Description
Describe the bug
Service principals are not returned by az ad group member list.
az ad group member check returns true for service principal in group.
Entra shows service principal in group.
Related command
az ad group member list
Errors
Service principal '7ac4030b-...' is not in response
az ad group member list --group <group-name> --query "[].id"
[
"f12e13ce-...",
"a33dc0df-...",
"52f2c8cd-...",
"4c6834a6-..."
]
Issue script & Debug output
az ad group member list --group --query "[].id" --debug
cli.knack.cli: Command arguments: ['ad', 'group', 'member', 'list', '--group', '', '--query', '[].id', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x000001CB24A18540>, <function OutputProducer.on_global_arguments at 0x000001CB24FA5940>, <function CLIQuery.on_global_arguments at 0x000001CB24FFF880>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.005 17 62
cli.azure.cli.core: Total (1) 0.005 17 62
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 17 groups, 62 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad group member list
cli.azure.cli.core: Command table: ad group member list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000001CB276F5580>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\...\.azure\commands\2026-02-11.11-32-01.ad_group_member_list.50560.log'.
az_command_data_logger: command args: ad group member list --group {} --query {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x000001CB2773AC00>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x000001CB27758F40>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x000001CB27759120>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x000001CB277591C0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000001CB24FA59E0>, <function CLIQuery.handle_query_parameter at 0x000001CB24FFF920>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x000001CB27758FE0>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\...\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\...\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/...
msal.authority: openid_config("https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/.../discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/.../kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/.../oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 3e9fa906-...
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/groups?$filter=displayName%20eq%20%27%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.13.11 (Windows-11-10.0.22631-SP0) AZURECLI/2.83.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': '89449545-...'
cli.azure.cli.core.util: 'CommandName': 'ad group member list'
cli.azure.cli.core.util: 'ParameterSetName': '--group --query --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer [REDACTED]'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/groups?$filter=displayName%20eq%20%27%27 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '8715e2a3-...'
cli.azure.cli.core.util: 'client-request-id': '8715e2a3-...'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"008","RoleInstance":"LO2PEPF000057C8"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '1'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Wed, 11 Feb 2026 11:32:02 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#groups","value":[{"id":"fa3989f6-...","deletedDateTime":null,"classification":null,"createdDateTime":"2024-06-25T16:02:00Z","creationOptions":[],"description":"Assigns named Role/Permission for named PostgreSql Server Resource, Resource Group and Subscription","displayName":"","expirationDateTime":null,"groupTypes":[],"isAssignableToRole":null,"mail":null,"mailEnabled":false,"mailNickname":"NotMailEnabled","membershipRule":null,"membershipRuleProcessingState":null,"onPremisesDomainName":null,"onPremisesLastSyncDateTime":null,"onPremisesNetBiosName":null,"onPremisesSamAccountName":null,"onPremisesSecurityIdentifier":null,"onPremisesSyncEnabled":null,"preferredDataLocation":null,"preferredLanguage":null,"proxyAddresses":[],"renewedDateTime":"2024-06-25T16:02:00Z","resourceBehaviorOptions":[],"resourceProvisioningOptions":[],"securityEnabled":true,"securityIdentifier":"","theme":null,"uniqueName":null,"visibility":null,"onPremisesProvisioningErrors":[],"serviceProvisioningErrors":[]}]}
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/...
msal.authority: openid_config("https://login.microsoftonline.com/.../v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/.../discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/.../oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/.../kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/.../oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 6e82a238-...
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/groups/.../members'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.13.11 (Windows-11-10.0.22631-SP0) AZURECLI/2.83.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': '4f8f45c6-...'
cli.azure.cli.core.util: 'CommandName': 'ad group member list'
cli.azure.cli.core.util: 'ParameterSetName': '--group --query --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer [REDACTED]'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/groups/.../members HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '3e176ac2-...'
cli.azure.cli.core.util: 'client-request-id': '3e176ac2-...'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"008","RoleInstance":"LO2PEPF00004AB9"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '3'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Wed, 11 Feb 2026 11:32:02 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[{"@odata.type":"#microsoft.graph.group","id":"f12e13ce-...","deletedDateTime":null,"classification":null,"createdDateTime":"2020-08-03T10:25:42Z","creationOptions":[],"description":"...","displayName":"...","expirationDateTime":null,"groupTypes":[],"isAssignableToRole":null,"mail":null,"mailEnabled":false,"mailNickname":"...","membershipRule":null,"membershipRuleProcessingState":null,"onPremisesDomainName":"...","onPremisesLastSyncDateTime":"2025-09-22T13:51:51Z","onPremisesNetBiosName":"...","onPremisesSamAccountName":"...","onPremisesSecurityIdentifier":"...","onPremisesSyncEnabled":true,"preferredDataLocation":null,"preferredLanguage":null,"proxyAddresses":[],"renewedDateTime":"2020-08-03T10:25:42Z","resourceBehaviorOptions":[],"resourceProvisioningOptions":[],"securityEnabled":true,"securityIdentifier":"...","theme":null,"uniqueName":null,"visibility":null,"onPremisesProvisioningErrors":[],"serviceProvisioningErrors":[]},{"@odata.type":"#microsoft.graph.user","id":"a33dc0df-...","businessPhones":[],"displayName":"...","givenName":"...","jobTitle":"...","mail":"...","mobilePhone":null,"officeLocation":"...","preferredLanguage":null,"surname":"...","userPrincipalName":"..."},{"@odata.type":"#microsoft.graph.user","id":"52f2c8cd-...","businessPhones":[],"displayName":"...","givenName":"...","jobTitle":"...","mail":null,"mobilePhone":null,"officeLocation":"...","preferredLanguage":null,"surname":"...","userPrincipalName":"..."},{"@odata.type":"#microsoft.graph.user","id":"4c6834a6-...","businessPhones":[],"displayName":"...","givenName":"...","jobTitle":"...","mail":null,"mobilePhone":null,"officeLocation":"...","preferredLanguage":null,"surname":"...","userPrincipalName":"..."}]}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x000001CB2773A520>, <function x509_from_base64_to_hex_transform at 0x000001CB2773A5C0>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult [<function CLIQuery.handle_query_parameter.<locals>.filter_output at 0x000001CB27A19080>]
[
"f12e13ce-...",
"a33dc0df-...",
"52f2c8cd-...",
"4c6834a6-..."
]
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000001CB276F5800>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 1.551 seconds (init: 0.296, invoke: 1.254)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3917 in cache file under C:\Users\...\.azure\telemetry\20260211113203048
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\...\.azure C:\Users\...\.azure\telemetry\20260211113203048"
telemetry.process: Return from creating process 36784
telemetry.main: Finish creating telemetry upload process.
Expected behavior
All group members are returned by az ad group member list.
Environment Summary
az --version
azure-cli 2.83.0
core 2.83.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.2
rdbms-connect 1.0.7
Dependencies:
msal 1.35.0b1
azure-mgmt-resource 23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\...\.azure'
Extensions directory 'C:\Users\...\.azure\cliextensions'
Python (Windows) 3.13.11 (tags/v3.13.11:6278944, Dec 5 2025, 16:26:58) [MSC v.1944 64 bit (AMD64)]
Additional context
No response
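An added example, not part of the original report or of the Azure CLI code base: a small reconciliation check for access reviews that depend on a members listing like the one in the debug output above. It tallies the `@odata.type` values in a `/members` response and reports principals that were confirmed as members by another source but are absent from the listing. The function name, the sample response and all IDs are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample shaped like the /v1.0/groups/{id}/members response in the
# debug log above; every id below is a made-up placeholder.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {"@odata.type": "#microsoft.graph.group", "id": "00000000-0000-0000-0000-00000000000a"},
        {"@odata.type": "#microsoft.graph.user", "id": "00000000-0000-0000-0000-00000000000b"},
        {"@odata.type": "#microsoft.graph.user", "id": "00000000-0000-0000-0000-00000000000c"},
    ],
})

# Principals known to be in the group from another source, for example a
# positive `az ad group member check` result or the Entra portal.
CONFIRMED_MEMBERS = {
    "00000000-0000-0000-0000-00000000000b",  # user, present in the listing
    "00000000-0000-0000-0000-0000000000f1",  # service principal, absent
}


def reconcile_members(response_text, confirmed_ids):
    """Compare a members listing against independently confirmed member ids."""
    body = json.loads(response_text)
    members = body.get("value", [])
    listed = {m["id"].lower() for m in members if "id" in m}
    # "#microsoft.graph.user" -> "user"; entries without a type count as "unknown".
    types = Counter(
        m.get("@odata.type", "unknown").rsplit(".", 1)[-1] for m in members
    )
    return {
        "type_counts": dict(types),
        "missing_from_listing": sorted(
            i.lower() for i in confirmed_ids if i.lower() not in listed
        ),
        "has_service_principals": types.get("servicePrincipal", 0) > 0,
        # A nextLink means this page is not the full membership.
        "more_pages": "@odata.nextLink" in body,
    }


if __name__ == "__main__":
    print(json.dumps(reconcile_members(SAMPLE_RESPONSE, CONFIRMED_MEMBERS), indent=2))
```

A non-empty `missing_from_listing` means the listing cannot be treated as the complete membership for an access review.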