sql role assignment name must be a guid

Salesforce , Python , SQL , & other ways to put your data where you need it

Need event music 🎸, azure rbac role assignment faq.

03 Feb 2024 🔖 security tutorial 💬 EN

Table of Contents

The 3 components of an azure rbac role assignment, create an azure rbac role assignment, target scopes, source principal identities, combining several azure rbac role assignments to fulfill a task.

Below are a few frequently asked questions about Azure RBAC Role Assignments.

Many thanks to colleagues who helped me a lot with editing the wording when I wrote a similar document for internal training.

What is an Azure RBAC Role Assignment?

An Azure RBAC Role Assignment , not to be confused with an Entra RBAC Role Assignment , grants a given identity (that is, one that exists within Microsoft Entra ID) permission to perform specific types of actions against a specific “scope” of Azure resource(s).

In the model of access control where authentication (“proving a nonhuman is who it says it is”) and authorization (“proving a given, authenticated nonhuman is permitted to do what it is trying to do”) , an Azure RBAC Role Assignment helps solve problems related to authorization . 🔐

Microsoft Entra ID , or “Entra” for short, is the new name for what was known as “Azure Active Directory” or “AAD.”

An Azure RBAC Role Assignment is a named Azure resource whose purpose is to describe a junction of three other Azure or Entra resource IDs:

• An  Azure RBAC “role”   (whether “built-in” and maintained by Microsoft or “custom” and maintained by your company) that authorizes actions such as “write files to Azure Blob Storage.”
• (Often simply set to “/” to represent the entire Entra tenant.)
• Usually, the “principal” with Azure RBAC would represent a non-human.
• Protecting the human’s Azure RBAC Role Assignment with Entra Privileged Identity Management (“PIM”) is an excellent practice in this case.
• Consult with colleagues before requesting resource locks, because  locking resources may impede productivity in unexpected ways .
• Also note that if you are having trouble performing actions you expected to be able to perform, given your existing Azure RBAC Role Assignments, check if existing resource locks might be the obstacle.

See “ Assign Azure roles ” on Microsoft Learn.

In a corporate environment, you might not be allowed to do it yourself. Hopefully, your help desk ticketing system has a ticket type that you can open to request that an Azure RBAC Role Assignment be created/edited/deleted on your behalf.

Best practices

Follow the principle of least privilege when requesting the creation of Azure RBAC Role Assignments when choosing all 3 components (role, target scope, and principal) .

When in doubt, create more role assignments, not broader Role Assignments.

Carefully look through Microsoft’s “built-in”  Azure RBAC roles  to find the least-powerful role that can perform a necessary task. For example:

• “Website Contributor”  instead of the more powerful “Contributor” for deployment automations that need to deploy code onto Azure App Service, Azure Static Web Apps, Azure Functions, etc.
• “Data Factory Contributor”  instead of the more powerful “Contributor” for deployment automations that need to deploy Azure Data Factory configuration from a “lower” nonproduction environment into a “higher” nonproduction or production environment.
• “Storage Blob Data Reader”  instead of the more powerful “Reader” for Azure resources, deployment automations, or humans that need to read files out of Azure Blob Storage resources.
• “Storage Blob Data Contributor”  instead of the more powerful “Contributor” for Azure resources, deployment automations, or humans that need to perform “write” operations against Azure Blob Storage resources.

Once an appropriately capable Azure RBAC role has been selected, it can be assigned to work  against  the following scopes in Azure:

• Preferred when resources are stable.
• As long as capabilities are tightly scoped – e.g. “Website Contributor” – this might provide a good balance between safety and convenience if a resource group encapsulates a single workload where appropriate target Azure resources – such as Azure Functions – are constantly being added and/or removed, and waiting for RBAC role assignment against each new function would critically impede productivity.
• With a slow rate of change, however, individual resource-by-resource assignment may still be preferred for the comfort of knowing explicitly which Azure resources are targets of which Entra identities’ capabilities, rather than guessing based on each RBAC role’s documentation.
• Questions about infosec tradeoffs between the context of “least privilege” and “ease of maintenance” / “governance?” Colleagues helping you design your solution, and staff on your company’s infosec team, are excellent resources for striking the correct balance amongst various infosec concerns.
• By default, avoid this. “Subscription” is likely far too broad for common corporate approaches to grouping Azure resources .

