Whilst sorting out some permissions on a resource group I stumbled across an issue with assigning them to a group. We have a replicated on-premises Active Directory and Azure Active Directory setup. In the on-premises AD not all groups are distribution groups, so they don't have a 'group1@contoso.com' style sign-in name for -SignInName to match against. This causes a problem when trying to assign a role the usual PowerShell way:
New-AzureRmRoleAssignment -SignInName 'group1@contoso.com' -RoleDefinitionName Contributor -ResourceGroupName MyRg

or

New-AzureRmRoleAssignment -SignInName 'group1' -RoleDefinitionName Contributor -ResourceGroupName MyRg

Both return a nice red error message:

New-AzureRmRoleAssignment : The provided information does not map to an AD object id.
At line:1 char:1
+ New-AzureRmRoleAssignment -SignInName group1@contoso.com -RoleD ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmRoleAssignment], KeyNotFoundException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
The workaround is to skip the sign-in name lookup altogether: resolve the group to its Azure AD object id (which every group has, mail-enabled or not) and pass that to the -ObjectId parameter instead:

$objectid = (Get-AzureRmADGroup -DisplayName "Our Developers").Id
New-AzureRmRoleAssignment -ObjectId $objectid -RoleDefinitionName Contributor -ResourceGroupName MyRg

Just another one of those little oddities that crop up when you've got a long established infrastructure that doesn't quite fit the modern templates 😉
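As an added example (this is not code from the original post), here is how I would wrap that ObjectId workaround so it fails safely rather than granting Contributor to the wrong principal. Two things the one-liner above does not guard against: Azure AD display names are not unique, so Get-AzureRmADGroup -DisplayName can return more than one group and the .Id of an array is not what you want; and if the assignment already exists (for example it was created in the portal) New-AzureRmRoleAssignment errors out. The function resolves the resource group's ResourceId to compare scopes exactly, because Get-AzureRmRoleAssignment also returns assignments inherited from the subscription. It assumes the AzureRM modules are loaded and Connect-AzureRmAccount has already been run against the right tenant and subscription; the function and parameter names are my own.

```powershell
# Added example, not part of the original post. Assumes an existing AzureRM session
# (Connect-AzureRmAccount) with rights to read Azure AD groups and write role assignments.
function Grant-GroupRoleOnResourceGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDisplayName,
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        # Default to the least privileged role that does the job; Contributor only if you need it.
        [string] $RoleDefinitionName = 'Reader'
    )

    # Validate the target scope first. Get-AzureRmResourceGroup throws if the RG does not exist,
    # and its ResourceId is the exact scope string a resource-group-level assignment carries.
    $rg = Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction Stop
    $scope = $rg.ResourceId

    # Resolve the group by display name. -DisplayName is an exact match, but display names are
    # not unique in Azure AD, so refuse to continue unless exactly one group comes back.
    $groups = @(Get-AzureRmADGroup -DisplayName $GroupDisplayName -ErrorAction Stop)
    if ($groups.Count -eq 0) {
        throw "No Azure AD group with display name '$GroupDisplayName' was found."
    }
    if ($groups.Count -gt 1) {
        $ids = ($groups | ForEach-Object { $_.Id }) -join ', '
        throw "Display name '$GroupDisplayName' is ambiguous (object ids: $ids). Pass the ObjectId you mean."
    }
    $objectId = $groups[0].Id

    # Make the call idempotent: filter on Scope so an inherited subscription-level assignment
    # is not mistaken for one that already exists on this resource group.
    $existing = Get-AzureRmRoleAssignment -ObjectId $objectId -ResourceGroupName $ResourceGroupName `
                    -RoleDefinitionName $RoleDefinitionName -ErrorAction SilentlyContinue |
                Where-Object { $_.Scope -eq $scope }
    if ($existing) {
        Write-Verbose "'$GroupDisplayName' ($objectId) already has $RoleDefinitionName on $scope; nothing to do."
        return $existing
    }

    # -WhatIf lets you review what would be granted, to whom, and at which scope before committing.
    if ($PSCmdlet.ShouldProcess("$RoleDefinitionName on $scope", "Grant to group '$GroupDisplayName' ($objectId)")) {
        New-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleDefinitionName -Scope $scope -ErrorAction Stop
    }
}

# Usage: dry run first, then the real thing. Group and resource group names are placeholders.
Grant-GroupRoleOnResourceGroup -GroupDisplayName 'Our Developers' -ResourceGroupName 'MyRg' -RoleDefinitionName 'Contributor' -WhatIf
Grant-GroupRoleOnResourceGroup -GroupDisplayName 'Our Developers' -ResourceGroupName 'MyRg' -RoleDefinitionName 'Contributor' -Verbose
```

Before running it for real it is worth eyeballing who is actually in the group, since a synced on-premises group is managed by whoever owns it in AD, not by you in Azure: Get-AzureRmADGroupMember -GroupObjectId $objectId shows the membership the role will apply to.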
Cris
This solved my issue! Actually, when I run this it says the role has been granted already, which I did via the portal. Thanks.
Stuart Moore
Excellent, always good to hear people find these things useful