Authorization: Bug fix in Get-AzureRMRoleAassignment to filter list of classic admins if user principal has been provided

Author: namratab

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/AuthorizationClient.cs

@@ -136,17 +136,18 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
             List<PSRoleAssignment> result = new List<PSRoleAssignment>();
             ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
 
+            PSADObject adObject = null;
             if (options.ADObjectFilter.HasFilter)
             {
+                adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
+                if (adObject == null)
+                {
+                    throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
+                }
+
                 // Filter first by principal
                 if (options.ExpandPrincipalGroups)
                 {
-                    PSADObject adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
-                    if (adObject == null)
-                    {
-                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
-                    }
-
                     if (!(adObject is PSADUser))
                     {
                         throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
@@ -156,7 +157,7 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                 }
                 else
                 {
-                    parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
+                    parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
                 }
 
                 result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
@@ -190,7 +191,22 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
             {
                 // Get classic administrator access assignments 
                 List<ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList(); 
-                List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList(); 
+                List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
+
+                // Filter by principal if provided
+                if (options.ADObjectFilter.HasFilter)
+                {
+                    if (!(adObject is PSADUser))
+                    {
+                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
+                    }
+
+                    var userObject = adObject as PSADUser;
+                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
+                           c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase) ||
+                           c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase)).ToList();
+                }
+                
                 result.AddRange(classicAdministratorsAssignments);
             }
 

src/ResourceManager/Resources/Commands.Resources/Properties/Resources.Designer.cs

@@ -312,4 +312,7 @@
   <data name="PrincipalNotFound" xml:space="preserve">
     <value>Cannot find principal using the specified options</value>
   </data>
+  <data name="IncludeClassicAdminsNotSupported" xml:space="preserve">
+    <value>IncludeClassicAdministrators is only supported for a User principal</value>
+  </data>
 </root>