Skip to content

az ad group member list returns empty for security groups containing only service principals #33076

Closed
Closed
az ad group member list returns empty for security groups containing only service principals#33076
Assignees
jiasli
Labels
Accountaz login/accountAuto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamGraph(doesn't work with label-triggered comments; use Graph.Microsoft instead) az adOutputPossible-SolutionSimilar-Issueact-identity-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that
@daravi

Description

@daravi
daravi
opened on Mar 26, 2026

Describe the bug

az ad group member list returns empty results for a security group whose members are service principals (managed identities), while the Azure portal correctly shows the members when logged in with the same identity and tenant.

Steps to reproduce

  1. Login to the tenant where the security group exists:

    az login --tenant <tenant-id>

  2. Verify the group exists and is accessible:

    az ad group show --group "<group-name>"
# Returns successfully with group metadata (displayName, id, description)

  3. List group members:

    az ad group member list --group "<group-name>" --query "[].{displayName:displayName, id:id}" -o table
# Returns empty - no output

  4. Open Azure portal (portal.azure.com), switch to the same directory, navigate to the same group → Members tab → shows the correct members (service principals)

Expected behavior

az ad group member list should return the same members that the Azure portal shows.

Actual behavior

The CLI returns empty results while the portal shows members correctly. Both use the same user identity and the same tenant.

Additional context

  • The security group only contains service principal members (user-assigned managed identities), not user accounts
  • az ad group show works correctly for this group
  • The account used is a guest account in the target tenant
  • Regular security groups with user members work fine with az ad group member list

Environment

  • OS: Windows 11 Enterprise
  • Shell: bash (Git Bash)
  • Azure CLI: 2.x (latest)

Metadata

Metadata

Assignees

Labels

Accountaz login/accountAuto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamGraph(doesn't work with label-triggered comments; use Graph.Microsoft instead) az adOutputPossible-SolutionSimilar-Issueact-identity-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions