Fixed the condition of AAD Query. ActiveDirectoryClient.FilterUsers does not support SPN. Here, UPN is correct. #5203
Conversation
…oes not support SPN. Here, UPN is correct.
|
@darshanhs90 Can you look to see if this change is corect? Also, can one of @takekazuomi or @darshanhs90 add a test to protect this scenario from regressions in the near future? |
|
@takekazuomi Can you add a test case for this |
|
@darshanhs90 I think there are other problems with this cmdlet. EmailAddress option does not search email with AAD Query. Search by UPN. In AAD, UPN and Email are not the same. Especially for MSA account UPN does not match email. Then, the EmailAddress option of Get-AzureRMADUser similarly searches for UPN. What do you think about? |
|
@takekazuomi @darshanhs90 Ping on this issue. |
|
@maddieclayton I'm still working for unit test code. Workaround It's not so smart because it depends confused specification. But it works. |
|
from: @seanbamsft "That’s one of the bugs. The other mentioned below is that it removed our query for “/me” when creating vaults (the change on 207). Also, line 253 is wrong as it only checks the primary email address and the previous code also checked OtherMails (this one prevents me from adding myself to access policies by my normal email address)." |
|
@RandalliLama I think this is a problem. |
|
@takekazuomi I agree this is a problem. However, it appears that their might be a work around. It looks like the API returns a list of all the users found that have a match on either UPN or Mail. Can we filter that list to only those that have a match on UPN? |
|
@RandalliLama If I queried by email, the result may be more than one case. Email is not guaranteed uniqueness in the directory. When multiple results are obtained, I think Cmdlet should return an error. The current error is hard to understand. This is better to fix the error message. There is another problem when searching by Email. Currently, Get-AzureRmADUser does not return Email. Therefore, a user is no way to check if the corresponding email is not in the directory. If Get - AzureRmADUser returns Email, the users will be able to solve the problem themselves. In an organization account, UPN is often an email, but it is not mandatory. In MSA, UPN and Email are different. Is this correct in such understanding? |
|
@takekazuomi Your understanding is correct. A users email address and UPN do not need to match. I believe that there can be multiple email addresses. In practice however, one of the users email addresses must match the UPN. Many other systems treat them as interchangeable. We can't count on that though. Your last point about MSA probably explains why someone changed the code to include Mail in the UPN search. MSA guest accounts in AAD do not have a UPN as MSA has no concept of UPN. Thus, the only way to look them up is via Email. However, the cmdlet should not second guess the user in my opinion. If the user asked for a UPN search, then that is exactly what the cmdlet should do. If they want to search by Email then let them be explicit about that and only search for Email. If it is useful and deterministic for them to search both fields at the same time, then give them an explicit option to do that. This is why, for example, the Set-AzureKeyVaultAccessPolicy cmdlet has an EmailAddress parameter, and it uses the GetObjectIdByEmail method to find the user. |
|
@markcowl Can you expand on why you are approving? Is @takekazuomi going to open another PR with the rest of the regression fixes? |
|
@RandalliLama We are approving it because it partially fixes the immediate issue, so it is better than the code that is currently shipping. Since you guys didn't have the resources to fix this, we will have to take up the rest of the fix in the next sprint on our team. |
|
@markcowl If we don't have time to do this correctly, then please just revert the change that broke this in the first place. |
|
I have two problems here. That is a problem with EmailAddress option and missing Unit Test.
|
|
I agree that more discussion is necessary. I don't understand exactly why the changes were made that broke this, and so I am not really able to review this properly. I think we should just revert the change that introduced the regressions and then we can review those changes in more depth before applying them. We should not be regressing existing customers for new functionality without wider agreement between our teams. |
|
@RandalliLama KeyVault Cmdlet still a problem, but I think that this PR just fixed a simple mistake. |
|
@RandalliLama As we have discussed, reverting the netcore change is not possible. The choice now is continuing to ship with the current code, or shipping this obvious partial fix. If you think the current code is preferrable, then that's what we will ship. |
|
Closing in favor of: #5334, which makes the same change as well as other KeyVault changes. |
Description
If there are multiple users in the directory, UserPrincipalName will always result in 'Sequence contains more than one element' error.
See #5201 for the reproduction procedure.
This is caused by querying ActiveDirectoryClient.FilterUsers with 'SPN = upn'. 'UPN = upn' is correct.
This checklist is used to make sure that common guidelines for a pull request are followed. You can find a more complete discussion of PowerShell cmdlet best practices here.
General Guidelines
Testing Guidelines
Cmdlet Signature Guidelines
ShouldProcessand haveSupportShouldProcess=truespecified in the cmdlet attribute. You can find more information onShouldProcesshere.OutputTypeattribute if any output is produced - if the cmdlet produces no output, it should implement aPassThruparameter.Cmdlet Parameter Guidelines