Azure CLI v2: "--allow-no-subscriptions" #11846

Closed
ItalyPaleAle opened this issue Nov 26, 2019 · 10 comments · Fixed by #12516

@ItalyPaleAle

I have created a connection to Azure using a Service Principal which is not assigned to any subscription. The SP has permission to make changes only to the Azure AD tenant (I need to run commands like az ad app update only).

When using that connection with the AzureCLI v2 task, the task always fails with the error:

ERROR: No subscriptions were found for '***'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

It doesn't look like there's a way to pass the --allow-no-subscriptions flag.

The workaround for me was to create a new bogus resource group with no resources inside and grant the SP access to that RG so at least it has a subscription. However, there should be a way to have --allow-no-subscriptions.

@bishal-pdMSFT
Contributor

Thanks for raising this issue @ItalyPaleAle. Although this is a valid scenario, we haven't heard this request from the community until now. We would like to gather more feedback before trying to support this scenario.

@ItalyPaleAle
Author

I understand. My purpose in creating this issue was two-fold:

  1. Bring it up so the devs are aware of it.
  2. Write my workaround here in hope it can help others. The workaround is quite simple (albeit not very clean :) ) anyways.

@mbrancato
Contributor

I have the same issue:

There are a number of use cases where we want per-pipeline auth using AzureAD for access to non-Azure resources. ADO and AzureAD are SaaS services, tying them to Azure for authentication of a pipeline seems kinda odd. We need to leverage the JWT of the pipeline to access other services that validate against AzureAD for access.

@bishal-pdMSFT
Contributor

@mbrancato

> we want per-pipeline auth using AzureAD for access to non-Azure resources

This is Azure CLI task and hence it is designed to be used for Azure resources only.

> ADO and AzureAD are SaaS services, tying them to Azure for authentication of a pipeline seems kinda odd. We need to leverage the JWT of the pipeline to access other services that validate against AzureAD for access.

ADO has service connections which can be used to gain access to those services by validating against identity providers (including AAD). Is that not what you can use?

@ItalyPaleAle
Author

> This is Azure CLI task and hence it is designed to be used for Azure resources only.

Azure AD (and Azure DevOps) are Azure resources.

@mbrancato
Contributor

@bishal-pdMSFT

> ADO has service connections which can be used to gain access to those services by validating against identity providers (including AAD). Is that not what you can use?

I think that is exactly what we are trying to do, and so no, it cannot be used unless the service principal is granted access to an Azure Resource Group, which it does not need.

@ItalyPaleAle is correct - the Azure CLI is the CLI for Azure, Azure AD (az ad), and Azure DevOps (az devops).

Just to be clear, when I say non-Azure resources, I mean applications registered in AzureAD that exist in the OAuth environment provided by a paid AzureAD tenant. The pipeline needs to authenticate to AzureAD and obtain a JWT token (az account get-access-token) to participate in the OAuth flow to other registered applications in AzureAD.

@ArindamRayMukherjee

I have the same issue while trying to create a resource group from the build pipeline. The usual AzureResourceGroupDeployment task with ARM templates does not work (another open issue), so I was trying to use the AzureCLI task with an inline script "az group create -l $(location) -n $(resourceGroupName) -s $(azureSubscription)"... And then I hit the same error message as above.

@a-vishar

Any resolution to this? This is currently causing our build pipelines to fail transiently...

@ItalyPaleAle
Author

@a-vishar See my workaround in the first comment. Not a fix, but effective.

@a-vishar

@ItalyPaleAle - It's a transient problem, the management group has access to everything, for some reason it just isn't resolved correctly 1/20 times.
