az role assignment create unexpectedly calls graph API when objectid/principaltype set if assignment already exists #31579

@matthchr

Description

Describe the bug

When az role assignment create is run with --assignee-object-id and --assignee-principal-type and the assignment already exists, the CLI attempts to make calls to the graph API, even though it shouldn't, because the --assignee-object-id and --assignee-principal-type are already set.

My intent with setting those fields is to avoid calls to the graph API so that my commands can run in an unmanaged context (such as CI).

Related command

az role assignment create --assignee-object-id $(AZURE_OBJECT_ID) --assignee-principal-type "ServicePrincipal" --scope /subscriptions/$(AZURE_SUBSCRIPTION_ID)/resourceGroups/$(AZURE_RESOURCE_GROUP) --role "Network Contributor"

Errors

cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 926a533c-482e-4aab-bf59-2164d70f5500 Correlation ID: a5131f3c-e0a0-492c-aa86-cc86cc0bcc86 Timestamp: 2025-05-29 19:37:58Z
az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 926a533c-482e-4aab-bf59-2164d70f5500 Correlation ID: a5131f3c-e0a0-492c-aa86-cc86cc0bcc86 Timestamp: 2025-05-29 19:37:58Z

Issue script & Debug output

cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"RoleAssignmentExists","message":"The role assignment already exists."}}
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
... (lots of logs here listing role assignments via GET /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2022-04-01 HTTP/1.1")

sal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 926a533c-482e-4aab-bf59-2164d70f5500 Correlation ID: a5131f3c-e0a0-492c-aa86-cc86cc0bcc86 Timestamp: 2025-05-29 19:37:58Z
urllib3.connectionpool: https://login.microsoftonline.com:443 "GET /common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/authorize HTTP/1.1" 200 945
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 186, in create_role_assignment
    return _create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 210, in _create_role_assignment
    return worker.create_role_assignment(assignments_client, assignment_name, role_id, object_id, scope,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_multi_api_adaptor.py", line 57, in create_role_assignment
    return client.create(scope, assignment_name, parameters)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/mgmt/authorization/v2022_04_01/operations/_role_assignments_operations.py", line 902, in create
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "/opt/az/lib/python3.11/site-packages/azure/core/exceptions.py", line 112, in map_error
    raise error
azure.core.exceptions.ResourceExistsError: (RoleAssignmentExists) The role assignment already exists.
Code: RoleAssignmentExists
Message: The role assignment already exists.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 192, in create_role_assignment
    return list_role_assignments(cmd, assignee=assignee, role=role, scope=scope)[0]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 270, in list_role_assignments
    principals = _get_object_stubs(graph_client, principal_ids)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1585, in _get_object_stubs
    result.extend(list(graph_client.directory_object_get_by_ids(body)))
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 229, in directory_object_get_by_ids
    result = self._send("POST", "/directoryObjects/getByIds", body=body)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
    token_info, _, _ = profile.get_raw_token(resource)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 415, in get_raw_token
    sdk_token = credential.get_token(*scopes)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/msal_authentication.py", line 74, in get_token
    check_result(result, scopes=scopes, claims=claims)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 139, in check_result
    aad_error_handler(result, **kwargs)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 43, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=login_message)
azure.cli.core.azclierror.AuthenticationError: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 926a533c-482e-4aab-bf59-2164d70f5500 Correlation ID: a5131f3c-e0a0-492c-aa86-cc86cc0bcc86 Timestamp: 2025-05-29 19:37:58

Expected behavior

The CLI should refrain from attempting to call the graph API if the user is specifying --assignee-object-id, as the whole point of that field is specifically to avoid calls to the graph API.

See the description of that field in the docs:

    --assignee-object-id          : The assignee's object ID (also known as principal ID). Use this
                                    argument instead of '--assignee' to bypass Microsoft Graph query
                                    in case the logged-in account has no permission or the machine
                                    has no network access to query Microsoft Graph.

Environment Summary

azure-cli 2.73.0

core 2.73.0
telemetry 1.1.0

Extensions:
aks-preview 13.0.0b8
k8s-extension 1.6.4

Dependencies:
msal 1.32.3
azure-mgmt-resource 23.3.0

Python (Linux) 3.12.8 (main, May 13 2025, 11:04:48) [GCC 11.4.0]

Your CLI is up-to-date.

Additional context

No response
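The traceback above shows the control flow behind the report: the ARM create call returns RoleAssignmentExists, the CLI falls back to list_role_assignments, and that fallback resolves principal IDs through Microsoft Graph (getByIds), which is exactly the call an unmanaged CI device cannot make. The following is an added illustration, not Azure CLI code, of an idempotent "ensure assignment" routine that only consults Graph when the caller supplied a name rather than an object ID. The two fake clients, their method names (create, list_for_scope, resolve) and the sample IDs are constructed for this example.

```python
"""Model of an idempotent role-assignment create that never touches Microsoft Graph
when the caller already knows the principal's object ID.

Added illustration, not Azure CLI code. FakeAuthorizationClient and FakeGraphClient
stand in for AuthorizationManagementClient and the CLI's Graph client; their method
names and the sample identifiers are assumptions chosen for this example.
"""
from dataclasses import dataclass, field


class ResourceExistsError(Exception):
    """Stand-in for azure.core.exceptions.ResourceExistsError (RoleAssignmentExists)."""


@dataclass
class RoleAssignment:
    role_definition_id: str
    principal_id: str
    scope: str
    principal_type: str


@dataclass
class FakeAuthorizationClient:
    """Constructed stand-in for the ARM role-assignment operations."""
    existing: list = field(default_factory=list)

    def create(self, scope, role_definition_id, principal_id, principal_type):
        for a in self.existing:
            if (a.scope, a.role_definition_id, a.principal_id) == (scope, role_definition_id, principal_id):
                raise ResourceExistsError("(RoleAssignmentExists) The role assignment already exists.")
        a = RoleAssignment(role_definition_id, principal_id, scope, principal_type)
        self.existing.append(a)
        return a

    def list_for_scope(self, scope):
        # Mirrors GET .../roleAssignments?$filter=atScope(): the response already
        # carries principalId, so no directory lookup is needed to match on it.
        return [a for a in self.existing if a.scope == scope]


@dataclass
class FakeGraphClient:
    """Constructed stand-in for the Graph client; counts calls so a test can prove none were made."""
    directory: dict = field(default_factory=dict)  # display name -> object id (constructed)
    calls: int = 0

    def resolve(self, assignee):
        # On an unmanaged device in CI this is where AADSTS530003 would surface.
        self.calls += 1
        return self.directory[assignee]


def ensure_role_assignment(auth, graph, role_definition_id, scope, *,
                           object_id=None, principal_type=None, assignee=None):
    """Create the assignment if missing, otherwise return the existing one.

    Graph is consulted only when the caller gave a name (assignee) and not an
    object ID; the RoleAssignmentExists fallback filters the ARM listing locally
    instead of resolving principals through Graph.
    """
    if object_id is None:
        if assignee is None:
            raise ValueError("need --assignee or --assignee-object-id")
        object_id = graph.resolve(assignee)
        principal_type = principal_type or "Unknown"
    try:
        return auth.create(scope, role_definition_id, object_id, principal_type)
    except ResourceExistsError:
        matches = [a for a in auth.list_for_scope(scope)
                   if a.principal_id == object_id and a.role_definition_id == role_definition_id]
        return matches[0]


if __name__ == "__main__":
    auth = FakeAuthorizationClient()
    graph = FakeGraphClient(directory={"ci-sp": "oid-ci-sp"})
    scope = "/subscriptions/<sub-id>/resourceGroups/<rg>"  # placeholder scope
    for _ in range(2):  # second run hits RoleAssignmentExists and must not call Graph
        ensure_role_assignment(auth, graph, "network-contributor", scope,
                               object_id="oid-ci-sp", principal_type="ServicePrincipal")
    print("graph calls with --assignee-object-id:", graph.calls)
```

The point a reviewer would check is the except branch: the existing assignment is found by comparing principal_id values that the ARM list call already returns, so the fallback is safe in the same unmanaged context the object-ID flags were designed for.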

Labels: Auto-Assign, Azure CLI Team, OKR Candidate, RBAC, az role, question
