New-AzRoleAssignment doesn't return error other than status code #19605

@abatishchev

Description

  1. Grant the permissions on an Azure subscription to a certain user, group, or service principal
  2. Run a command to grant the permissions again

     New-AzRoleAssignment -ObjectId $id -RoleDefinitionName $role -Scope "/subscriptions/$sub"

  3. Observe an error:

     New-AzRoleAssignment: Operation returned an invalid status code 'Conflict'

  4. Adding -Verbose doesn't change anything.
  5. Only adding -Debug does!

Issue script & Debug output

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/<sub id>/providers/Microsoft.Authorization/roleAssignments/<role id>?api-version=2020-08-01-preview

Headers:
x-ms-client-request-id        : e86e7fae-d39b-4f01-a34d-7034834acb4d
Accept-Language               : en-US

Body:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/<sub id/providers/Microsoft.Authorization/roleDefinitions/<role id><role id>",
    "principalId": "<object id>",
    "principalType": "Group"
  }
}


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Conflict

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-request-id               : 1e6c584a-9bc6-4450-92a5-b88e91b30091
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Set-Cookie                    : x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-correlation-request-id   : 54fa9c95-427f-4e62-8325-679b79241b0d
x-ms-routing-request-id       : WESTUS:20220923T191844Z:54fa9c95-427f-4e62-8325-679b79241b0d
Date                          : Fri, 23 Sep 2022 19:18:44 GMT

Body:
{
  "error": {
    "code": "RoleAssignmentExists",
    "message": "The role assignment already exists."
  }
}

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.3
PSEdition                      Core
GitCommitId                    7.2.3
OS                             Microsoft Windows 10.0.19043
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version Name
---------- ------- ----
    Script 6.0.1   Az.Resources

Error output

HistoryId: 37

ErrorCategory     : CloseError: (:) [New-AzRoleAssignment], ErrorResponseException
ErrorDetail       :
InvocationInfo    : {New-AzRoleAssignment}
Line              : New-AzRoleAssignment -ObjectId "<object id>" -RoleDefinitionName "<role name>"  -Scope "/subscriptions/<sub id>"
Position          : At line:1 char:1
BoundParameters   : {}
UnboundParameters :
HistoryId         : 37

Resolve-AzError: Collection was modified; enumeration operation may not execute.
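
A caller-side way to make the grant idempotent despite the behaviour reported above, as an added example that is not part of the original issue or of Az.Resources: look for an existing assignment first, and treat the 'Conflict' message as success only when a re-query confirms the assignment is there. `Grant-RoleIfMissing` is a hypothetical helper name; `$id`, `$role` and `$sub` are the reporter's variables.

```powershell
# Added example: idempotent wrapper around New-AzRoleAssignment.
# Grant-RoleIfMissing is a hypothetical helper name, not an Az.Resources cmdlet.
function Grant-RoleIfMissing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope
    )

    $target = $Scope.TrimEnd('/')

    # Get-AzRoleAssignment -Scope also returns assignments inherited from
    # parent scopes, so keep only those made at exactly the requested scope.
    $findExisting = {
        Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName `
                             -Scope $target -ErrorAction Stop |
            Where-Object { $_.Scope.TrimEnd('/') -eq $target }
    }

    $existing = & $findExisting
    if ($existing) {
        Write-Verbose "Role '$RoleDefinitionName' already assigned to $ObjectId at $target"
        return $existing
    }

    try {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName `
                             -Scope $target -ErrorAction Stop
    }
    catch {
        # The status code in the message text is the only detail surfaced
        # (see the error above), so match on it and confirm by re-querying.
        if ($_.Exception.Message -match "'Conflict'") {
            $existing = & $findExisting
            if ($existing) { return $existing }   # created concurrently by another caller
        }
        throw   # any other failure, or an unconfirmed Conflict, still fails the run
    }
}

Grant-RoleIfMissing -ObjectId $id -RoleDefinitionName $role -Scope "/subscriptions/$sub" -Verbose
```

Rethrowing an unconfirmed Conflict keeps a provisioning pipeline from silently continuing when the principal did not actually receive the role.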

Metadata

Labels

Resource Authorization: AzRole* in Az.Resources
Service Attention: This issue is responsible by Azure service team.
act-identity-squad
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
good first issue: Issues suited for folks who want to help for the first time.
