
Get-AzSubscriptionAlias does not show aliases when permissions are granted through a security group #29216

@feliasson

Description

When using the Get-AzSubscriptionAlias cmdlet without any additional parameter, I am seeing aliases for only a subset of the subscriptions I have access to. There should be more aliases visible, but the output is incomplete.

The missing subscription aliases have permissions granted through security group membership, where the security group has the Reader role assigned on those subscription aliases.

The missing aliases can still be found when using the -AliasName parameter:

```
PS C:\Users> Get-AzSubscriptionAlias -AliasName CLAC0001234

AcceptOwnershipState         : 
AcceptOwnershipUrl           : 
AliasName                    : CLAC0001234
BillingScope                 : 
CreatedTime                  : 
DisplayName                  : 
Id                           : /providers/Microsoft.Subscription/aliases/CLAC0001234
ManagementGroupId            : 
ProvisioningState            : Succeeded
ResellerId                   : 
ResourceGroupName            : 
SubscriptionId               : <obfuscated>
SubscriptionOwnerId          : 
SystemDataCreatedAt          : 
SystemDataCreatedBy          : 
SystemDataCreatedByType      : 
SystemDataLastModifiedAt     : 
SystemDataLastModifiedBy     : 
SystemDataLastModifiedByType : 
Tag                          : {
                               }
Type                         : Microsoft.Subscription/aliases
Workload                     : 
```

Issue script & Debug output

Too much sensitive data in debug output, repro is explained.

Environment data

```
Name                           Value
----                           -----
PSVersion                      7.5.4
PSEdition                      Core
GitCommitId                    7.5.4
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Module versions

```
ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.3.2                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.0.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
Script     0.12.0                Az.Subscription                     {Disable-AzSubscription, Enable-AzSubscription, Get-AzSubscriptionAcceptOwnershipStatus, Get-AzSubscriptionAlias…}
```

Error output

There is no error when running the `Get-AzSubscriptionAlias` cmdlet, but it does not show all the aliases for the subscriptions the user has access to, and the ones missing are through security group membership with `Reader` on the subscription aliases.
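
A way to reproduce the discrepancy described above without sharing debug output, as an added example that is not part of the original issue or the Az module's own code. It assumes the parameterless call returns objects with the same `AliasName` property shown in the `-AliasName` output; `$ExpectedAliases` is a hypothetical parameter, and the default value is the alias name from this report.

```powershell
# Added example: compares the parameterless (list) call with direct lookups.
# $ExpectedAliases is a hypothetical parameter; supply the alias names you
# expect to be visible through your direct and group-based role assignments.
param(
    [string[]] $ExpectedAliases = @('CLAC0001234')
)

# Alias names returned by the list call (assumed to expose AliasName).
$listed = @(Get-AzSubscriptionAlias | ForEach-Object { $_.AliasName })

$report = foreach ($name in $ExpectedAliases) {
    # Direct lookup; a failed lookup leaves $direct empty instead of stopping the script.
    $direct = Get-AzSubscriptionAlias -AliasName $name -ErrorAction SilentlyContinue

    $state = $null
    if ($direct) { $state = $direct.ProvisioningState }

    [pscustomobject]@{
        AliasName         = $name
        InListOutput      = $listed -contains $name
        DirectLookup      = [bool]$direct
        ProvisioningState = $state
    }
}

# Full comparison, containing only alias names and states.
$report | Format-Table -AutoSize

# Aliases that resolve by name but are absent from the list output.
$report | Where-Object { $_.DirectLookup -and -not $_.InListOutput }
```

The output contains only alias names, booleans and provisioning states, so it can be attached to a report after checking that the alias names themselves are not sensitive.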

Labels: bug (This issue requires a change to an existing behavior in the product in order to be resolved.), customer-reported
