Error trying to create Azure Role Assignment

I have what I thought was a simple issue - I need to add users in my Azure AD Org to a role (“reader”) in the portal. This has proven to not be very simple… There seems to be something different in the powershell environment when the deploy process (“Run an Azure PowerShell Script”) runs. The service principal being used is a subscription owner in the portal and I have many other scripts in this process that are running just fine.

Here is the snippet from my script:

```powershell
$PortalEmailArray = "[testemail1]", "[testemail2]"
$AzureAccessGroup = "Reader"
$SubscriptionScope = "/subscriptions/#{AzureSubscriptionID}"   # #{...} is substituted by Octopus at deploy time

foreach ($email in $PortalEmailArray)
{
    try
    {
        Write-Host "Adding $AzureAccessGroup access for $email..."
        # -ErrorAction Stop makes sure a non-terminating error still lands in the catch block
        New-AzureRmRoleAssignment -SignInName $email -RoleDefinitionName $AzureAccessGroup -Scope $SubscriptionScope -ErrorAction Stop
        Write-Host "Added $email to $AzureAccessGroup group in Azure portal..."
    }
    catch
    {
        # Write-Host emits nothing to the pipeline, so format the exception first, then write it to the host
        $_.Exception | Format-List -Force | Out-String | Write-Host
    }
}
```

Here is the error I get currently:

System.Collections.Generic.KeyNotFoundException: The provided information does not map to an AD object id.
at Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.ActiveDirectoryClient.GetObjectId(ADObjectFilterOptions options)
at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()

Here is the version of Powershell on my machine and the:

PSVersion 5.0.10586.494

And I have the Octopus.Action.Azure.UseBundledAzurePowerShellModules variable set to false so that this updated version of Powershell runs on the deploy server as well.

This command works in my powershell console and in the powershell console on the deploy machine when I RDP to it.

Any pointers or tips would be appreciated. Hopefully, I’m just missing something silly…

David

UPDATE - I tested this while using the Octopus Deploy Service Principal account and got the same error in my powershell console. So, the issue is related to which account is current. The service principal is an “owner” in the Azure portal.

Still no solution though…

Hi David,

Thanks for getting in touch. I can’t think of anything obvious going on there, I’m sorry. The only thing I can think of is that the problem is in the Azure<->AD link. Does your Octopus Service Principal have the appropriate permissions in AD? AD rights and Azure ownership are independent.

I’d also try looking up an explicit AD user ObjectId and testing out New-AzureRmRoleAssignment -ObjectId dc9fe0ee-user-guid-here-94ccbb05fd04 -RoleDefinitionName Reader -Scope /subscriptions/7f3a1172-sub-guid-here-bcbae5157bc2 at the command line, as that error does show up when it can’t find the given SignInName. And can you look up users with the Get-AzureRmADUser cmdlet, which is presumably going to require similar permissions?

Not an answer I’m afraid, but perhaps something to help you in debugging.

Regards,
Mark
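One way to follow Mark's suggestion end to end, as an added example that is not from the thread or from Octopus: resolve each sign-in name to a directory ObjectId with Get-AzureRmADUser first, print which identity the script is actually running as, and only then call New-AzureRmRoleAssignment -ObjectId. It assumes the AzureRM module discussed above (with Get-AzureRmADUser's -UserPrincipalName and -Mail parameters); the placeholder emails and the #{AzureSubscriptionID} Octopus variable are taken from David's snippet.

```powershell
# Resolve sign-in names to ObjectIds up front: a failed lookup here is the same condition that
# New-AzureRmRoleAssignment -SignInName reports as "does not map to an AD object id",
# but it is surfaced per user, together with the identity that performed the lookup.
$PortalEmailArray  = "[testemail1]", "[testemail2]"   # placeholder sign-in names from the thread
$AzureAccessGroup  = "Reader"
$SubscriptionScope = "/subscriptions/#{AzureSubscriptionID}"

function Resolve-AdUserObjectId
{
    param([Parameter(Mandatory)][string]$SignInName)

    # Member accounts are normally found by UPN; guest (B2B) accounts often carry a UPN of the
    # form user_domain.com#EXT#@tenant.onmicrosoft.com, so fall back to the mail attribute.
    $user = Get-AzureRmADUser -UserPrincipalName $SignInName -ErrorAction SilentlyContinue
    if (-not $user) { $user = Get-AzureRmADUser -Mail $SignInName -ErrorAction SilentlyContinue }
    if (-not $user) { return $null }
    return $user.Id
}

# The same command can succeed interactively and fail under a service principal that has
# subscription Owner rights but no directory read permission, so show who is running this.
$ctx = Get-AzureRmContext
Write-Host "Running as '$($ctx.Account.Id)' in tenant '$($ctx.Tenant.Id)'"

foreach ($email in $PortalEmailArray)
{
    $objectId = Resolve-AdUserObjectId -SignInName $email
    if (-not $objectId)
    {
        Write-Warning "Could not resolve '$email' in the directory as '$($ctx.Account.Id)'. Check the sign-in name and whether this identity may read directory data."
        continue
    }

    # Skip users who already hold the role at this scope; re-assigning raises a conflict error.
    $existing = Get-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $AzureAccessGroup -Scope $SubscriptionScope -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "'$email' already has $AzureAccessGroup at $SubscriptionScope"; continue }

    try
    {
        New-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $AzureAccessGroup -Scope $SubscriptionScope -ErrorAction Stop | Out-Null
        Write-Host "Granted $AzureAccessGroup to '$email' (ObjectId $objectId)"
    }
    catch
    {
        Write-Host "Failed to grant $AzureAccessGroup to '$email':"
        $_.Exception | Format-List -Force | Out-String | Write-Host
    }
}
```

Running this both in an interactive console and under the Octopus service principal makes it clear whether the gap is the sign-in name itself or the service principal's lack of directory read rights.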
