Closed
Labels: Account, Auto-Assign, Azure CLI Team, Graph, Output, Possible-Solution, Similar-Issue, act-identity-squad, customer-reported, question
Description
Describe the bug
az ad group member list returns empty results for a security group whose members are service principals (managed identities), while the Azure portal correctly shows the members when logged in with the same identity and tenant.
Steps to reproduce
- Log in to the tenant where the security group exists:
  az login --tenant <tenant-id>
- Verify the group exists and is accessible:
  az ad group show --group "<group-name>"
  # Returns successfully with group metadata (displayName, id, description)
- List group members:
  az ad group member list --group "<group-name>" --query "[].{displayName:displayName, id:id}" -o table
  # Returns empty - no output
- Open Azure portal (portal.azure.com), switch to the same directory, navigate to the same group → Members tab → shows the correct members (service principals)
Expected behavior
az ad group member list should return the same members that the Azure portal shows.
Actual behavior
The CLI returns empty results while the portal shows members correctly. Both use the same user identity and the same tenant.
Additional context
- The security group only contains service principal members (user-assigned managed identities), not user accounts
- az ad group show works correctly for this group
- The account used is a guest account in the target tenant
- Regular security groups with user members work fine with az ad group member list
Environment
- OS: Windows 11 Enterprise
- Shell: bash (Git Bash)
- Azure CLI: 2.x (latest)