-d670-4419-9fee-2ab4251c88ee
Agile-BI-Azure-Subscription-2 633f3069-d670-4419-9fee-2ab4251c88ee
Visual Studio Enterprise      633f3069-d670-4419-9fee-2ab4251c88ee
ASC DEMO                      633f3069-d670-4419-9fee-2ab4251c88ee
Contoso IT - demo             633f3069-d670-4419-9fee-2ab4251c88ee
TORMTC                        633f3069-d670-4419-9fee-2ab4251c88ee
IAAS                          94c40a73-c82f-47f0-8244-aed167ae33a0
PCL                           94c40a73-c82f-47f0-8244-aed167ae33a0
W                             94c40a73-c82f-47f0-8244-aed167ae33a0
MSFT                          94c40a73-c82f-47f0-8244-aed167ae33a0
BC                            94c40a73-c82f-47f0-8244-aed167ae33a0
ML                            94c40a73-c82f-47f0-8244-aed167ae33a0
IQ                            94c40a73-c82f-47f0-8244-aed167ae33a0
MS1                           94c40a73-c82f-47f0-8244-aed167ae33a0
MSDN                          94c40a73-c82f-47f0-8244-aed167ae33a0
MO                            94c40a73-c82f-47f0-8244-aed167ae33a0
Agile-BI-Azure-Subscription-2 94c40a73-c82f-47f0-8244-aed167ae33a0
Visual Studio Enterprise      94c40a73-c82f-47f0-8244-aed167ae33a0
ASC DEMO                      94c40a73-c82f-47f0-8244-aed167ae33a0
Contoso IT - demo             94c40a73-c82f-47f0-8244-aed167ae33a0
TORMTC                        94c40a73-c82f-47f0-8244-aed167ae33a0
IAAS                          a8d84f34-161b-4927-998e-1a9cafc0444f
PCL                           a8d84f34-161b-4927-998e-1a9cafc0444f
W                             a8d84f34-161b-4927-998e-1a9cafc0444f
MSFT                          a8d84f34-161b-4927-998e-1a9cafc0444f
BC                            a8d84f34-161b-4927-998e-1a9cafc0444f
ML                            a8d84f34-161b-4927-998e-1a9cafc0444f
IQ                            a8d84f34-161b-4927-998e-1a9cafc0444f
MS1                           a8d84f34-161b-4927-998e-1a9cafc0444f
MSDN                          a8d84f34-161b-4927-998e-1a9cafc0444f
MO                            a8d84f34-161b-4927-998e-1a9cafc0444f
Agile-BI-Azure-Subscription-2 a8d84f34-161b-4927-998e-1a9cafc0444f
Visual Studio Enterprise      a8d84f34-161b-4927-998e-1a9cafc0444f
ASC DEMO                      a8d84f34-161b-4927-998e-1a9cafc0444f
Contoso IT - demo             a8d84f34-161b-4927-998e-1a9cafc0444f
TORMTC                        a8d84f34-161b-4927-998e-1a9cafc0444f
IAAS                          b4e19cf5-ed91-44d3-81ce-70c848fa6841
PCL                           b4e19cf5-ed91-44d3-81ce-70c848fa6841
W                             b4e19cf5-ed91-44d3-81ce-70c848fa6841
MSFT                          b4e19cf5-ed91-44d3-81ce-70c848fa6841
BC                            b4e19cf5-ed91-44d3-81ce-70c848fa6841
ML                            b4e19cf5-ed91-44d3-81ce-70c848fa6841
IQ                            b4e19cf5-ed91-44d3-81ce-70c848fa6841
MS1                           b4e19cf5-ed91-44d3-81ce-70c848fa6841
MSDN                          b4e19cf5-ed91-44d3-81ce-70c848fa6841
MO                            b4e19cf5-ed91-44d3-81ce-70c848fa6841
Agile-BI-Azure-Subscription-2 b4e19cf5-ed91-44d3-81ce-70c848fa6841
Visual Studio Enterprise      b4e19cf5-ed91-44d3-81ce-70c848fa6841
ASC DEMO                      b4e19cf5-ed91-44d3-81ce-70c848fa6841
Contoso IT - demo             b4e19cf5-ed91-44d3-81ce-70c848fa6841
TORMTC                        b4e19cf5-ed91-44d3-81ce-70c848fa6841
IAAS                          bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
PCL                           bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
W                             bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
MSFT                          bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
BC                            bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
ML                            bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
IQ                            bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
MS1                           bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
MSDN                          bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
MO                            bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
Agile-BI-Azure-Subscription-2 bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
Visual Studio Enterprise      bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
ASC DEMO                      bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
Contoso IT - demo             bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
TORMTC                        bb99324c-2b39-4c9f-8cc4-e4d7c9f1877d
@tylerd
Copy link
Author

tylerd commented Jun 22, 2018

FYI for anyone that can't wait for the resolution to this, the workaround is:

Get-AzureRmSubscription -TenantId $yourTenantGuid

Also this issue somehow breaks Select-AzureRmSubscription where it does not actually change subscriptions for some reason. Also the workaround here is Select-AzureRmSubscription "name" -TenantId $yourTenantGuid

@tylerd
Copy link
Author

tylerd commented Jun 22, 2018

After debugging the code, the key issue here is that there are multiple places that the code iterates the list of Tenants that the user has access to and re-uses a single Access Token to call the management API for each of the tenants. Which results in repeated values for each tenant.

