az disk update (multitenant)

[sirLolkovic]

Describe the bug

The issue arises when I create a VM in Tenant 1 using an IMAGE from Tenant 2.
Afterward, I cannot update the VM's DISK via Azure CLI due to a permission error. It seems that az disk update does not support the aux-tenant parameter.

I have permissions in both tenants.

In the Azure portal (GUI), the update works (though I am not certain if the GUI and API enforce the same permissions).

I attempted the same operation via the REST API via BASH, and the request succeeded without issues.
The token was obtained through Azure CLI using the following command (meaning the same permissions were applied):

az account get-access-token --query accessToken -o tsv

REST API: (via bash - curl)
version: 2024-03-02 and 2023-04-02 (both ok)
POST https://management.azure.com/subscriptions/{{ subscription_id }}/resourceGroups/{{ rg }}/providers/Microsoft.Compute/disks/{{ disk_name }}?api-version={{ api_version }}
DATA: '{"properties": {"networkAccessPolicy": "DenyAll"}}'

BUT!!!
REST API: (via python)
version: 2024-03-02 (2023-04-02 i dont tested)
import requests
from azure.identity import DefaultAzureCredential
same url (via BASH)
same error via azure cli

Most likely the problem will be in the permissions resolution

Related command

az disk update --resource-group $rg --name $name_disk --network-access-policy DenyAll

Errors

(LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyyy' is not authorized to access linked subscription 'zzz'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyyy' is not authorized to access linked subscription 'zzz'.

