Get-AzSubscription command should display warning or fail if non-default tenant id is given when MSI auth is being used #25710

Open
@jikuja

Description

This issue happens only when a managed service identity is being used.

If the user inputs a tenant ID that does not match the default context tenant ID, the command silently ignores the user input and does nothing:

    if (DefaultContext.Account.Type.Equals("ManagedService"))
    {
        if (TenantId == null)
        {
            TenantId = DefaultContext.Tenant.Id;
        }
        if (TenantId.Equals(DefaultContext.Tenant.Id))
        {
            var subscriptions = _client.ListSubscriptions(TenantId);
            WriteSubscriptions(subscriptions);
        }
    }

When using other authentication methods, -tenantId allows using a tenant name. For script portability, that should also be supported with managed service authentication.

If tenant names cannot be used with managed service authentication, the command should at least warn about unexpected input instead of silently doing nothing.

Issue script & Debug output

N/A

Environment data

PS /home/janne> $PSVersionTable                                           

Name                           Value
----                           -----
PSVersion                      7.4.3
PSEdition                      Core
GitCommitId                    7.4.3
OS                             CBL-Mariner/Linux
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.1                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.1.0                 Az.Compute                          {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnattendContent, Add-AzVMD…
Script     7.8.0                 Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayB…
Script     7.2.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzD…
Script     7.1.0                 Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyActio…
Script     1.1.3                 Az.Tools.Predictor                  {Disable-AzPredictor, Enable-AzPredictor, Open-AzPredictorSurvey, Send-AzPred…
Script     0.0.0.10              AzureAD.Standard.Preview            {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredOwner, Add-AzureADDe…
Script     0.9.3                 AzurePSDrive

Error output

N/A
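
A caller-side guard for the behaviour reported above, as an added example (not code from Az.Accounts or from the issue author). The function name Get-AzSubscriptionChecked is hypothetical; it assumes the Az.Accounts module is loaded and a context exists, and it uses only Get-AzContext and Get-AzSubscription. It matters most in inventory or audit scripts, where an empty result would otherwise read as "no subscriptions in that tenant".

```powershell
# Added example: hypothetical wrapper, not part of Az.Accounts.
function Get-AzSubscriptionChecked {
    [CmdletBinding()]
    param(
        # Tenant ID (or, for non-MSI logins, tenant name) requested by the caller.
        [string] $TenantId
    )

    $context = Get-AzContext
    if ($null -eq $context) {
        throw 'No Azure context found. Run Connect-AzAccount first.'
    }

    $isManagedIdentity = $context.Account.Type -eq 'ManagedService'
    $defaultTenantId   = $context.Tenant.Id

    # Under managed identity the cmdlet only lists subscriptions when the
    # requested tenant equals the default context tenant. Any other value,
    # including a tenant name, produces no output and no error, so fail
    # loudly here instead of returning an empty list.
    if ($isManagedIdentity -and $TenantId -and ($TenantId -ne $defaultTenantId)) {
        throw ("Managed identity context is bound to tenant '{0}', but '{1}' " +
               'was requested. Get-AzSubscription would return nothing.') -f
               $defaultTenantId, $TenantId
    }

    # Pass -TenantId only when the caller supplied one.
    $params = @{}
    if ($TenantId) { $params['TenantId'] = $TenantId }

    $subscriptions = @(Get-AzSubscription @params)

    # Make a genuinely empty result visible in logs rather than silent.
    if ($subscriptions.Count -eq 0) {
        Write-Warning ("Get-AzSubscription returned no subscriptions for " +
                       "account type '$($context.Account.Type)'.")
    }

    return $subscriptions
}
```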

Labels

- Authentication
- Azure PS Team
- Tracking: We will track status and follow internally
- bug: This issue requires a change to an existing behavior in the product in order to be resolved.
- customer-reported
- good first issue: Issues suited for folks who want to help for the first time.
