I like to use VM identity to run az login and then run RBAC commands to give permissions
Assign permissions
====================================
# Object id of the Backup vault's system-assigned managed identity
spID=$(az resource list -n "$BkpVaultName" --query '[*].identity.principalId' --out tsv)
az role assignment create \
  --assignee "$spID" \
  --role 'Disk Backup Reader' \
  --scope subscriptions/5e1262c6-xxxx-xxxxxxxxx-xxxxxxxxxx/resourceGroups//providers/Microsoft.Compute/disks/
The underlying Active Directory Graph API will be replaced by Microsoft Graph API in a future version of Azure CLI. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
Failed to query $spID by invoking Graph API. If you don't have permission to query Graph API, please specify --assignee-object-id and --assignee-principal-type.
Assuming $spID as an object ID.
The client '6a602401-xxxx-xxxxxxxxx-xxxxxxxxxx' with object id '6a602401-xxxx-xxxxxxxxx-xxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/5e1262c6-xxxx-xxxxxxxxx-xxxxxxxxxx/resourceGroups//providers/Microsoft.Compute/disks//providers/Microsoft.Authorization/roleAssignments/c468f8da-xxxxx-xxxxxx-xxxxxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
The managed identity is Contributor at the subscription level.
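As an added example that is not part of the original post: a small POSIX sh helper that checks the two inputs the CLI output above complains about (the assignee object id and the scope) before the role assignment is attempted, and passes the assignee flags the CLI itself suggests so no Graph lookup is needed. The GUIDs and resource names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script. The CLI output above shows two things
# going wrong before the permission error: the literal text "$spID" reached the
# CLI (so it was "assumed" to be an object ID), and the scope contained empty
# path segments (resourceGroups//...), which ARM reports as "the scope is invalid".
# GUIDs and resource names used here are constructed placeholders.

# is_guid VALUE -> 0 if VALUE looks like an Azure GUID (object id, subscription id)
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# validate_disk_scope SCOPE -> 0 if SCOPE is a complete managed-disk resource ID
validate_disk_scope() {
  scope=$1
  case "$scope" in
    *//*)  echo "empty path segment in scope: $scope" >&2; return 1 ;;
    */)    echo "scope ends with '/', disk name missing: $scope" >&2; return 1 ;;
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/disks/*) ;;
    *)     echo "not a Microsoft.Compute/disks resource ID: $scope" >&2; return 1 ;;
  esac
  sub=${scope#/subscriptions/}; sub=${sub%%/*}
  is_guid "$sub" || { echo "subscription id is not a GUID: $sub" >&2; return 1; }
}

# build_role_assignment_cmd OBJECT_ID SCOPE -> prints the az command to run.
# --assignee-object-id and --assignee-principal-type (the flags named in the CLI
# message above) skip the Graph lookup; the signed-in identity still needs
# Microsoft.Authorization/roleAssignments/write on the scope for this to succeed.
build_role_assignment_cmd() {
  is_guid "$1" || { echo "assignee is not an object id GUID: $1" >&2; return 1; }
  validate_disk_scope "$2" || return 1
  printf "az role assignment create --assignee-object-id '%s' --assignee-principal-type ServicePrincipal --role 'Disk Backup Reader' --scope '%s'\n" "$1" "$2"
}
```

Run the printed command only after both checks pass; a literal `$spID` or a scope with an empty segment is rejected locally instead of producing the confusing CLI errors shown above.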