Issue script & Debug output

cli.knack.cli: Command arguments: ['disk', 'update', '--resource-group', 'eca-test-weu-provisioning', '--name', 'eca-test-weu-provisioning-automat-01-disk', '--network-access-policy', 'DenyAll', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f90e4d977e0>, <function OutputProducer.on_global_arguments at 0x7f90e4aea660>, <function CLIQuery.on_global_arguments at 0x7f90e4b2fba0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'disk': ['azure.cli.command_modules.vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: vm 0.300 58 235
cli.azure.cli.core: Total (1) 0.300 58 235
cli.azure.cli.core: Loaded 58 groups, 235 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : disk update
cli.azure.cli.core: Command table: disk update
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f90e3d22c00>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/aaa/.azure/commands/2024-11-27.14-17-43.disk_update.18448.log'.
az_command_data_logger: command args: disk update --resource-group {} --name {} --network-access-policy {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f90e3d5fec0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f90e3d9a2a0>, <function register_cache_arguments..add_cache_arguments at 0x7f90e3d9a3e0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7f90e3d9a480>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f90e4aea700>, <function CLIQuery.handle_query_parameter at 0x7f90e4b2fc40>, <function register_ids_argument..parse_ids_arguments at 0x7f90e3d9a340>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/aaa/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/aaa/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/yyy
msal.authority: openid_config("https://login.microsoftonline.com/yyy/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/yyy/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/yyy/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/yyy/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: f622fe7b-91c3-42e0-913a-f37f957b456d
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk?api-version=2023-04-02'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'fbfecf30-acc1-11ef-afb4-005056af2483'
cli.azure.cli.core.sdk.policies: 'CommandName': 'disk update'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --network-access-policy --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.67.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.7 (Linux-6.1.0-28-amd64-x86_64-with-glibc2.36)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk?api-version=2023-04-02 HTTP/1.1" 200 1902
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '1902'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-resource': 'Microsoft.Compute/LowCostGet3Min;14998,Microsoft.Compute/LowCostGet30Min;119998'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-served-by': 'c6163d06-a1d5-4fe9-8ab1-ca6d52896fb6_133561516682177909'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '95b7f61a-1b92-48cd-8226-0c12fbcc94af'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '5fc40ebe-8035-4061-97f4-3c6af13268d6'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'UKWEST:20241127T131743Z:5fc40ebe-8035-4061-97f4-3c6af13268d6'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 673AAC26E8D5442794FBA0B3F4BEDD52 Ref B: VIEEDGE1314 Ref C: 2024-11-27T13:17:43Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Wed, 27 Nov 2024 13:17:43 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
"name": "eca-test-weu-provisioning-automat-01-disk",
"id": "/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk",
"type": "Microsoft.Compute/disks",
"location": "westeurope",
"tags": {
"created": "2024-10-24T06:01:59Z",
"version": "1.0.6"
},
"managedBy": "/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/virtualMachines/eca-test-weu-provisioning-automat-01-vm",
"sku": {
"name": "Premium_LRS",
"tier": "Premium"
},
"properties": {
"osType": "Linux",
"hyperVGeneration": "V2",
"supportedCapabilities": {
"architecture": "x64"
},
"creationData": {
"createOption": "FromImage",
"imageReference": {
"id": "/subscriptions/zzz/resourceGroups/ep-images/providers/Microsoft.Compute/galleries/ep_test_image_gallery/images/ep-test-global-automat-u22/versions/1.0.6"
},
"galleryImageReference": {
"id": "/subscriptions/zzz/resourceGroups/ep-images/providers/Microsoft.Compute/galleries/ep_test_image_gallery/images/ep-test-global-automat-u22/versions/1.0.6"
}
},
"diskSizeGB": 30,
"diskIOPSReadWrite": 120,
"diskMBpsReadWrite": 25,
"encryption": {
"type": "EncryptionAtRestWithPlatformKey"
},
"networkAccessPolicy": "DenyAll",
"publicNetworkAccess": "Enabled",
"timeCreated": "2024-10-24T06:02:05.8904982+00:00",
"provisioningState": "Succeeded",
"diskState": "Attached",
"LastOwnershipUpdateTime": "2024-10-24T06:02:05.8904982+00:00",
"diskSizeBytes": 32213303296,
"uniqueId": "644a9afe-1aec-4851-a980-3098ac4e8b45",
"tier": "P4"
}
}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/yyy
msal.authority: openid_config("https://login.microsoftonline.com/yyy/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/yyy/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/yyy/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/yyy/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/yyy
msal.authority: openid_config("https://login.microsoftonline.com/yyy/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/yyy/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/yyy/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/yyy/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/yyy/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: a7f61c6c-f775-41f8-a874-808d322574f1
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk?api-version=2023-04-02'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '928'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'fbfecf30-acc1-11ef-afb4-005056af2483'
cli.azure.cli.core.sdk.policies: 'CommandName': 'disk update'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --network-access-policy --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.67.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.7 (Linux-6.1.0-28-amd64-x86_64-with-glibc2.36)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "westeurope", "tags": {"created": "2024-10-24T06:01:59Z", "version": "1.0.6"}, "sku": {"name": "Premium_LRS"}, "properties": {"osType": "Linux", "hyperVGeneration": "V2", "supportedCapabilities": {"architecture": "x64"}, "creationData": {"createOption": "FromImage", "imageReference": {"id": "/subscriptions/zzz/resourceGroups/ep-images/providers/Microsoft.Compute/galleries/ep_test_image_gallery/images/ep-test-global-automat-u22/versions/1.0.6"}, "galleryImageReference": {"id": "/subscriptions/zzz/resourceGroups/ep-images/providers/Microsoft.Compute/galleries/ep_test_image_gallery/images/ep-test-global-automat-u22/versions/1.0.6"}}, "diskSizeGB": 30, "diskIOPSReadWrite": 120, "diskMBpsReadWrite": 25, "encryption": {"type": "EncryptionAtRestWithPlatformKey"}, "networkAccessPolicy": "DenyAll", "tier": "P4", "publicNetworkAccess": "Enabled"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk?api-version=2023-04-02 HTTP/1.1" 403 488
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '488'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '73118cb5-38c5-4e62-a627-0ba6e02995ad'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '73118cb5-38c5-4e62-a627-0ba6e02995ad'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'FRANCECENTRAL:20241127T131743Z:73118cb5-38c5-4e62-a627-0ba6e02995ad'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: E90C47D64DC3453F97DC3A50655BBF87 Ref B: VIEEDGE1916 Ref C: 2024-11-27T13:17:43Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Wed, 27 Nov 2024 13:17:43 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: Body is streamable
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 733, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 336, in call
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 242, in handler
result = cached_put(self.cmd, setter, setterargs[self.setter_arg_name],
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 455, in cached_put
return _put_operation()
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 449, in _put_operation
result = operation(**kwargs)
^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/mgmt/compute/v2023_04_02/operations/_operations.py", line 1427, in begin_create_or_update
raw_result = self._create_or_update_initial(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/mgmt/compute/v2023_04_02/operations/_operations.py", line 1333, in _create_or_update_initial
raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.

cli.azure.cli.core.azclierror: (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.
az_command_data_logger: (LinkedAuthorizationFailed) The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.
Code: LinkedAuthorizationFailed
Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/xxx/resourceGroups/eca-test-weu-provisioning/providers/Microsoft.Compute/disks/eca-test-weu-provisioning-automat-01-disk', however the current tenant 'yyy' is not authorized to access linked subscription 'zzz'.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f90e3d22e80>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.439 seconds (init: 0.267, invoke: 1.172)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4828 in cache file under /home/aaa/.azure/telemetry/20241127141744101
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/aaa/.azure /home/aaa/.azure/telemetry/20241127141744101"
telemetry.process: Return from creating process 18466
telemetry.main: Finish creating telemetry upload process.

Expected behavior

to make it work :)

Environment Summary

azure-cli 2.67.0

core 2.67.0
telemetry 1.1.0

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/xxx/.azure/cliextensions'

Python (Linux) 3.12.7 (main, Nov 13 2024, 04:08:36) [GCC 12.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.