Once an appropriately capable RBAC role and narrow target scope has been chosen, the assignment must be attached to a specific Entra identity. Examples include:

• A single Azure resource’s  System-Assigned Managed Identity (“SMI”)
• (Only when SMI is not available, and preferably using Federated Identity Credentials to log into it over OIDC if being used with Azure DevOps Pipelines or GitHub Actions code deployment automations.)
• (Either way, preferably only allowed while privileges are elevated through PIM.)

To adhere to the security principle of least privilege, more than one Azure RBAC Role Assignment may need to be created to fulfill the permissions requirements of a given workload.

For example, a workload’s design may require the creation of:

• A “ Website Contributor ” Azure RBAC Role Assignment allowing the  Entra App Registration representing a code deployment automation  to deploy code onto a  nonproduction Azure App Service  resource.
• A “ Storage Blob Data Contributor ” Azure RBAC Role Assignment allowing the  SMI of a nonproduction Azure App Service  resource to read and write against a  nonproduction Storage Blob’s  files.
• A “ Storage Blob Data Contributor ” Azure RBAC Role Assignment allowing the  Entra group ID representing humans in a certain department  to manually read and write a  nonproduction Storage Blob’s  files.
• 3 more  Azure RBAC Role Assignments  as listed above  but  scoped for production target resources .

• Top of Page

Defining RBAC Role Assignments in ARM Templates

It’s no secret I’m a big fan of Azure Resource Manager (ARM) templates. Getting started with ARM templates is hard, but well worth the effort, and make it significantly easier to have reproduceable, consistent deployments of your Azure resources.

One thing that I had been feeling left out, however, was being able to assign permissions to Azure resources during creation. Azure’s Role-based Access Control (RBAC) mechanism is a powerful way to control who can manage and access your resources, and having to do this through scripting was possible, but cumbersome at times.

A few days ago, I realized that you can actually create RBAC role assignments through ARM templates just like any other resource. This capability is not new by any means, I just had missed it before!

Creating an assignment

To create an assignment, you need the following information:

• The ID of the role you want to assign. This is a long string that contains the subscription id and the role identifier (both GUIDs).
• The object ID of the user/group/service principal you want to grant access to.
• The scope at which you want to assign the role, which is going to be either a subscription, resource group, or resource id.

Here’s an example of creating such an assignment:

Here we grant the members of an Azure Active Directory group the Monitoring Contributor built-in role to the resource group the template is deployed to.

Also interesting here is that you don’t need to specify a location property in the resource.

Some gotchas

There are a couple of things to watch out for when doing this.

The first one is that to assign a role, you need the objectId of the AAD user/group/principal, rather than the name. This is cumbersome because there’s no way to resolve these within the ARM template itself, so you’ll always need to pass these as input parameters.

A more significant issue, however, is the name of the roleAssignment resource, which needs to be a unique GUID.

This is a problem if, for example, you’re assigning role permissions at the resource group or individual resource level, rather than globally at the subscription.

For example, in my case I was creating a template that would be used to deploy multiple copies of the same resources into different resource groups within the same subscription.

If the GUID that defines the role assignment name is hardcoded in the template, then each time I ran the template, the scope of the role assignment would get overwritten with the id of the last resource group it was deployed to. Clearly, this is undesirable.

What we need then, is a way to ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time, ensure that the same one is used when deploying to the same resource group.

Clearly, providing the assignment GUID as a parameter is an easy workaround, but very cumbersome.

A better workaround comes from the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniquestring function; only this one generates a string in GUID format instead.

By using the guid function with the resource group id and some other consistent stuff as input, we can solve our problem in an elegant way:

• Azure (41) ,
• Security (2)

Tomas Restrepo

Software developer located in Colombia.

• ← Previous
• Next →

Jason Masten

A personal brain dump of information technology problems & solutions, azure deployment error “tenant id, application id, principal id, and scope are not allowed to be updated.”.

When deploying a role assignment using an ARM template, you receive the error below:

Update your role assignment name (aka GUID) to a value that hasn’t been used previously to deploy a role assignment.

Explanation

Recently I was testing out some code and it was re-used from another solution. When I went to deploy the code, in the same subscription, I received the following error: “Tenant ID, application ID, principal ID, and scope are not allowed to be updated.” The code in question contained a role assignment resource with a static GUID for the name. After testing and isolating the code, I realized the issue was the name of the role assignment resource.

Now, like me, you may make the mistake of using the “newGuid” function to name your role assignments. What could go wrong? The name is now unique now, right? Well each time you deploy your ARM template, a new GUID is created for the resource. That doesn’t work. Once you create a role assignment with a specific GUID, any updates or redeployments will require the same name, aka GUID.

