`az role assignment delete` fails if the assignee principal no longer exists

[jiasli]

Describe the bug

Customer is Trying to remove RBAC role assignments for users/groups/service principals that no longer exist using azure cli and he is receiving the below error message (this was working in the past but stopped working a week ago):

Command used:

az role assignment delete --role 'Monitoring Reader' --Assignee xxx --Scope xxx

Error message they are getting:

ERROR: Cannot find user or service principal in graph database for xxx'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id xxx'`

[jiasli]

Before deleting the role assignment, CLI will call _resolve_object_id_and_type to resolve the assignee to objectId:

If assignee is neither an appId or objectId, CLI raises error:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 1809 to 1812 in 3c34079

	if not result:
	raise CLIError("Cannot find user or service principal in graph database for '{assignee}'. "
	"If the assignee is an appId, make sure the corresponding service principal is created "
	"with 'az ad sp create --id {assignee}'.".format(assignee=assignee))

This behavior has been there since 2016-07-27 (#553) and the error message was later polished by #12617.

I am not sure if changing this behavior is a good idea, as it also affects

• az role assignment create
• az role assignment list

as _resolve_object_id_and_type is also called by these commands: non-existing objectId results in failure. Changing this behavior will certainly be a breaking change.

Workaround

Please use --ids argument to delete the role assignment if assignee doesn't exist anymore, such as:

az role assignment delete --ids /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/acctestRG-ibt-24/providers/Microsoft.Authorization/roleAssignments/f2774385-1f67-4db6-ae57-6c15d8d69357

[ShachafGoldstein]

Facing this issue as well.

az role assignment create has the option for --assignee-object-id, why not have that option for delete?

[lucashby]

Facing this issue as well.

az role assignment create has the option for --assignee-object-id, why not have that option for delete?

This is exactly what should happen even according to the error message when attempting to use --assignee. The error message is telling me to use something that doesn't exist.

When I attempt with --assignee I get:

az : WARNING: Failed to query xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx by invoking Graph API. If you don't have permission to query Graph API, please specify
--assignee-object-id and --assignee-principal-type.

When I switch to the 2 arguments it just told me to use, I get:

az : ERROR: unrecognized arguments: --assignee-object-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --assignee-principal-type User

Now we are in an endless loop of error.

Please fix and add support to the delete operation for --assignee-object-id and --assignee-principal-type same as the "create" operation has.

[jiasli]

az role assignment delete now supports --assignee-object-id (#30469).