Forum Discussion
BUG: AVD Getting started wizard fails if 'Global Administrator' role group contains an Azure AD App
Bug: Getting started wizard fails to 'validate if the supplied AAD account is a Global Administrator' if the Global Administrator role group contains an Azure AD App (svc principal) as one of its members.
Repro:
- Add an Azure App
- Add the App to GA role group
- Run the Getting started Wizard
- GSW will create the Automation account with Validation Runbook, which will fail.
It’s common to have Azure AD Apps (Service Principal) as a member of Global Administrators Role Group. We need help in making the getting started wizard continue to work even if the members of the Global Administrator Role group are non-users.
This is happening while AADDS is being used for Identity, but may happen with all other deployment types.
Below are the two lines that fails in Easy-Button Deploy (Azure Automation Runbook😞
$GlobalAdministratorRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$GlobalAdministratorRoleId = Get-AzureADDirectoryRole | Where-Object { $_.roleTemplateId -eq $GlobalAdministratorRoleTemplateId }
$IsAdminUserGlobalAdministrator = Get-AzureADDirectoryRoleMember -ObjectId $GlobalAdministratorRoleId.ObjectId | Get-AzureADUser | Where-Object { $_.UserPrincipalName -eq $context.Account.Id }
FYI: Already submitted to https://aka.ms/avdgsquestions
Error Message in Easy-Button PowerShell Runbook:
------------------------------------------------------------------------------------------------------------
Get-AzureADUser : Error occurred while executing GetUser
Code: Request_ResourceNotFound
Message: Resource '119ff567-3f2e-4e86-a28f-6449f5ee7644' does not exist or one of its queried reference-property objects are not present.
RequestId: b6603f72-cbdd-421a-9884-4db0ad8a159d
DateTimeStamp: Mon, 11 Oct 2021 06:08:20 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:114
+ ... bjectId $GlobalAdministratorRoleId.ObjectId | Get-AzureADUser | Where ...
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
---------------------------------------------------------------------------------------------------------
'119ff567-3f2e-4e86-a28f-6449f5ee7644' in the above error message is the ObjectID of the Azure Ad App which is returned as one of the members of the Global Administrator Role Group and the validation script doesn't know how to handle that parsed object, it doesn't have UPN, doesn't have other reference-property that a User object would have.
