az cli does not show right results

[tervoju]

[Enter feedback here]

I have given a contributor role to a sp with az cli command to a resource group and it gives me ok feedback, so that seems to work.

az role assignment create --role contributor --subscription XXX --assignee-object-id  YYY --assignee-principal-type ServicePrincipal --scope /subscriptions/XXX/resourceGroups/ZZZ

{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2023-12-15T06:12:46.154892+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/XXX/resourceGroups/ZZZ/providers/Microsoft.Authorization/roleAssignments/AAA",
  "name": "BBB,
  "principalId": "YYY",
  "principalType": "ServicePrincipal",
  "resourceGroup": "rg-edge-brightly-iot-demo-dev",
  "roleDefinitionId": "/subscriptions/XXX/providers/Microsoft.Authorization/roleDefinitions/CCC",
  "scope": "/subscriptions/XXX/resourceGroups/ZZZ",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "3009843f-679e-487d-a7fe-a0f57afd798f",
  "updatedOn": "2023-12-15T06:12:46.375892+00:00"
}

command

az role assignment list --assignee XXXXXX

gives []

if I go to azure portal, I can see that that the sp has the contributor role in that resource group

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 6b48ab37-55ef-00e1-e17a-5cf544bcfb89
• Version Independent ID: c462be7d-f10e-2df4-17ff-e490e92210e7
• Content: List Azure role assignments using Azure CLI - Azure RBAC
• Content Source: articles/role-based-access-control/role-assignments-list-cli.md
• Service: role-based-access-control
• GitHub Login: @rolyon
• Microsoft Alias: rolyon

[SaibabaBalapur-MSFT]

@tervoju Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

Hi @tervoju It seems like you have successfully assigned the "contributor" role to the service principal in the specified resource group using the Azure CLI command. However, the az role assignment list command is not returning any results for the specified assignee. This could be because the service principal has not yet propagated to the Azure Active Directory (AAD) Graph API, which is used by the Azure CLI to retrieve role assignments.

You can try running the az ad sp show command to check if the service principal has been created and propagated to AAD. If the service principal is listed, then it has been successfully created and propagated to AAD.

If the service principal is listed, you can try running the az role assignment list command again after a few minutes to see if the role assignment has propagated to the AAD Graph API.

If the service principal is not listed, you may need to wait a few minutes for the service principal to be created and propagated to AAD before running the az role assignment list command.

[ManoharLakkoju-MSFT]

@tervoju We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation