The open source PowerShell script here is used to create an Azure AD Application associate it with a new service principal via New-AzureRmADServicePrincipal and then delegate that service principals rights on a target Azure subscription via New-AzureRMRoleAssignment. I have been able to reproduce a periodic timing issue when running the script where the delegation fails with a “PrincipalNotFound” http REST response. The error is inconstant and if I subsequently re-issue the same command it will succeed. I can provide the output of the Azure PowerShell cmdlets with the addition of -Debug -Verbose to the commands to return the raw REST output (ping me directly internal to MSFT please)
In the results, when https://graph.windows.net/{tenant_id}/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal is queried for the service principal, it locates the object and successfully returns attributes "objectId": "e7e918c7-536c-49c1-ac96-f3f80b89bd54". However, when a subsequent call goes to https://management.azure.com//subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleAssignments that call fails with “Principal e7e918c7536c49c1ac96f3f80b89bd54 does not exist in the directory”.
It is my belief that the graph endpoint the service principal create call is going to may be load balanced to a different backend directory instance than the ARM call is querying and potentially suffering from directory version skew until the replication of the object completes.
The open source PowerShell script here is used to create an Azure AD Application associate it with a new service principal via New-AzureRmADServicePrincipal and then delegate that service principals rights on a target Azure subscription via New-AzureRMRoleAssignment. I have been able to reproduce a periodic timing issue when running the script where the delegation fails with a “PrincipalNotFound” http REST response. The error is inconstant and if I subsequently re-issue the same command it will succeed. I can provide the output of the Azure PowerShell cmdlets with the addition of -Debug -Verbose to the commands to return the raw REST output (ping me directly internal to MSFT please)
In the results, when https://graph.windows.net/{tenant_id}/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal is queried for the service principal, it locates the object and successfully returns attributes "objectId": "e7e918c7-536c-49c1-ac96-f3f80b89bd54". However, when a subsequent call goes to https://management.azure.com//subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleAssignments that call fails with “Principal e7e918c7536c49c1ac96f3f80b89bd54 does not exist in the directory”.
It is my belief that the graph endpoint the service principal create call is going to may be load balanced to a different backend directory instance than the ARM call is querying and potentially suffering from directory version skew until the replication of the object completes.