Tags: powershell, azure-pipelines, azure-pipelines-yaml, azure-rbac

Why does my PowerShell variable not get set as expected when executing inline PowerShell in the YAML task AzureCLI@2?


The errors below occur when executing a DevOps pipeline using the YAML AzureCLI@2 task.

  1. ERROR: Insufficient privileges to complete the operation.
  2. ERROR: argument --assignee-object-id: expected one argument
- task: AzureCLI@2
  displayName: 'Assign role "Storage Blob Data Contributor" to the task-poll-queued-compliance-jobs1-<env> logic app'
  inputs:
    azureSubscription: ${{ parameters.connectionName }}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Look up the object id of the logic app's managed identity, then grant it the role on the storage account
      $assigneeId = (az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity' and displayName eq '<logic app name>'" | ConvertFrom-Json | Select-Object -ExpandProperty id)
      az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id $assigneeId --scope "/subscriptions/<subscriptionId>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storageaccount>"

I have tried the following to diagnose and fix the issue.

  1. I have hard coded the $assigneeId value in the YAML and executed the pipeline successfully.

E.g. az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id "" --scope "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/"

  2. On failed pipeline runs I am able to copy the inline script to be executed from the pipeline logs and run it in an Azure Cloud Shell with no issues.

  3. I tried giving the App Registration that the pipeline uses to connect to Azure the Owner role on the resource group, but this also did not fix the issue.


Solution

  • Root Cause

    According to the current info, the App Registration used in your service connection doesn't have enough permission to list service principals.

    Solution

    Option 1: Assign the App Registration used in your service connection the 'Application Administrator' role in your Azure tenant.

    Option 2: Assign the App Registration used in your service connection the API permission Application.Read.All.

    Go to your App Registration -> API permissions -> Add a permission -> Microsoft Graph -> Application permissions -> Application -> Application.Read.All -> Grant admin consent for your tenant.


    Result: (screenshot)
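An added example, not code from the question or the answer above: a pscore inline script for the same AzureCLI@2 task that fails with a clear message when the assignee lookup returns nothing (an empty $assigneeId is what turns into "argument --assignee-object-id: expected one argument", since the parameter is passed with no value), and that offers a second lookup path. Reading identity.principalId off the Logic App resource through ARM needs only read access to that resource, so the pipeline's App Registration does not have to be granted the tenant-wide Application.Read.All Graph permission, which would let it enumerate every application in the directory. The placeholder names, Get-AssigneeIdFromGraph and Get-AssigneeIdFromArm are assumptions made for this example.

```powershell
# Added example (not from the question or the answer). Placeholders in <...>
# are assumptions; replace them with your own values.
$ErrorActionPreference = 'Stop'

$subscriptionId = '<subscriptionId>'
$resourceGroup  = '<resource group>'
$logicAppName   = '<logic app name>'
$storageAccount = '<storageaccount>'

$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# Option A: look up the managed identity through Microsoft Graph, as the original
# inline script does. This requires Application.Read.All (or an equivalent
# directory role) on the service connection's App Registration; otherwise az
# reports "Insufficient privileges to complete the operation".
function Get-AssigneeIdFromGraph {
    param([string]$DisplayName)
    $filter = "servicePrincipalType eq 'ManagedIdentity' and displayName eq '$DisplayName'"
    $json = az ad sp list --all --filter $filter -o json
    if ($LASTEXITCODE -ne 0) {
        throw "az ad sp list failed (exit $LASTEXITCODE); check the Graph permissions of the service connection"
    }
    $sps = @(($json -join "`n") | ConvertFrom-Json)
    if ($sps.Count -ne 1) {
        throw "Expected exactly one managed identity named '$DisplayName', found $($sps.Count)"
    }
    return $sps[0].id
}

# Option B: read the system-assigned identity's principalId from the Logic App
# resource via ARM. Reader on the Logic App (or its resource group) is enough;
# no Graph permission is needed.
function Get-AssigneeIdFromArm {
    param([string]$SubscriptionId, [string]$ResourceGroup, [string]$Name)
    $resourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Logic/workflows/$Name"
    $principalId = az resource show --ids $resourceId --query identity.principalId -o tsv
    if ($LASTEXITCODE -ne 0) {
        throw "az resource show failed (exit $LASTEXITCODE) for $resourceId"
    }
    if ([string]::IsNullOrWhiteSpace($principalId)) {
        throw "Logic App '$Name' has no system-assigned managed identity"
    }
    return $principalId.Trim()
}

$assigneeId = Get-AssigneeIdFromArm -SubscriptionId $subscriptionId -ResourceGroup $resourceGroup -Name $logicAppName
# Alternatively: $assigneeId = Get-AssigneeIdFromGraph -DisplayName $logicAppName

# Guard right before use so an empty value never reaches --assignee-object-id.
if ([string]::IsNullOrWhiteSpace($assigneeId)) {
    throw 'assigneeId is empty; refusing to create the role assignment'
}

# --assignee-principal-type tells az the object type up front, so it does not
# need a Graph lookup of its own to resolve the object id.
az role assignment create `
    --role 'Storage Blob Data Contributor' `
    --assignee-object-id $assigneeId `
    --assignee-principal-type ServicePrincipal `
    --scope $scope `
    -o none
if ($LASTEXITCODE -ne 0) {
    throw "az role assignment create failed (exit $LASTEXITCODE)"
}
Write-Host "Assigned 'Storage Blob Data Contributor' to $assigneeId on $scope"
```

Both lookups check $LASTEXITCODE explicitly because a failing native command does not stop a PowerShell script on its own, which is how the original script carried an empty $assigneeId into the second command. If you keep the Graph lookup, grant the permission to the service connection's App Registration and have an administrator consent to it, as the answer describes; if the ARM lookup is enough for you, the pipeline identity stays limited to the resources it actually manages.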