Identity not found after successful creation of Service Principal with az cli

Salam ELIAS 112 Reputation points
2024-03-29T08:34:09.9166667+00:00

I created a Service principal using AZ cli

az ad sp create-for-rbac --name eShopSecure-SPcli --role Contributor --scopes /subscriptions/XXXXXXXX-4725-460d-8e3b-XXXXXXXX/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/myKV

for which I got back the appID, password and tenant ID, then I assigned it 2 roles as follows

az role assignment create --assignee-object-id yyyyyyy-847f-4848-8334-yyyyyyyyy --assignee-principal-type ServicePrincipal --role "Key Vault Reader" --scope /subscriptions/XXXXXXX-4725-460d-8e3b-XXXXXXXXX/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/sieracdefenderKV

which also seems successful, as follows

{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2024-03-28T18:17:04.223144+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/f151ee3f-4725-460d-8e3b-82512dfda843/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/sieracdefenderKV/providers/Microsoft.Authorization/roleAssignments/14bb8b87-5cd5-4016-bfb5-319bd40b0746",
  "name": "14bb8b87-5cd5-4016-bfb5-319bd40b0746",
  "principalId": "yyyyyyy-847f-4848-8334-yyyyyyyyy",
  "principalType": "ServicePrincipal",
  "resourceGroup": "msTrialTest",
  "roleDefinitionId": "/subscriptions/XXXXXXXX-4725-460d-8e3b-XXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "scope": "/subscriptions/XXXXXXXX-4725-460d-8e3b-XXXXXXXX/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/sieracdefenderKV",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "8ef0c0eb-860b-47a4-8ae8-8dcb7463dd20",
  "updatedOn": "2024-03-28T18:17:04.647144+00:00"
}

When I visit the IAM blade for keyvault, I see "Unable to find the identity" or identity not found, as you can notice in the snapshot


So what is missing?

Accepted answer
  1. Deepanshu katara 4,825 Reputation points
    2024-04-02T14:13:46.07+00:00

    Hi Salam, as discussed in our call, we have fixed the issue; please find the update below.

    Issue:

    Using az ad sp create-for-rbac to create a service principal with a specific role and then attempting to assign additional roles to the same service principal at the same scope could result in an "identity not found" error.

    Solution:

    We tried creating role assignments using the portal and it worked as expected, so it seems to be some issue with the az role assignment command; maybe it was not working as expected on the platform side, or maybe you were not able to use it correctly.

    Kindly accept the answer. Thanks!


3 additional answers

  1. Deepanshu katara 4,825 Reputation points
    2024-03-29T08:59:44.66+00:00

    Hi, thanks for reaching out to us.

    In the list of role assignments in the Azure portal, you notice that the security principal (user, group, service principal, or managed identity) is listed as Identity not found with an Unknown type. Please check the causes and solutions below.

    Cause 1

    You recently invited a user when creating a role assignment and this security principal is still in the replication process across regions.

    Solution 1

    Wait a few moments and refresh the role assignments list.

    Cause 2

    You deleted a security principal that had a role assignment. If you assign a role to a security principal and then you later delete that security principal without first removing the role assignment, the security principal will be listed as Identity not found and an Unknown type.

    Solution 2

    It isn't a problem to leave these role assignments where the security principal has been deleted. If you like, you can remove these role assignments using steps that are similar to other role assignments. For information about how to remove role assignments, see Remove Azure role assignments. In PowerShell, if you try to remove the role assignments using the object ID and role definition name, and more than one role assignment matches your parameters, you'll get the error message: The provided information does not map to a role assignment. The following output shows an example of the error message:

    Please check this doc for ref --> https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep

    Kindly accept the answer if it helps. Thanks!

    1 person found this answer helpful.

  2. Deepanshu katara 4,825 Reputation points
    2024-04-01T14:19:42.2133333+00:00

    Hi Salam,

    I think I found the issue; please find the complete details below.

    Issue:

    Using az ad sp create-for-rbac to create a service principal with a specific role and then attempting to assign additional roles to the same service principal at the same scope could result in an "identity not found" error

    Cause:

    Scope Limitations: When you create a service principal using az ad sp create-for-rbac with a specific role and scope, it is scoped to that particular role and scope. Attempting to assign additional roles to the same service principal at the same scope may conflict with the initial role assignment.

    Role Conflicts: The roles assigned to a service principal should not conflict with each other or overlap in their permissions. If there are conflicting roles assigned to the service principal, it could lead to issues such as "identity not found" errors.

    Solution:

    The approach to avoid the "identity not found" error due to scope limitations or role conflicts is to create the service principal (az ad sp create) separately and then assign multiple roles to it as needed. This approach allows for more flexibility in managing permissions and role assignments for the service principal.

    1. Create Service Principal: which you have already created with Contributor permissions.
    2. Delete existing roles: now delete both the Key Vault Reader and the Identity not found entries from the resource, and assign roles as below.
    3. Assign roles:

    Once the service principal is created, you can assign multiple roles to it using the az role assignment create command. Specify the service principal's Object ID (--assignee-object-id) and the roles (--role) you want to assign.

    az role assignment create --assignee-object-id <spn-object-id> --role "<role1>" --scope <scope1>
    az role assignment create --assignee-object-id <spn-object-id> --role "<role2>" --scope <scope2>

    By creating the service principal separately and then assigning roles to it, you can better manage permissions, avoid scope limitations, and ensure that the service principal has the necessary permissions to fulfill its roles without encountering errors related to identity resolution.

    NOTE: what went wrong is that in the first step you used this to create the role assignment: "az ad sp create-for-rbac --name eShopSecure-SPcliA2ndD --role "Key Vault Reader" --scopes /subscriptions/XXX4725-460d-8e3b-8rtrdfddd/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/myKV", instead of just using az role assignment create to do the role assignment.

    Please check below doc for ref

    https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#best-practices-for-individual-keys-secrets-and-certificates-role-assignments

    Kindly accept if this helps. Thanks!
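An offline check for the two situations these answers describe: an assignment whose principal was deleted (Cause 2 above), and an assignment created with the appId that az ad sp create-for-rbac prints rather than the service principal's object id, a mix-up the thread does not spell out but which produces the same "Identity not found" entry. This is an added example, not code from the question or the answers; it assumes you export `az role assignment list --all -o json` and `az ad sp list --all -o json` beforehand, and the sample records below are constructed.

```python
"""Offline audit of Azure role assignments whose principalId does not resolve (the
portal's "Identity not found"), over JSON exported beforehand (assumption) with:
  az role assignment list --all -o json > a.json ; az ad sp list --all -o json > sp.json"""
import json

KV = "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1"
# Constructed sample of `az role assignment list` output, trimmed to the fields used here.
ASSIGNMENTS_JSON = json.dumps([
    {"name": "a0000001", "principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Contributor", "scope": KV},
    {"name": "a0000002", "principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Key Vault Reader", "scope": KV},
    {"name": "a0000003", "principalId": "33333333-3333-3333-3333-333333333333", "roleDefinitionName": "Key Vault Reader", "scope": KV},
])
# Constructed sample of `az ad sp list`: "id" is the object id that --assignee-object-id
# expects, while "appId" is the value `az ad sp create-for-rbac` prints as appId.
SPS_JSON = json.dumps([{"id": "11111111-1111-1111-1111-111111111111",
                        "appId": "22222222-2222-2222-2222-222222222222"}])

def audit(assignments, sps):
    """Return (assignment name, finding, correct object id or None) per dangling assignment."""
    object_ids = {sp["id"] for sp in sps}
    oid_by_appid = {sp["appId"]: sp["id"] for sp in sps}
    findings = []
    for ra in assignments:
        pid = ra["principalId"]
        if pid in object_ids:
            continue                                   # resolves, nothing to report
        if pid in oid_by_appid:                        # appId was passed as object id
            findings.append((ra["name"], "appId-used-as-object-id", oid_by_appid[pid]))
        else:                                          # principal deleted or never existed
            findings.append((ra["name"], "orphaned", None))
    return findings

def remediation(assignments, findings):
    """az commands that drop each dangling assignment and re-create it when the real object id is known."""
    by_name = {ra["name"]: ra for ra in assignments}
    cmds = []
    for name, kind, oid in findings:
        ra = by_name[name]
        cmds.append(f'az role assignment delete --ids "{ra["scope"]}'
                    f'/providers/Microsoft.Authorization/roleAssignments/{name}"')
        if kind == "appId-used-as-object-id":
            cmds.append(f'az role assignment create --assignee-object-id {oid} --assignee-principal-type '
                        f'ServicePrincipal --role "{ra["roleDefinitionName"]}" --scope "{ra["scope"]}"')
    return cmds

def run_sample():
    assignments, sps = json.loads(ASSIGNMENTS_JSON), json.loads(SPS_JSON)
    findings = audit(assignments, sps)
    return findings, remediation(assignments, findings)
```

Review the generated commands before running them; deleting an orphaned assignment is harmless, but the re-create step grants the role to the resolved object id.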


  3. Deepanshu katara 4,825 Reputation points
    2024-04-02T11:09:02.96+00:00

    Hi Salam,

    So as per discussion the proposed solution is

    Issue: Using az ad sp create-for-rbac to create a service principal with a specific role and then attempting to assign additional roles to the same service principal at the same scope could result in an "identity not found" error

    Solution:

    az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2

    1. Assign "Key Vault Reader" and "Key Vault Secrets Officer" roles to the Service Principal at the Key Vault level:

    # Assign Key Vault Reader role
    # Assign Key Vault Secrets Officer role

    Please accept if this works, Thanks