Description
I manage multiple tenants, and I am trying to query each tenant using the 'Microsoft.CostManagement' API for the type 'generateCostDetailsReport'. My account has the correct role, 'Cost Management Reader'. But when running from Cloud Shell in my home tenant I always get 0.0 for pricing. If I connect to the client tenant's Azure portal (using switch) and run Cloud Shell there, it works.
Decoding the JWT returned by 'Get-AzAccessToken', I can see that in my home tenant the tid always stays as my home tenant ID regardless of whether I provide a tenant ID GUID. However, in my client's tenant the tid does update to their GUID, along with the iss.
We are using Azure Lighthouse to delegate the role. The fact that I can get all the cost details working as long as I switch in the Azure portal, without inviting myself as a guest, says to me it's not a permission issue but a context issue.
Am I using the commands wrong? How do I get the issuer to change to that of my client's tenant, so that the tid of the JWT updates as a result?
I am at a bit of a loss. I would really like to keep Azure Lighthouse and then allocate an identity of the automation account to Lighthouse with the 'Cost Management Reader' role, but that too comes back with all the data except the price. I think the JWT being created is wrong, and that it has something to do with the tid never changing from my home tenant ID when setting context.
Issue script & Debug output
connect-azaccount -tenant '89<redacted>45' -Identity -Subscription '44<redacted>b5'
DEBUG: 10:40:57 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'ManagedServiceLogin'.
DEBUG: 10:40:57 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:40:57 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 10:40:57 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 10:40:57 PM - Using Autosave scope 'CurrentUser'
DEBUG: 10:40:57 PM - [ManagedServiceIdentityAuthenticator] Calling ManagedIdentityCredential.GetTokenAsync - TenantId:'89<redacted>45', Scopes:'https://management.core.windows.net/', UserId:''
DEBUG: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://management.core.windows.net/ ] ParentRequestId:
========================= HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/44<redacted>b5?api-version=2021-01-01
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Body:
{
  "id": "/subscriptions/44<redacted>b5",
  "authorizationSource": "RoleBased",
  "managedByTenants": [
    {
      "tenantId": "5a<redacted>7d"
    }
  ],
  "subscriptionId": "44<redacted>b5",
  "tenantId": "89<redacted>45",
  "displayName": "<redacted>",
  "state": "Enabled",
  "subscriptionPolicies": {
    "locationPlacementId": "<redacted>",
    "quotaId": "<redacted>",
    "spendingLimit": "Off"
  }
}
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
<redacted> <redacted> 89<redacted>45 AzureCloud
Get-AzAccessToken
# decode JWT to find that tid is not set to the tenant given in authentication. TenantId returned from this command is correct though.
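A repeatable way to make the check described in the comment above, as an added example that is not part of the issue: request a token for a given tenant, decode the JWT payload, and compare the tid/iss claims with the tenant Az.Accounts reports. It assumes an existing Connect-AzAccount session; the function names and the '<client-tenant-guid>' value are placeholders.

```powershell
# Added example: verify which tenant actually issued the token Az is using.
# Assumes Connect-AzAccount has already been run (user or -Identity login).

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-AzTokenTenant {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)
    # Ask Az.Accounts for an ARM token scoped to the requested tenant
    $tok    = Get-AzAccessToken -TenantId $ExpectedTenantId -ResourceUrl 'https://management.azure.com/'
    $claims = ConvertFrom-JwtPayload -Jwt $tok.Token
    [pscustomobject]@{
        RequestedTenant = $ExpectedTenantId
        ReportedTenant  = $tok.TenantId           # what Get-AzAccessToken reports
        TokenTid        = $claims.tid             # what the token itself carries
        TokenIssuer     = $claims.iss
        TidMatches      = ($claims.tid -eq $ExpectedTenantId)
    }
}

# Placeholder GUID: replace with the delegated (client) tenant ID
Test-AzTokenTenant -ExpectedTenantId '<client-tenant-guid>'
```

Under an Azure Lighthouse delegation the token is issued by the managing (home) tenant and ARM authorizes the request through the delegation, so a tid that stays on the home tenant is the normal shape of that token rather than a sign it is malformed.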
Environment data
$psversiontable
Name Value
---- -----
PSVersion 7.4.0
PSEdition Core
GitCommitId 7.4.0
OS CBL-Mariner/Linux
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
Get-Module Az*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.15.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear…
Script 7.1.0 Az.Compute {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnatten…
Script 7.1.0 Az.Network {Add-AzApplicationGatewayAuthenticationCertificate, Add-Az…
Script 6.12.1 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDeny…
Script 6.0.1 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountMa…
Script 1.1.3 Az.Tools.Predictor {Disable-AzPredictor, Enable-AzPredictor, Open-AzPredictor…
Script 0.0.0.10 AzureAD.Standard.Preview {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredO…
Script 0.9.3 AzurePSDrive…
Error output
null