
Get-AzContext doesn't always grab the UPN #15181


Closed
FallenHoot opened this issue Jun 4, 2021 · 6 comments
Labels: AAD (AzAd cmdlets in Az.Resources), feature-request (This issue requires a new behavior in the product in order to be resolved.)

Comments

FallenHoot commented Jun 4, 2021

Description

This might be a duplicate, but I'm creating it here for issue tracking. See Azure/Enterprise-Scale#601.

Get-AzContext doesn't always grab the UPN.

#13797

Steps to reproduce

```powershell
# Sign in to Azure from PowerShell; this will redirect you to a web browser for authentication, if required
Connect-AzAccount

# Get the UPN from this:
(Get-AzContext).Account

(Get-AzContext).Account.Id
```
@FallenHoot FallenHoot added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 4, 2021
dingmeng-xue (Member) commented:

Thanks for reporting. The account name may be different from the UPN. We didn't find a clear rule relating the account ID used for login to the UPN from AAD Graph or MS Graph. Is there any official doc?

FallenHoot commented Jun 8, 2021

The only docs I see is the following:
https://docs.microsoft.com/en-us/powershell/module/az.accounts/get-azcontext?view=azps-6.0.0

It looks to be a legacy issue with Get-AzureRmSubscription
#1665

I have asked several people to see if they can reproduce this, but everything works as normal. It might be an issue with Service Principals or Guest Accounts. Will verify with (Get-AzContext).Account.Type

I was told this method works in Bash with no issue.

```bash
# Sign in to the Azure CLI; this will redirect you to a web browser for authentication, if required
az login

# Assign the Owner role at the tenant root scope ("/") as an Owner
# (gets the object ID of the current user from az login).
# -o tsv strips the JSON quotes so the GUID is passed bare; Azure CLI 2.37 and later
# (Microsoft Graph based) return this field as 'id' rather than 'objectId'.
az role assignment create --scope '/' --role 'Owner' \
  --assignee-object-id "$(az ad signed-in-user show --query objectId -o tsv)"
```

@dingmeng-xue dingmeng-xue added the Accounts Issues in Az.Accounts except authentication related label Jun 10, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 10, 2021
@dingmeng-xue dingmeng-xue added this to the Backlog milestone Jun 10, 2021
@dingmeng-xue dingmeng-xue added AAD Graph Deprecating AAD Graph endpoint and removed Accounts Issues in Az.Accounts except authentication related labels Jun 22, 2021
@dingmeng-xue dingmeng-xue added AAD AzAd cmdlets in Az.Resources feature-request This issue requires a new behavior in the product in order be resolved. and removed AAD Graph Deprecating AAD Graph endpoint labels Nov 13, 2021
VeryEarly (Collaborator) commented:

Please try the above suggestion; closing this issue for now.
Feel free to reopen if you have further questions.

adamasmar commented Jun 25, 2022

Oh boy, I really wish this would work using Azure PowerShell. Using Azure CLI as a workaround really doesn't work too well when trying to integrate with other scripts.

In my example, my Microsoft account is linked with my personal e-mail address. It produces a UPN that looks something like
{my email}_gmail.com#EXT#@{my email}gmail.onmicrosoft.com with a user type of Member on the Azure portal.

However, note the results of the following commands using Azure PowerShell:

```powershell
(Get-AzContext).Account.Id
# returns '{my email}@gmail.com'

(Get-AzContext).Account.Type
# returns 'User'
```

I am trying to create a script that assigns Key Vault access policies dynamically to the executing user, but this makes it nearly impossible for this type of account scenario as I don't believe there is any good way to assign it without hardcoding a -UserPrincipalName.

@adamasmar adamasmar reopened this Jun 25, 2022
dingmeng-xue (Member) commented:

@adamasmar, thanks for contacting us. Please try Get-AzADUser -SignedIn. If you still cannot get the expected result, please create a GitHub issue.
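Putting the thread's two suggestions together (resolve the signed-in directory object with Get-AzADUser -SignedIn instead of trusting (Get-AzContext).Account.Id, and drive role and Key Vault assignments by object ID the way the az CLI one-liner does), here is an added PowerShell example. It is not code from this issue, from Enterprise-Scale or from the Az modules. It assumes Az.Accounts, Az.Resources 5.x or later (the Microsoft Graph based version that has -SignedIn) and Az.KeyVault are installed and that Connect-AzAccount has already been run; the function names and the vault name 'kv-example' in the usage comment are placeholders chosen here.

```powershell
# Added example, not code from the issue or from the Az modules. Assumes Az.Accounts,
# Az.Resources 5.x or later (Microsoft Graph based, for Get-AzADUser -SignedIn) and
# Az.KeyVault are installed and Connect-AzAccount has been run.
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault

function Get-OidFromAccessToken {
    # Reads the 'oid' claim from an ARM access token for the current context.
    # No Graph call is involved, so this works for members, guests, service
    # principals and managed identities alike. The value is the object ID in the
    # tenant the token was issued for (the context tenant).
    $t = Get-AzAccessToken -ResourceUrl 'https://management.azure.com/' -ErrorAction Stop
    $raw = $t.Token
    if ($raw -is [securestring]) {
        # Newer Az.Accounts versions return the token as a SecureString
        $raw = [System.Net.NetworkCredential]::new('', $raw).Password
    }
    $payload = $raw.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    $payload += '=' * ((4 - $payload.Length % 4) % 4)                  # restore padding
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($payload))
    ($json | ConvertFrom-Json).oid
}

function Get-SignedInPrincipal {
    # Resolves the directory object behind the current context.
    # (Get-AzContext).Account.Id is only the login name: for an external/guest
    # user it is the home e-mail, not the '..._gmail.com#EXT#@...' UPN, and for a
    # service principal it is the application (client) ID, not the object ID.
    [CmdletBinding()]
    param()

    $ctx = Get-AzContext -ErrorAction Stop
    if (-not $ctx) { throw 'No Az context; run Connect-AzAccount first.' }
    $oid = Get-OidFromAccessToken

    $result = switch ($ctx.Account.Type) {
        'User' {
            # Microsoft Graph /me: the real directory object, real UPN included.
            $u = Get-AzADUser -SignedIn -ErrorAction Stop
            [pscustomobject]@{
                Type = 'User'; ObjectId = $u.Id; UserPrincipalName = $u.UserPrincipalName
                DisplayName = $u.DisplayName; UserType = $u.UserType   # Member or Guest
                LoginId = $ctx.Account.Id
            }
        }
        'ServicePrincipal' {
            # No signed-in user exists for app logins; look the SP up by its appId.
            $sp = Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id -ErrorAction Stop
            [pscustomobject]@{
                Type = 'ServicePrincipal'; ObjectId = $sp.Id; UserPrincipalName = $null
                DisplayName = $sp.DisplayName; UserType = $null; LoginId = $ctx.Account.Id
            }
        }
        default {
            # Managed identity or raw access-token logins: the token claim is enough.
            [pscustomobject]@{
                Type = $ctx.Account.Type; ObjectId = $oid; UserPrincipalName = $null
                DisplayName = $null; UserType = $null; LoginId = $ctx.Account.Id
            }
        }
    }

    if ($result.ObjectId -ne $oid) {
        Write-Warning "Directory lookup returned $($result.ObjectId) but the token oid is $oid; check the context tenant."
    }
    $result
}

function Grant-SignedInPrincipalKeyVaultSecrets {
    # The scenario from the thread: grant the executing identity an access policy
    # without hard-coding -UserPrincipalName. -ObjectId is valid for members,
    # guests and service principals. Vaults using the RBAC permission model reject
    # access policies; use New-AzRoleAssignment on the vault scope for those.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [string[]]$PermissionsToSecrets = @('Get', 'List')
    )
    $p = Get-SignedInPrincipal
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $p.ObjectId `
        -PermissionsToSecrets $PermissionsToSecrets
}

function Grant-SignedInPrincipalTenantRootOwner {
    # PowerShell equivalent of the az CLI one-liner in the thread. Access must be
    # elevated to User Access Administrator at '/' first. Owner at the root scope
    # is extremely broad; prefer a narrower scope unless deploying a landing zone.
    $p = Get-SignedInPrincipal
    New-AzRoleAssignment -ObjectId $p.ObjectId -RoleDefinitionName 'Owner' -Scope '/'
}

# Usage (after Connect-AzAccount):
#   Get-SignedInPrincipal | Format-List
#   Grant-SignedInPrincipalKeyVaultSecrets -VaultName 'kv-example'   # placeholder vault name
```

The token decode is the cheap cross-check: the 'oid' claim is the object ID in the context tenant regardless of how the session was created, so a mismatch against the Graph lookup usually means the context is pointed at a different tenant than the one the caller expects. Assignment cmdlets are kept in separate functions so that resolving the principal never has side effects on its own.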

5 participants