
CurrentPrincipalId returns home-tenant oid for guest/B2B users, causing incorrect identity in resource tenant #7173

Description

@vhvb1989

Problem

CurrentPrincipalId (in current_principal_id_provider.go) resolves the current user's object ID by:

  1. Calling LookupTenant(subscriptionId) → returns UserAccessTenantId (the user's home tenant)
  2. Calling Graph /me against that tenant → returns the home-tenant oid

For B2B/guest users, the home-tenant oid is different from the guest oid in the resource tenant. All callers that use this principal ID to interact with the resource tenant's ARM APIs receive the wrong identity.

Impact

All callers of CurrentPrincipalId are affected:

| Caller | File | Impact |
|---|---|---|
| Preflight role check | bicep_provider.go:2220 | assignedTo() filter uses wrong oid → false positive warning |
| loadParameters | bicep_provider.go:1800 | AZURE_PRINCIPAL_ID in ARM params → role assignments target wrong principal |
| bicepparam compile | bicep_provider.go:1980 | Same as above |
| Terraform provider | terraform_provider.go:722 | Principal ID in tfvars → wrong identity |
| Key Vault RBAC | cmd/env.go:612 | Role assignment on Key Vault targets wrong principal |

Root Cause

LookupTenant returns sub.UserAccessTenantId (correct for credential creation) but callers also use the same tenant for identity resolution via Graph /me. For guest users:

  • Home tenant → Graph /me returns home-oid (e.g. 4070b897-...)
  • Resource tenant → Graph /me returns guest-oid (different value)

The UserAccessTenantId vs TenantId distinction (account.Subscription model) is documented as:

  • UserAccessTenantId: tenant under which the user authenticates (home tenant)
  • TenantId: tenant that owns the subscription (resource tenant)

Proposed Fix

CurrentPrincipalId (or GetCurrentPrincipalId) should resolve the oid in the resource tenant context when the principal ID will be used for ARM operations in that tenant. This may require:

  1. Calling Graph /me against sub.TenantId instead of sub.UserAccessTenantId, or
  2. Extracting the oid from an ARM token scoped to the resource tenant, or
  3. Providing both oids and letting callers choose

Care must be taken not to break credential creation flows, which correctly use UserAccessTenantId.
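As an added illustration of fix option 2 (not code from azd or from the issue author): the oid is read from an ARM access token and accepted only when the token's `tid` claim equals `sub.TenantId`, so a home-tenant token, which would carry the home oid, is rejected instead of silently producing the wrong identity. The `Subscription` struct, `PrincipalIDForResourceTenant` and `fakeToken` are assumptions made for this example; only the field names `TenantId` and `UserAccessTenantId` come from the issue.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subscription carries the two tenant ids the issue distinguishes (field names from the issue).
type Subscription struct {
	TenantId           string // tenant that owns the subscription (resource tenant)
	UserAccessTenantId string // tenant the user authenticates against (home tenant)
}

// armTokenClaims are the two JWT claims needed to pick the right oid.
type armTokenClaims struct {
	Tid string `json:"tid"` // tenant the token was issued for
	Oid string `json:"oid"` // object id of the principal in that tenant
}

// PrincipalIDForResourceTenant returns the oid claim of an ARM access token, but only
// if the token's tid is the subscription's resource tenant. The signature is not verified:
// the caller just obtained the token from its own credential, so only the claims matter here.
func PrincipalIDForResourceTenant(sub Subscription, accessToken string) (string, error) {
	parts := strings.Split(accessToken, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT: expected three segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims armTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing JWT claims: %w", err)
	}
	if claims.Tid != sub.TenantId {
		// A home-tenant token carries the home oid: exactly the wrong identity the issue describes.
		return "", fmt.Errorf("token tid %q is not resource tenant %q", claims.Tid, sub.TenantId)
	}
	return claims.Oid, nil
}

// fakeToken builds an unsigned JWT with the given claims (constructed test data, not a real token).
func fakeToken(tid, oid string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"tid":%q,"oid":%q}`, tid, oid)))
	return header + "." + body + "."
}
```

With a real credential the token would come from `GetToken` against `sub.TenantId` with the ARM scope; the tid check then guards against a credential that was (correctly, for sign-in) created for `UserAccessTenantId` being reused for identity resolution.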

Labels: area/bicep (Bicep-specific provisioning), area/provisioning (Bicep/Terraform/ADE provisioning), bug (Something isn't working)