I'm troubleshooting an issue where an app registration is unable to query the subscriptions within an Azure tenant, despite a role assignment granting it access at the tenant root group level. Wondering if there's a straightforward method to run the relevant command, either through CLI or the web interface, to validate this behavior.
Specific test command is: az account management-group list
But I don't see any way to invoke that as a particular user or app, and I already know my own user account has the right permissions, and can run that command. Any suggestions would be appreciated.
Initially, fetch your service principal's ObjectID, which can be found in Enterprise Applications like this:
To check the IAM roles assigned to that app registration, you can use the CLI command below, passing the above ObjectID like this:
principalId="SPObjectID"   # object ID of the service principal (from Enterprise Applications)
az role assignment list --all \
  --query "[?principalId=='$principalId'].{RoleName:roleDefinitionName, Scope:scope, PrincipalID:principalId, PrincipalName:'$(az ad sp show --id $principalId --query displayName -o tsv)'}" \
  --output table
Response:
As @KonTheCat suggested, you can log in as the service principal and connect to Azure by running the CLI command below:
az login --service-principal -u "appID" -p "client_secret" --tenant "tenant.onmicrosoft.com"
Response:
When I ran the CLI command below, I got the list of subscriptions successfully, like this:
az account subscription list
Response:
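As an added example (not the answerer's code and not part of the original post), the Python script below works on the JSON form of the `az role assignment list --all` output used in the answer and walks Azure RBAC scope inheritance (tenant root management group, child management groups, subscription, resource group) to show which roles a service principal effectively holds at a given scope. The object IDs, scopes, assignments and management-group tree are constructed sample data; the `az` commands named in the comments are only where the real data would come from.

```python
"""Offline check of which roles an Azure service principal holds at a given scope.

Added example, not code from the answer above. It reads the JSON that
`az role assignment list --all -o json` prints and applies scope inheritance:
an assignment at a management group is inherited by every subscription and
resource group beneath it. All identifiers below are constructed sample data.
"""
import json

# Constructed tenant root management group scope (real tenants use the tenant ID here).
TENANT_ROOT_MG = "/providers/Microsoft.Management/managementGroups/tenant-root-mg"

# Constructed stand-in for `az role assignment list --all -o json` (fields trimmed).
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": "sp-object-id-0001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": TENANT_ROOT_MG},
    {"principalId": "user-object-id-0002", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-aaaa"},
    {"principalId": "sp-object-id-0001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-bbbb/resourceGroups/rg-app"},
])

# Constructed management-group tree: each scope maps to its parent scope.
# In a real tenant this hierarchy comes from `az account management-group list`.
SAMPLE_PARENTS = {
    "/subscriptions/sub-aaaa": "/providers/Microsoft.Management/managementGroups/mg-prod",
    "/providers/Microsoft.Management/managementGroups/mg-prod": TENANT_ROOT_MG,
    "/subscriptions/sub-bbbb": TENANT_ROOT_MG,
}


def assignments_for_principal(assignments_json, principal_id):
    """Return the assignment records whose principalId matches (GUIDs compare case-insensitively)."""
    wanted = principal_id.lower()
    return [a for a in json.loads(assignments_json) if a["principalId"].lower() == wanted]


def scope_chain(scope, parents):
    """Return `scope` followed by every ancestor scope up to the tenant root management group.

    A resource-group scope is reduced to its subscription by path; subscriptions and
    management groups are climbed through the `parents` map.
    """
    chain = []
    idx = scope.lower().find("/resourcegroups/")
    if idx != -1:
        chain.append(scope)
        scope = scope[:idx]
    while scope:
        chain.append(scope)
        scope = parents.get(scope)
    return chain


def effective_roles(assignments_json, principal_id, target_scope, parents):
    """Roles the principal holds at `target_scope`, directly or inherited from an ancestor scope."""
    ancestors = {s.lower() for s in scope_chain(target_scope, parents)}
    roles = set()
    for a in assignments_for_principal(assignments_json, principal_id):
        if a["scope"].lower() in ancestors:
            roles.add(a["roleDefinitionName"])
    return roles


def explain(assignments_json, principal_id, target_scope, parents):
    """Human-readable verdict, flagging the common app-registration vs. service-principal ID mix-up."""
    if not assignments_for_principal(assignments_json, principal_id):
        return (f"No role assignments for {principal_id}. Check that this is the service "
                "principal's object ID (Enterprise Applications), not the app registration's.")
    roles = effective_roles(assignments_json, principal_id, target_scope, parents)
    if not roles:
        return f"{principal_id} has assignments, but none cover {target_scope}."
    return f"{principal_id} holds {sorted(roles)} at {target_scope}."


if __name__ == "__main__":
    for scope in ("/subscriptions/sub-aaaa", "/subscriptions/sub-bbbb/resourceGroups/rg-app"):
        print(explain(SAMPLE_ASSIGNMENTS_JSON, "sp-object-id-0001", scope, SAMPLE_PARENTS))
    print(explain(SAMPLE_ASSIGNMENTS_JSON, "app-registration-object-id", "/subscriptions/sub-aaaa",
                  SAMPLE_PARENTS))
```

To use it against a real tenant, save `az role assignment list --all -o json` to a file and load it in place of `SAMPLE_ASSIGNMENTS_JSON`. An empty result for the ID you copied is the first thing to check: the app registration and its enterprise application (service principal) are separate objects with different object IDs, and role assignments are made to the service principal.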