Description
Remove-AzDenyAssignment throws when invoked against a deny assignment that does not exist. The underlying REST API returns 204 No Content (idempotent delete), so the cmdlet should return silently.
The error message also exposes a double-slash bug in the scope string used in the error text:
```
No deny assignment named '<guid>' found at scope '//subscriptions/<sub>'.
                                                  ^^ note the double slash
```
Repro
Tested against the Debug build from PR #29340 (Az.Resources 9.0.3).
```powershell
Import-Module C:\src\azure-powershell\artifacts\Debug\Az.Resources\Az.Resources.psd1 -Force
Connect-AzAccount -Tenant <tenant> -Subscription <sub>
$bogusId = [guid]::NewGuid().ToString()
Remove-AzDenyAssignment -DenyAssignmentName $bogusId -Scope "/subscriptions/<sub>"
# -> Confirm prompt appears (see Bug A)
# -> After Y: "No deny assignment named '<guid>' found at scope '//subscriptions/<sub>'."
```
Confirm REST is idempotent:
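```powershell
$token = (Get-AzAccessToken).Token
# Newer Az.Accounts releases return the token as a SecureString
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }
# ${bogusId} delimits the variable name so the following '?' is not parsed as part of it
Invoke-WebRequest -Method DELETE `
    -Uri "https://management.azure.com/subscriptions/<sub>/providers/Microsoft.Authorization/denyAssignments/${bogusId}?api-version=2024-07-01-preview" `
    -Headers @{ Authorization = "Bearer $token" } `
    -SkipHttpErrorCheck | Select-Object StatusCode
# -> 204
```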
Expected
Cmdlet returns silently when the DA does not exist (matching REST 204 idempotent behavior, and matching e.g. Remove-AzRoleAssignment behavior). Optionally: emit a verbose/warning message but do not throw.
Actual
Cmdlet throws a terminating error claiming the DA was not found, even though delete-of-missing is contractually a no-op. The error text also has a duplicate / in the scope string indicating a path-construction bug.
Impact
- Cleanup scripts and idempotent automation cannot use Remove-AzDenyAssignment without a try/catch
- Inconsistent with REST contract and with Remove-AzRoleAssignment
- Double-slash in error message indicates deeper scope-handling issue (may also affect other code paths)
Related
- *-AzDenyAssignment cmdlets: -Confirm:$false ignored; List`1 overload error after confirm
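
A workaround for cleanup automation while the cmdlet throws on a missing deny assignment, added here as an example and not part of the original issue or of the Az.Resources code: it sends the same REST DELETE as the repro through Invoke-AzRestMethod and treats 204 as success. The function name Remove-DenyAssignmentIfPresent and the scope normalization are assumptions of this example.

```powershell
# Added example; Remove-DenyAssignmentIfPresent is a hypothetical helper name.
function Remove-DenyAssignmentIfPresent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [guid]   $DenyAssignmentName,
        [Parameter(Mandatory)] [string] $Scope,
        # API version taken from the repro in the issue
        [string] $ApiVersion = '2024-07-01-preview'
    )

    # Normalize to exactly one leading slash and no trailing slash, so that
    # '/subscriptions/x', 'subscriptions/x' and '//subscriptions/x/' all
    # produce the same request path (avoids the '//subscriptions' form).
    $normalizedScope = '/' + $Scope.Trim('/')

    # ${...} keeps the '?' of the query string out of the variable name.
    $path = "$normalizedScope/providers/Microsoft.Authorization/denyAssignments/" +
            "${DenyAssignmentName}?api-version=$ApiVersion"

    if (-not $PSCmdlet.ShouldProcess($path, 'DELETE')) { return }

    $response = Invoke-AzRestMethod -Method DELETE -Path $path

    if ($response.StatusCode -in 200, 204) {
        # 204 is what the service returns for a deny assignment that does not
        # exist; either way the assignment is gone, so do not throw.
        Write-Verbose "DELETE $path returned $($response.StatusCode)."
        return
    }

    # Anything else (for example 401/403/409) is a real failure and must surface.
    throw "DELETE $path failed with HTTP $($response.StatusCode): $($response.Content)"
}

# Usage, with the values from the repro:
# Remove-DenyAssignmentIfPresent -DenyAssignmentName $bogusId -Scope "/subscriptions/<sub>" -Verbose
```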