Access Tokens are inherently Tenant Specific -- If you login using an Access Token, the code should only use the TenantId associated with that Access Token (either through a required parameter, or embedded in the Access Token JWT tid claim)

@cormacpayne cormacpayne added this to the 2018-06-29 milestone Jun 25, 2018
@vladimir-shcherbakov vladimir-shcherbakov self-assigned this Jun 25, 2018
@vladimir-shcherbakov
Copy link
Contributor

@tylerd
What did you put into the $MSFT variable?

@tylerd
Copy link
Author

tylerd commented Jun 28, 2018
edited by vladimir-shcherbakov
Loading

The TenantId GUID for "microsoft.onmicrosoft.com"

@vladimir-shcherbakov
Copy link
Contributor

vladimir-shcherbakov commented Jun 28, 2018
edited
Loading

@tylerd
I got the error when I ran the command:

Connect-AzureRmAccount -AccessToken $token -AccountId $AccountId -TenantId <GUID>

or

$MSFT = <name>.onmicrosoft.com
Connect-AzureRmAccount -AccessToken $token -AccountId $AccountId -TenantId $MSFT

@tylerd
Copy link
Author

tylerd commented Jun 28, 2018
edited
Loading

$MSFT = "72f988bf-86f1-41af-91ab-2d7cd011db47"
$AccountId = "tylerd@microsoft.com" <-- your email address here

@vladimir-shcherbakov
Copy link
Contributor

@tylerd
On my side the cmdlet

Connect-AzureRmAccount -AccessToken $token -AccountId $AccountId -TenantId $tenantId

works if

$authorityName =microsoft.onmicrosoft.com 
$tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47

and errors if

$authorityName =<tenantName>.onmicrosoft.com 
$tenantId=<tenantGUID>

@tylerd
Copy link
Author

tylerd commented Jun 29, 2018

Where are you using $authorityName? I don't see the reference to that veriable anywhere.

Also, it looks like you were able to run Connect-AzureRmAccount but the bug was with Get-AzureRmSubscription

@vladimir-shcherbakov
Copy link
Contributor

vladimir-shcherbakov commented Jun 29, 2018
edited
Loading 

$token = Get-ADALAccessToken -AuthorityName $authorityName -ClientId $clientId -ResourceId $azEnv.ActiveDirectoryServiceEndpointResourceId -RedirectUri $redirectUri

@tylerd
Copy link
Author

tylerd commented Jun 29, 2018

Ok … that does not really address the issue of the Access Token being re-used for Tenants other than the one generating the token.

@vladimir-shcherbakov
Copy link
Contributor

vladimir-shcherbakov commented Jun 29, 2018
edited
Loading

Sorry, clicked the wrong button and closed.

@vladimir-shcherbakov
Copy link
Contributor

Did you try Clear-AzureRmContext -Scope CurrentUser?

@tylerd
Copy link
Author

tylerd commented Jun 29, 2018

Yes

@vladimir-shcherbakov
Copy link
Contributor

@tylerd
I got the repro. Possibly, after I used Clear-AzureRmContext -Scope CurrentUser
Thanks.

@cormacpayne cormacpayne modified the milestones: 2018-06-29, 2018-07-13 Jul 2, 2018
@tylerd
Copy link
Author

tylerd commented Jul 5, 2018

Just realized. This causes an issue in the Cloud Shell also.

PS Azure:\> Get-Command Get-AzureRmSubscription

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-AzureRmSubscription                            0.12.0     AzureRM.Profile.Netcore

@maddieclayton maddieclayton modified the milestones: 2018-07-13, 2018-07-27 Jul 16, 2018
@vladimir-shcherbakov
Copy link
Contributor

A PR has been opened #6621

@tylerd tylerd mentioned this issue Jul 23, 2018
Closed
8 tasks
@markcowl
Copy link
Member

markcowl commented Jul 26, 2018
edited
Loading

So, I think the root cause here was a clash in keys in the context #6489, which is slated for a fix in this release. When this is fixed, we will ensure that this particular scenario is covered.

@markcowl markcowl modified the milestones: 2018-07-27, 2018-08-10 Jul 26, 2018
@tylerd
Copy link
Author

tylerd commented Jul 26, 2018 via email
edited
Loading

@tylerd
Copy link
Author

tylerd commented Jul 27, 2018

Debug Output using AzureRM 6.5.0
psoutput1.txt

@MiYanni MiYanni modified the milestones: 2018-08-10, Backlog Aug 14, 2018
@maddieclayton
Copy link
Contributor

Linking the relevant PR here: #6621. Once we are finished with the NetStandard conversion we will revisit this issue and assign it to a milestone.

@tylerd
Copy link
Author

tylerd commented Aug 31, 2018

Tested release 6.8.1 -- no longer an issue

@tylerd tylerd closed this as completed Aug 31, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vladimir-shcherbakov vladimir-shcherbakov

Labels
Azure PS Team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tylerd @markcowl @cormacpayne @vladimir-shcherbakov @maddieclayton @MiYanni