
The errors below occur when executing a DevOps pipeline using a YAML AzureCLI@2 task.

  1. ERROR: Insufficient privileges to complete the operation.
  2. ERROR: argument --assignee-object-id: expected one argument
  - task: AzureCLI@2
    displayName: 'Assign role "Storage Blob Data Contributor" to the task-poll-queued-compliance-jobs1-<env> logic app'
    inputs:
      azureSubscription: ${{ parameters.connectionName }}
      scriptLocation: 'inlineScript'
      scriptType: 'pscore'
      inlineScript: '$assigneeId = (az ad sp list --all --filter "servicePrincipalType eq ''ManagedIdentity'' and displayName eq ''<logic app name>''" | ConvertFrom-Json | select -ExpandProperty id);az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id $assigneeId --scope "/subscriptions/<subscriptionId>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storageaccount>"'

I have tried the following to diagnose and fix the issue.

  1. I have hard coded the $assigneeId value in the YAML and executed the pipeline successfully.

  e.g. az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id "" --scope "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/"

  2. On failed pipeline runs I am able to copy the inline script to be executed from the pipeline logs and run it in an Azure Cloud Shell with no issues.

  3. I tried giving the App Registration that the pipeline uses to connect to Azure the Owner role on the resource group, but this also did not fix the issue.

  • Hi Dean! I assume that your Pipeline is using a Service Connection that is connected to a service principal in Entra ID. Can you verify that this Service Principal has access to perform the "az ad sp list" command? Commented Jul 16, 2024 at 12:01
  • According to the current info, it seems that the App Registration used in your service connection doesn't have enough permission to list SP. You can try to assign it with 'Application Administrator' role of your Azure tenant. Commented Jul 16, 2024 at 12:40
  • @ZiyangLiu-MSFT happy to give App Admin for short term testing but is there a more granular role that it can be assigned to for the long term? Commented Jul 16, 2024 at 14:38
  • thanks @EricQvarnström, do you have any suggestions on how to test the service connection has access to az ad sp list? Commented Jul 16, 2024 at 14:39
  • Hi @Dean, I have tested assigning a system-assigned managed identity (created in a logic app) roles using an application having API permission Application.Read.All and Owner role of the resource group, it works fine. You can check whether you assigned API permission Application.Read.All to the correct application. Commented Jul 23, 2024 at 13:09

1 Answer

Root Cause

According to the current info, the App Registration used in your service connection doesn't have enough permission to list SP.

Solution

Option 1: Assign the App Registration used in your service connection the 'Application Administrator' role of your Azure tenant.

Option 2: Assign the App Registration used in your service connection the API permission Application.Read.All.

Go to your App Registration -> API permissions -> Add a permission -> Microsoft Graph -> Application permissions -> Application -> Application.Read.All -> Grant admin consent for your tenant.

Result: [screenshot of the successful pipeline run]
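The answer fixes the permission side; the script side also deserves hardening, because an empty lookup result is what turns the first error into the second ("expected one argument"). The following bash script is an added example, not code from the question or the answer, and bash is a scriptType the AzureCLI@2 task also accepts. It reads the logic app's system-assigned identity principalId from the ARM resource with az resource show, which needs only read access to the logic app rather than the Graph Application.Read.All permission that az ad sp list requires; it refuses to run the role assignment unless the value is a GUID, so a failed lookup fails the step with a clear message; and it passes --assignee-principal-type so the CLI does not have to resolve the assignee through Graph itself. The resource group, logic app name and scope are placeholders to fill in, and the AZ variable is an assumed override hook so the lookup and assignment functions can be exercised against a stub instead of a live subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answer): least-privilege role
# assignment for a logic app's system-assigned managed identity.
set -eu

# AZ is an assumed override hook: point it at a stub script to test offline.
AZ="${AZ:-az}"

# True only for a single GUID (the shape of an Entra object ID).
# Catches the empty string that caused "expected one argument".
is_guid() {
  printf '%s\n' "$1" | grep -Eqi \
    '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# principalId of the logic app's system-assigned identity, read from the
# ARM resource. Needs Reader on the logic app, no Microsoft Graph permission.
resolve_principal_id() {
  rg="$1"; name="$2"
  "$AZ" resource show --resource-group "$rg" --name "$name" \
    --resource-type Microsoft.Logic/workflows \
    --query identity.principalId -o tsv
}

# Assign Storage Blob Data Contributor on the given scope, but only after the
# object ID has been validated. Returns 1 without calling az on a bad ID.
assign_blob_contributor() {
  principal_id="$1"; scope="$2"
  if ! is_guid "$principal_id"; then
    echo "Could not resolve a managed-identity object ID (got: '$principal_id')" >&2
    return 1
  fi
  # --assignee-principal-type tells the CLI the principal type up front so it
  # does not look the assignee up in Graph before creating the assignment.
  "$AZ" role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$scope"
}

# Pipeline entry point; placeholders are constructed, replace before use.
if [ "${RUN_ROLE_ASSIGNMENT:-0}" = "1" ]; then
  id="$(resolve_principal_id "<resource group>" "<logic app name>")"
  assign_blob_contributor "$id" \
    "/subscriptions/<subscriptionId>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storageaccount>"
fi
```

In the pipeline, set scriptType to bash, keep the service connection's identity at Reader on the logic app plus User Access Administrator (or Owner) on the storage account scope, and export RUN_ROLE_ASSIGNMENT=1; the Graph-level roles from the answer are then not required for this step.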
