Default tenant selection is broken if account is guest in another tenant and default context is set to guest tenant #762

Closed
Gregoryincludia opened this issue Oct 2, 2024 · 4 comments
Labels
bug Something isn't working

Comments

Gregoryincludia commented Oct 2, 2024

Describe the bug
Default context is not properly chosen again if the account is a guest account in several tenants.

To Reproduce
Make sure your Azure account is a guest in another tenant and run BuildDeployment-Plan.

Expected behavior
Shall work

Screenshots
PS C:\repo\azure-policies-infra> get-azContext | fl

Name               : InfoSec Subscription - Production (43909631-37cf-XXXXX-9fdb-706fc002ae5f) - 692216d6-XXXX-41c4-afb6-53159e46b17f - [email protected]
Subscription       : 43909631-37cf-XXXX-9fdb-706fc002ae5f
Account            : [email protected]
Environment        : AzureCloud
Tenant             : 692216d6-XXXX-41c4-afb6-53159e46b17f
TokenCache         : 
VersionProfile     : 
ExtendedProperties : {}

The tenant above is not a guest tenant my account is a member of; it's not my home tenant. Since this is the default context, the rest of the steps fail as a result.

EPAC Version
10.6.0

Gregoryincludia added the bug label Oct 2, 2024

artisticcheese (Contributor) commented

Issue present here: https://github.com/Azure/enterprise-azure-policy-as-code/blob/75a8c580318fe8e0400335b285e6bd00f80de9dd/Scripts/Helpers/Set-AzCloudTenantSubscription.ps1#L12C1-L13C1

This shall be: Get-AzSubscription | Where-Object TenantId -eq $TenantId | Select-Object -First 1 | Set-AzContext

In my case, I have access to the same subscription through 2 different tenants, and based on the original code the first one is chosen, which is an incorrect selection since the subscription is in a different tenant compared to AzContext.

PS C:\repo\azure-policies-infra> Get-AzSubscription  | where name -eq "InfoSec Subscription - Production" |  select name, HomeTenantId, tenantid

Name                              HomeTenantId                         TenantId
----                              ------------                         --------
InfoSec Subscription - Production 79c33897-92ad-8c26b93e2199 692216d6-afb6-53159e46b17f
InfoSec Subscription - Production 79c33897-92ad-8c26b93e2199 79c33897-92ad-8c26b93e2199
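
The tenant-matching selection described in the comment above, written out as an added example that is not EPAC's own code (the function name `Set-TenantScopedContext`, the `-SubscriptionName` parameter and the post-selection check are assumptions made here). It assumes Az.Accounts is installed and `Connect-AzAccount` has already been run; it filters the subscription list by the tenant EPAC is deploying to instead of taking the first entry, and then verifies that the resulting context really is in that tenant, so a context sitting in a guest tenant is caught before any later step runs against it:

```powershell
# Added example (not EPAC's code): choose the subscription entry whose TenantId matches
# the target tenant, rather than the first entry Get-AzSubscription happens to return.
# A subscription reachable through several tenants shows up once per tenant, as in the
# output above, so filtering by TenantId is what makes the selection deterministic.
function Set-TenantScopedContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        # Optional: narrow to one subscription when several are visible in that tenant
        [string] $SubscriptionName
    )

    # -TenantId limits the lookup to that tenant; the extra Where-Object guards against
    # entries whose TenantId still differs (e.g. stale cached entries from a guest tenant).
    $candidates = Get-AzSubscription -TenantId $TenantId |
        Where-Object { $_.TenantId -eq $TenantId }

    if ($SubscriptionName) {
        $candidates = $candidates | Where-Object { $_.Name -eq $SubscriptionName }
    }

    if (-not $candidates) {
        $detail = if ($SubscriptionName) { " named '$SubscriptionName'" } else { '' }
        throw "No subscription$detail is visible in tenant $TenantId for the current account."
    }

    # Several subscriptions in one tenant are possible; pick the first but log the choice
    # so the selection is visible in the deployment log.
    $chosen = $candidates | Select-Object -First 1
    if (@($candidates).Count -gt 1) {
        Write-Warning ("{0} subscriptions match in tenant {1}; using '{2}' ({3})" -f `
            @($candidates).Count, $TenantId, $chosen.Name, $chosen.Id)
    }

    # Pin both subscription and tenant explicitly so the account's home tenant cannot win.
    $null = Set-AzContext -Subscription $chosen.Id -Tenant $TenantId

    # Verify: a context in the wrong tenant would make every later ARM call fail or, worse,
    # target the wrong scope, so fail fast here instead.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId -or $ctx.Subscription.Id -ne $chosen.Id) {
        throw "Context verification failed: expected tenant $TenantId / subscription $($chosen.Id), got tenant $($ctx.Tenant.Id) / subscription $($ctx.Subscription.Id)."
    }
    return $ctx
}

# Usage (placeholder values, not from this issue):
# Set-TenantScopedContext -TenantId '00000000-0000-0000-0000-000000000000' `
#     -SubscriptionName 'InfoSec Subscription - Production'
```

The function only illustrates the `Where-Object TenantId -eq $TenantId` logic proposed in the comment; the documented EPAC way to handle this situation is the `defaultContext` setting in `global-settings.jsonc` discussed later in the thread.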

anwather (Collaborator) commented Oct 9, 2024

Does using defaultContext in the global-settings.jsonc file help with this?

defaultContext: In rare cases (typically only when deploying to a Lighthouse-managed tenant) the default context (Get-AzContext) of a user/SPN running a plan will be set to a subscription where that user/SPN does not have sufficient privileges. Some checks have been built in so that in some cases when this happens EPAC is able to fix the context issue. When it is not, a defaultContext subscription name must be provided. This can be any subscription within the deploymentRootScope.

artisticcheese (Contributor) commented

Yes, defaultContext fixed it.

artisticcheese (Contributor) commented

You can close the case; the other account that was used is not active anymore.
