assignee_object_id

jiasli · jiasli · commit 008851567207 · 2025-03-27T14:31:51.000+08:00
diff --git a/src/azure-cli/azure/cli/command_modules/role/_params.py b/src/azure-cli/azure/cli/command_modules/role/_params.py
@@ -327,10 +327,11 @@ def load_arguments(self, _):
         c.argument('include_inherited', action='store_true', help='include assignments applied on parent scopes')
         c.argument('can_delegate', action='store_true', help='when set, the assignee will be able to create further role assignments to the same role')
         c.argument('assignee', help='represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name')
-        c.argument('assignee_object_id', help="Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. "
-                   "This parameter only works with object ids for users, groups, service principals, and "
-                   "managed identities. For managed identities use the principal id. For service principals, "
-                   "use the object id and not the app id.")
+        c.argument('assignee_object_id',
+                   help="The assignee's object ID (also known as principal ID). "
+                        "Use this argument instead of '--assignee' to bypass Microsoft Graph invocation in case "
+                        "the logged-in account has no permission or the machine has no network access to query "
+                        "Microsoft Graph.")
         c.argument('ids', nargs='+', help='space-separated role assignment ids')
         c.argument('include_classic_administrators', arg_type=get_three_state_flag(),
                    help='list default role assignments for subscription classic administrators, aka co-admins')
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -209,7 +209,7 @@ def create_role_assignment(cmd, role, scope,
                                        assignment_name=assignment_name)
     except Exception as ex:  # pylint: disable=broad-except
         if _error_caused_by_role_assignment_exists(ex):  # for idempotent
-            return list_role_assignments(cmd, assignee=assignee, role=role, scope=scope)[0]
+            return list_role_assignments(cmd, assignee_object_id=object_id, role=role, scope=scope)[0]
         raise
 
 
@@ -232,13 +232,17 @@ def _create_role_assignment(cli_ctx, role, assignee, resource_group_name=None, s
                                          condition=condition, condition_version=condition_version)
 
 
-def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=None,
+def list_role_assignments(cmd,
+                          assignee=None, assignee_object_id=None,
+                          role=None, resource_group_name=None,
                           scope=None, include_inherited=False,
                           show_all=False, include_groups=False, include_classic_administrators=False):
-    '''
-    :param include_groups: include extra assignments to the groups of which the user is a
-    member(transitively).
-    '''
+    # include_groups: include extra assignments to the groups of which the user is a member(transitively).
+    if assignee and assignee_object_id:
+        raise CLIError('Usage error: Provide only one of --assignee or --assignee-object-id.')
+    if assignee and not assignee_object_id:
+        assignee_object_id = _resolve_object_id(cmd.cli_ctx, assignee, fallback_to_object_id=True)
+
     if include_classic_administrators:
         logger.warning(CLASSIC_ADMINISTRATOR_WARNING)
 
@@ -256,7 +260,7 @@ def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=Non
                                   definitions_client._config.subscription_id)
 
     assignments = _search_role_assignments(cmd.cli_ctx, assignments_client, definitions_client,
-                                           scope, assignee, role,
+                                           scope, assignee_object_id, role,
                                            include_inherited, include_groups)
 
     results = todict(assignments) if assignments else []
@@ -520,13 +524,20 @@ def _get_displayable_name(graph_object):
     return graph_object['displayName'] or ''
 
 
-def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_group_name=None,
+def delete_role_assignments(cmd, ids=None,
+                            assignee=None, assignee_object_id=None,
+                            role=None, resource_group_name=None,
                             scope=None, include_inherited=False,
                             yes=None):  # pylint: disable=unused-argument
     # yes is currently a no-op
-    if not any((ids, assignee, role, resource_group_name, scope)):
+    if not any((ids, assignee, assignee_object_id, role, resource_group_name, scope)):
         raise ArgumentUsageError('Please provide at least one of these arguments: '
-                                 '--ids, --assignee, --role, --resource-group, --scope')
+                                 '--ids, --assignee, --assignee-object-id, --role, --resource-group, --scope')
+
+    if assignee and assignee_object_id:
+        raise CLIError('Usage error: Provide only one of --assignee or --assignee-object-id.')
+    if assignee and not assignee_object_id:
+        assignee_object_id = _resolve_object_id(cmd.cli_ctx, assignee, fallback_to_object_id=True)
 
     factory = _auth_client_factory(cmd.cli_ctx, scope)
     assignments_client = factory.role_assignments
@@ -558,7 +569,7 @@ def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_gr
     scope = _build_role_scope(resource_group_name, scope,
                               assignments_client._config.subscription_id)
     assignments = _search_role_assignments(cmd.cli_ctx, assignments_client, definitions_client,
-                                           scope, assignee, role, include_inherited,
+                                           scope, assignee_object_id, role, include_inherited,
                                            include_groups=False)
 
     if assignments:
@@ -569,11 +580,7 @@ def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_gr
 
 
 def _search_role_assignments(cli_ctx, assignments_client, definitions_client,
-                             scope, assignee, role, include_inherited, include_groups):
-    assignee_object_id = None
-    if assignee:
-        assignee_object_id = _resolve_object_id(cli_ctx, assignee, fallback_to_object_id=True)
-
+                             scope, assignee_object_id, role, include_inherited, include_groups):
     # https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest
     # "atScope()" and "principalId eq '{value}'" query cannot be used together (API limitation).
     # always use "scope" if provided, so we can get assignments beyond subscription e.g. management groups
