
Set-AzureRmKeyVaultAccessPolicy with UPN, Error 'Sequence contains more than one element' #5201

Closed
takekazuomi opened this issue Dec 29, 2017 · 2 comments
Labels: KeyVault · Resource Authorization (AzRole* in Az.Resources) · Service Attention (This issue is responsible by Azure service team.)

Comments


takekazuomi commented Dec 29, 2017

Cmdlet(s)

PowerShell Version

PSVersion 5.1.17063.1000

Module Version

AzureRM.KeyVault 4.0.1

OS Version

10.0.17063.1000
10.0.16299.98

Description

Set-AzureRmKeyVaultAccessPolicy with UPN fails. The UPN was checked with Get-AzureRmADUser.

$ Get-AzureRmADUser

UserPrincipalName                                        DisplayName  Id                                   Type
-----------------                                        -----------  --                                   ----
someone.a@florinalab.com                                 Takekazu Omi e71db5f9-277b-465c-ad0a-xxxxx       User
someone.a_kyrt.in#EXT#@takekazuomikyrt.onmicrosoft.com   Takekazu Omi 8aeafe29-da48-42a9-aa32-xxxxx       User

$ Set-AzureRmKeyVaultAccessPolicy -VaultName 'somekeyvault' -PermissionsToKeys create,list -UserPrincipalName someone.a@florinalab.com
Set-AzureRmKeyVaultAccessPolicy : Sequence contains more than one element
At line:1 char:1
+ Set-AzureRmKeyVaultAccessPolicy -VaultName 'somekeyvault' -Permissio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmKeyVaultAccessPolicy], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultAccessPolicy

Debug Output

$ Set-AzureRmKeyVaultAccessPolicy -VaultName 'somekeyvault' -PermissionsToKeys create,list -UserPrincipalName someone.a@florinalab.com

**snip snip**

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 12/29/2017 10:53:18:  - TokenCache: Serializing token cache with 7 items.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.windows.net/68dae846-2402-4566-b0b1-************/users?api-version=1.6

Headers:
x-ms-client-request-id        : 0412036e-349b-4351-b62f-d912f04ffdce
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
ocp-aad-diagnostics-server-name: fXTBvptYakuPPD2oJlo2tdvSCxkWru00SOZNUHaFWVk=
request-id                    : db67b50a-4acb-4d40-bce9-0dc085be2ac8
client-request-id             : 75712e78-b180-45ed-b40d-06b3b47610f5
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : ****************************************************
X-Content-Type-Options        : nosniff
DataServiceVersion            : 3.0;
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Duration                      : 1244501
Cache-Control                 : no-cache
Server                        : Microsoft-IIS/8.5
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET,ASP.NET
Date                          : Fri, 29 Dec 2017 10:53:16 GMT

Body:
{
  "odata.metadata": "https://graph.windows.net/68dae846-2402-4566-b0b1-************/$metadata#directoryObjects/Microsoft.DirectoryServices.User",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "e71db5f9-277b-465c-ad0a-************",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "assignedLicenses": [],
      "assignedPlans": [],
      "city": null,
      "companyName": null,
      "country": null,
      "creationType": null,
      "department": null,
      "dirSyncEnabled": null,
      "displayName": "Takekazu Omi",
      "employeeId": null,
      "facsimileTelephoneNumber": null,
      "givenName": "Takekazu",
      "immutableId": null,
      "isCompromised": null,
      "jobTitle": null,
      "lastDirSyncTime": null,
      "legalAgeGroupClassification": null,
      "mail": null,
      "mailNickname": "takekazu.omi",
      "mobile": null,
      "onPremisesDistinguishedName": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": null,
      "passwordProfile": null,
      "physicalDeliveryOfficeName": null,
      "postalCode": null,
      "preferredLanguage": null,
      "provisionedPlans": [],
      "provisioningErrors": [],
      "proxyAddresses": [],
      "refreshTokensValidFromDateTime": "2017-12-29T05:51:41Z",
      "showInAddressList": null,
      "signInNames": [],
      "sipProxyAddress": null,
      "state": null,
      "streetAddress": null,
      "surname": "Omi",
      "telephoneNumber": null,
      "usageLocation": null,
      "userIdentities": [],
      "userPrincipalName": "someone.a@florinalab.com",
      "userType": "Member"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "8aeafe29-da48-42a9-aa32-************",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "assignedLicenses": [],
      "assignedPlans": [],
      "city": null,
      "companyName": null,
      "country": null,
      "creationType": null,
      "department": null,
      "dirSyncEnabled": null,
      "displayName": "Takekazu Omi",
      "employeeId": null,
      "facsimileTelephoneNumber": null,
      "givenName": "Takekazu",
      "immutableId": null,
      "isCompromised": null,
      "jobTitle": null,
      "lastDirSyncTime": null,
      "legalAgeGroupClassification": null,
      "mail": null,
      "mailNickname": "someone.a_kyrt.in#EXT#",
      "mobile": null,
      "onPremisesDistinguishedName": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [
        "someone.a@kyrt.in"
      ],
      "passwordPolicies": null,
      "passwordProfile": null,
      "physicalDeliveryOfficeName": null,
      "postalCode": null,
      "preferredLanguage": null,
      "provisionedPlans": [],
      "provisioningErrors": [],
      "proxyAddresses": [],
      "refreshTokensValidFromDateTime": null,
      "showInAddressList": null,
      "signInNames": [],
      "sipProxyAddress": null,
      "state": null,
      "streetAddress": null,
      "surname": "Omi",
      "telephoneNumber": null,
      "usageLocation": "JP",
      "userIdentities": [],
      "userPrincipalName": "someone.a_kyrt.in#EXT#@takekazuomikyrt.onmicrosoft.com",
      "userType": "Member"
    }
  ]
}

Set-AzureRmKeyVaultAccessPolicy : Sequence contains more than one element
At line:1 char:1
+ Set-AzureRmKeyVaultAccessPolicy -VaultName 'somekeyvault' -Permissio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmKeyVaultAccessPolicy], InvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultAccessPolicy

DEBUG: AzureQoSEvent: CommandName - Set-AzureRmKeyVaultAccessPolicy; IsSuccess - False; Duration - 00:00:01.8970008; Exception - System.InvalidOperationException: Sequence contains more than one element
   at System.Linq.Enumerable.SingleOrDefault[TSource](IEnumerable`1 source)
   at Microsoft.Azure.Commands.KeyVault.KeyVaultManagementCmdletBase.GetObjectIdByUpn(String upn)
   at Microsoft.Azure.Commands.KeyVault.KeyVaultManagementCmdletBase.GetObjectId(String objectId, String upn, String email, String spn)
   at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultAccessPolicy.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 7:53:21 PM - SetAzureKeyVaultAccessPolicy end processing.
DEBUG: 7:53:21 PM - SetAzureKeyVaultAccessPolicy end processing.

My simple triage

  1. In the logs, the Graph query doesn't include a condition:
https://graph.windows.net/68dae846-2402-4566-b0b1-************/users?api-version=1.6
  2. With -EmailAddress, it works fine:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'somekeyvault' -PermissionsToKeys create,list -EmailAddress someone.a@florinalab.com
@takekazuomi (Contributor, Author)

Workaround

Use the -EmailAddress option. -EmailAddress uses the AAD UserPrincipalName for the query condition.

https://github.com/Azure/azure-powershell/blob/preview/src/Common/Commands.Common.Graph.RBAC/ActiveDirectory/ActiveDirectoryClient.cs#L190

I doubt whether this is a good design. However, the current code searches by UserPrincipalName in the case of '-EmailAddress'.

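The route a practitioner would take given the triage above, written out as an added example (this is not code from the issue or from the azure-powershell project): resolve the UPN to an objectId yourself with a filtered Get-AzureRmADUser call, refuse to continue unless exactly one directory object matches, and grant the access policy by -ObjectId so that Set-AzureRmKeyVaultAccessPolicy never performs its own unfiltered user lookup. The vault name and UPN are the placeholders from the issue; the read-back of the vault's access policies at the end is an assumed verification step, not something the issue describes.

```powershell
# Added example, not from the original issue. Placeholders from the issue text:
$VaultName = 'somekeyvault'
$Upn       = 'someone.a@florinalab.com'

# Filtered directory lookup: ask AAD for the user with exactly this UPN instead of
# letting the Key Vault cmdlet enumerate /users and pick one.
$user = Get-AzureRmADUser -UserPrincipalName $Upn

# Fail closed: zero or several matches means we must not guess which principal gets access.
if (-not $user) {
    throw "No AAD user found with UPN '$Upn'."
}
if (@($user).Count -ne 1) {
    throw "UPN '$Upn' resolved to $(@($user).Count) directory objects; refusing to guess."
}

# Grant by objectId, and grant only the key permissions that are actually needed.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
                                 -ObjectId $user.Id `
                                 -PermissionsToKeys create,list

# Assumed verification step: read the vault back and confirm exactly one policy entry
# exists for this objectId with the permissions we intended.
$vault  = Get-AzureRmKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $user.Id }
if (@($policy).Count -ne 1) {
    throw "Expected one access policy for objectId $($user.Id), found $(@($policy).Count)."
}
"Granted to $($user.UserPrincipalName) ($($user.Id)); keys: $($policy.PermissionsToKeys -join ',')"
```

Matching on the objectId rather than on a name is deliberate: in the directory dump above both users carry the same DisplayName ("Takekazu Omi"), and the workaround comment notes that -EmailAddress is itself matched against UserPrincipalName, so any lookup that is not an exact UPN filter with a single-result check risks attaching the policy to the wrong principal.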
@markcowl markcowl assigned darshanhs90 and unassigned markcowl Jan 2, 2018
@markcowl markcowl added the Resource Authorization AzRole* in Az.Resources label Jan 2, 2018
@darshanhs90 darshanhs90 added the Policy Azure Resource Policy label Jun 26, 2018
@bsiegel bsiegel added the Service Attention This issue is responsible by Azure service team. label Sep 26, 2018
@LizMS LizMS added KeyVault and removed Policy Azure Resource Policy Graph labels Jun 12, 2019
@isra-fel (Member)

Cannot reproduce on latest Az.
Feel free to reopen if anyone still has the issue.
