Why Can't I See Roles Assigned to an App Registration in Azure?
I created an Azure App Registration using the following command:
az ad sp create-for-rbac --name "my-app"
I assigned a role to it using:
az role assignment create --assignee <APP_ID> --role "Reader" --scope /subscriptions/<SUBSCRIPTION_ID>
I also deleted some roles using:
az role assignment delete --assignee <APP_ID> --role "Reader" --scope /subscriptions/<SUBSCRIPTION_ID>
However, when I try to list the roles assigned to the app registration using any of the following:
- Application ID:
az role assignment list --assignee <APP_ID> - Object ID:
az role assignment list --assignee <OBJECT_ID> - App Name:
az role assignment list --assignee "my-app"
None of them return any results.
What I've Tried:
- Confirmed that the Application ID, Object ID, and app name are correct and match the app registration details.
Questions:
- How can I reliably view the roles assigned to my app registration?
- Are there any other commands or troubleshooting steps to debug this issue?
Any guidance would be greatly appreciated!
Registered an application using below CLI command:
az ad sp create-for-rbac --name "<application-name>"
Note: Ensure you should have active Subscription and sufficient permission like (Owner or User Access Administrator) role assigned on the scope(i.e Subscription Level) where you want to assign the role.
Assigned Reader role to application at the scope of Subscription Level:
az role assignment create --assignee <APP_ID> --role "Reader" --scope /subscriptions/<SUBSCRIPTION_ID>
After assigning the Reader role to application, I've verified this same from Azure Portal under Access Control (IAM) tab of Subscription as well.
After verifying from above, I try to list the roles assigned to application using below Azure CLI command:
az role assignment list --assignee <Application-id or Object-Id of application>
UPDATE:
To list the all role assignment under your subscription:
az role assignment list --all
If still issue persist, reassign the Reader role to registered application and run the CLI command for listing the roles assigned to application
Reference:
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions