RBAC assignment on AD group failing
`az feedback` auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
When an AD group is created and a role is assigned quickly afterwards, the role assignment fails. The command returns the message
Check that you have the correct principal ID. If you are creating this principal and then immediately assigning a role, this error might be related to a replication delay. In this case, set the role assignment principalType property to a value, such as ServicePrincipal, User, or Group. See https://aka.ms/docs-principaltype
However, setting the principalType does not help. For example:
az role assignment create --role Reader --assignee-object-id <guid of AD group> --assignee-principal-type Group --resource-group rg-prod-services --subscription <subscription name>
results in:
WARNING: The underlying Active Directory Graph API will be replaced by Microsoft Graph API in a future version of Azure CLI. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
Principal <guid of AD group> does not exist in the directory <GUID of directory>. Check that you have the correct principal ID. If you are creating this principal and then immediately assigning a role, this error might be related to a replication delay. In this case, set the role assignment principalType property to a value, such as ServicePrincipal, User, or Group. See https://aka.ms/docs-principaltype
If the command to assign a role is repeated a few minutes after the AD group has been created it works without issue.
To Reproduce
Create an AD group and then try to assign a role to it quickly afterwards.
Expected behavior
Ideally, the role assignment command should not fail.
Environment summary
$ az --version
WARNING: You have 2 updates available. Consider updating your CLI installation with 'az upgrade'
Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
azure-cli 2.34.1 *
core 2.34.1 *
telemetry 1.0.6
Extensions:
account 0.2.2
azure-devops 0.23.0
db-up 0.2.6
Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\....user...\.azure\cliextensions'
Python (Windows) 3.8.9 (tags/v3.8.9:a743f81, Apr 6 2021, 13:22:56) [MSC v.1928 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Using Bash on Windows.
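The error text in the report says the assignment is rejected while the directory has not yet replicated the new group, and that waiting a few minutes makes it succeed. The script below is an added example (not code from the issue, Pulumi, or the Azure CLI project) of how a deployment script can absorb that delay: it creates the group, then retries `az role assignment create` with capped exponential backoff, but only while the output contains the replication-delay message quoted above, so any other failure (wrong role, missing permissions) still surfaces immediately. It assumes the `az` CLI is installed and logged in, and that `az ad group create --query id -o tsv` returns the group's object id (on older, AD Graph based CLI versions the field is `objectId`, so adjust the query there). The group name and resource group are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example: retry an Azure role assignment across AAD replication delay.
# Assumes a logged-in `az` CLI; retry knobs can be overridden via environment.
set -euo pipefail

MAX_ATTEMPTS="${MAX_ATTEMPTS:-8}"   # give up after this many tries
SLEEP_SECS="${SLEEP_SECS:-5}"       # initial back-off, doubled up to 60s

# retry_on_replication_delay CMD ARGS...
# Runs CMD; if it fails AND its output carries the "does not exist in the
# directory" replication-delay message, sleeps and retries. Any other error
# is printed to stderr and returned at once (no retry). Prints CMD's output
# on success. Returns 0 on success, 1 otherwise.
retry_on_replication_delay() {
  local attempt=1 delay="$SLEEP_SECS" out
  while :; do
    if out="$("$@" 2>&1)"; then
      printf '%s\n' "$out"
      return 0
    fi
    # Only the replication-delay error is transient; everything else is real.
    if ! printf '%s' "$out" | grep -q 'does not exist in the directory'; then
      printf '%s\n' "$out" >&2
      return 1
    fi
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      printf 'giving up after %d attempts: %s\n' "$attempt" "$out" >&2
      return 1
    fi
    printf 'attempt %d: principal not yet replicated, retrying in %ss\n' \
      "$attempt" "$delay" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
    if [ "$delay" -gt 60 ]; then delay=60; fi
  done
}

# assign_reader_to_new_group GROUP_NAME RESOURCE_GROUP
# Creates the AD group, then assigns Reader on the resource group to it,
# passing --assignee-principal-type Group as the error message recommends
# and retrying until the directory has replicated the new object id.
assign_reader_to_new_group() {
  local group_name="$1" rg="$2" object_id
  object_id="$(az ad group create \
      --display-name "$group_name" \
      --mail-nickname "$group_name" \
      --query id -o tsv)"   # assumption: `id` holds the object id (MS Graph)
  retry_on_replication_delay az role assignment create \
      --role Reader \
      --assignee-object-id "$object_id" \
      --assignee-principal-type Group \
      --resource-group "$rg"
}

# Usage (hypothetical names): ./assign.sh sg-prod-readers rg-prod-services
if [ "$#" -eq 2 ]; then
  assign_reader_to_new_group "$1" "$2"
fi
```

Matching on the error text rather than on the exit code is what keeps the retry narrow: a genuine authorization or argument error fails the pipeline on the first attempt instead of burning eight minutes of back-off. Because the function takes the command as arguments, the same wrapper can front any other `az` call that suffers the same delay, for example assignments to a freshly created service principal.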
Issue Analytics
- Created a year ago
- Reactions:3
- Comments:5 (1 by maintainers)
Top GitHub Comments
Any update on this? I can confirm I'm having the same issue when --assignee-principal-type is set to Group, on the latest version of Azure CLI. I'm getting this while running Pulumi, which uses Azure CLI under the hood. It seems to attempt to assign the group immediately after it's created, meaning this issue happens on the first deployment of the group and role assignment, consistently. Waiting a few seconds and running a second time, it will succeed with the role assignment. Pulumi has no handle that is capable of solving this, so for now our CD is broken.
It seems almost identical to this symptom listed in the Azure RBAC troubleshooting, only for groups instead of service principals.
Repeating the test with the latest version of the Azure CLI (2.36.0), the issue is still present.