Description
I tested out the new solution with the updated location parameter. The authentication as well as the role assignment request works just fine. However, not all the subscriptions are possible to query. The error message indicates that either the token has expired (which is certainly not the case) or the scope is wrong, which I can also confirm is not the case, as the subscription exists. Furthermore, I have to assume that the provided entitlements are also valid based on the debug output. The command is valid as well, given that other lookups with other subscriptions work.
Attached I have the full log file with the Debug extension enabled for the plain HTTP visibility.
The log file shows two lookups for two different subscriptions (printed out before the actual execution for visibility).
Issue script & Debug output
# lookup (doesn’t work)
Get-AzRoleAssignment -Scope /subscriptions/**************** -PrincipalId *********-*************** -Verbose -Debug
Environment data
Account 5.2.0
PowerShell 5.1
Module versions
Account 5.2.0
Error output
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 0fa8c9e9-f9f3-41ac-a853-30336b0c01e9
x-ms-correlation-request-id : 0fa8c9e9-f9f3-41ac-a853-30336b0c01e9
x-ms-routing-request-id : GERMANYWESTCENTRAL:20250819T053014Z:0fa8c9e9--***********a853-30336b0c01e9
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: D8E13490E95D4D0C8D-***********467B823A6 Ref B: FRA231050413051 Ref C: 2025-08-19T05:30:14Z
Cache-Control : no-cache
Date : Tue, 19 Aug 2025 05:30:13 GMT
Body:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client 'f****o@*********.com' with object id '125d25e9-***********2cc-36a8c6562504' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/read'
over scope '/subscriptions/580a7cba-473d-4cd3--***********527a16ee1b' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
DEBUG: 07:30:14 - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [Az.Resources], Cmdlet = [Get-AzRoleAssignment]. Returning default value [False].
Confirm
Operation returned an invalid status code 'Forbidden'
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): A
Get-AzRoleAssignment : Operation returned an invalid status code 'Forbidden'
At P:\Documents\activate-azure-pim\activate-azure-pim-1.0.4-20240104\activate-azure-pim.ps1:81 char:5
+ Get-AzRoleAssignment -Scope $scope -PrincipalId $principal_id -Ve ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], ErrorResponseException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
DEBUG: 07:30:39 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [Az.Resources], Cmdlet = [Get-AzRoleAssignment]. Returning default value [True].
DEBUG: 07:30:39 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 07:30:39 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 07:30:39 - No authentication telemetry is found for the current cmdlet with Id edec713e--***********6a-5d8d29fcd554.
DEBUG: AzureQoSEvent: Module: Az.Resources:8.1.0; CommandName: Get-AzRoleAssignment; PSVersion: 5.1.17763.7553; IsSuccess: False; Duration: 00:00:34.3235309; SanitizeDuration: 00:00:00; Exception:
Operation returned an invalid status code 'Forbidden';
DEBUG: 07:30:39 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 07:30:39 - GetAzureRoleAssignmentCommand end processing.
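The AuthorizationFailed body above lumps three conditions into one sentence (stale token, invalid or invisible scope, missing RBAC grant), and the x-ms-failure-cause: gateway header shows the 403 was produced at the ARM front door rather than by the Authorization provider. The helper below is an added example, not code from the issue or from the Az module: it checks each condition separately before retrying the read, assuming Az.Accounts and Az.Resources are installed and Connect-AzAccount has already run, and it passes the principal through the cmdlet's -ObjectId parameter.

```powershell
# Added diagnostic (not part of the issue or the Az module). Assumes Az.Accounts and
# Az.Resources are loaded and a context exists from Connect-AzAccount.
function Test-RoleAssignmentReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$PrincipalId
    )

    $scope = "/subscriptions/$SubscriptionId"
    $ctx   = Get-AzContext
    if (-not $ctx) { throw "No Az context found; run Connect-AzAccount first." }

    # 1. Token for the ARM audience: is it still valid, and which tenant issued it?
    $token = Get-AzAccessToken -ResourceUrl "https://management.azure.com/"

    $result = [ordered]@{
        Scope               = $scope
        ContextTenant       = $ctx.Tenant.Id
        TokenTenant         = $token.TenantId
        TokenExpired        = ($token.ExpiresOn -lt [DateTimeOffset]::UtcNow)
        SubscriptionVisible = $false
        SubscriptionTenant  = $null
        TenantMismatch      = $false
        RoleReadAllowed     = $false
        Detail              = $null
    }

    # 2. Can this context enumerate the subscription at all? If not, the
    #    "or the scope is invalid" branch of the error is the likely one, and a
    #    subscription homed in another tenant than the token's is a common reason.
    $sub = Get-AzSubscription -SubscriptionId $SubscriptionId -ErrorAction SilentlyContinue
    if ($sub) {
        $result.SubscriptionVisible = $true
        $result.SubscriptionTenant  = $sub.TenantId
        $result.TenantMismatch      = ($sub.TenantId -ne $token.TenantId)
    }

    # 3. Only now attempt the read that failed in the issue, capturing the ARM message.
    try {
        $null = Get-AzRoleAssignment -Scope $scope -ObjectId $PrincipalId -ErrorAction Stop
        $result.RoleReadAllowed = $true
    } catch {
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Example call with placeholder ids (constructed, not from the issue):
# Test-RoleAssignmentReadAccess -SubscriptionId '<subscription-id>' -PrincipalId '<object-id>'
```

If TokenExpired is false and SubscriptionVisible is false, the problem is the context (usually the tenant the token was issued for), not the role assignment; if both are fine and RoleReadAllowed is still false, the principal genuinely lacks Microsoft.Authorization/roleAssignments/read at that scope.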