In steps the “guid” function. This function uses a hash to create the GUID based on input that is provided. So, for my scenario, I provided the name of my WVD application group, which is unique across my subscription, and that guaranteed my GUID will be unique yet consistent every time I deploy this ARM template. This is the best practice for creating role assignments with ARM templates. Find a value that is unique and won’t be used elsewhere so your deployments will be idempotent.

Share this:

7 thoughts on “ azure deployment error “tenant id, application id, principal id, and scope are not allowed to be updated.” ”.

Add Comment

How do you implement the newGuid function I had read the documantation but is not clear for me… https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-string#newguid

Hi Karen, use the “guid” function, not the “newGuid” function. “guid” is idempotent and “newGuid” is not. That’s important so you can redeploy your solution if there is an error or update to the template. If you don’t care about idempotency, per the documentation you can use the “newGuid” function within an expression for the default value of a parameter. Like so: { “$schema”: “https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#”, “contentVersion”: “1.0.0.0”, “parameters”: { “guidValue”: { “type”: “string”, “defaultValue”: “[newGuid()]” } }, “resources”: [ ], “outputs”: { “guidOutput”: { “type”: “string”, “value”: “[parameters(‘guidValue’)]” } } }

Hi Jason, I’ experiencing the same problem after I redeployed my template. the error is : “details”:[{“code”:”BadRequest”,”message”:”{\r\n \”error\”: {\r\n \”code\”: \”RoleAssignmentUpdateNotPermitted\”,\r\n \”message\”: \”Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\”\r\n }\r\n}”},{“code”:”BadRequest”

I checked my template and I’m using guid function : { “type”: “Microsoft.Authorization/roleAssignments”, “apiVersion”: “2020-04-01-preview”, “name”: “[guid(‘storageBlobRoleAssignmentName’, parameters(‘storageAccountName’))]”, “dependsOn”: [ “[variables(‘eventGridDeploymentName’)]”, “[resourceId(‘Microsoft.Web/sites’, parameters(‘functionAppName’))]” ], “properties”: { “roleDefinitionId”: “[variables(‘storageBlobDataContributor’)]”, “principalId”: “[reference(resourceId(‘Microsoft.Web/sites’, parameters(‘functionAppName’)),’2019-08-01′, ‘full’).identity.principalId]”, “principalType”: “ServicePrincipal” }, “scope”: “[concat(‘Microsoft.Storage/storageAccounts’, ‘/’, parameters(‘storageAccountName’))]” },

any suggestion how to fix this error?

Al Chab, that can happen if you have an orphaned role assignment. I would validate the RBAC assignments at that scope. Delete any that that are missing the principal info.

I have a problem when assigning roles to a subscription. I have a function that set owner to a subscription. I In some subscriptions it works and in others I get the following error:

“` { “error”: { “code”: “RoleAssignmentUpdateNotPermitted”, “message”: “Tenant ID, application ID, principal ID, and scope are not allowed to be updated.” } } “`

I could not find a reason why this is happening. I using msal library in javascript.

my request is:

“` headers: { Authorization: `Bearer ${token}`, ‘Content-Type’: ‘application/json’, }

url: https://management.azure.com/subscriptions/ {subId}/providers/Microsoft.Authorization/roleAssignments/{roleIdOfOwner}?api-version=’2017-05-01′

body: { properties: { roleDefinitionId: subscriptions/{subId}/providers/Microsoft.Authorization/roleDefinitions/{roleIdOfOwner}, principalId: {principalId of the user} }

Dan, it looks like you are making a REST API call. Here is the reference for that: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest . In the URL for the REST API call, the GUID for the “roleAssignmentId” should be unique for each assignment per scope, principal, and role. That’s referenced in step 2 in the URL I provided above. If an assignment has been orphaned, the principal has been deleted but not the assignment or scope, then you should clean those up.

This issue puzzled me as I was using a guid, but is was based on the SP so when used again it failed..but your fix helped. Just wanted you to know I appreciate you!! Thank you

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications You must be signed in to change notification settings

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New-AzRoleAssignment "InvalidPrincipalId" "The Principal ID 'User' is not valid. Principal ID must be a GUID." #16627

brwilkinson commented Dec 13, 2021 • edited Loading

Successfully merging a pull request may close this issue.

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Incremental redeployment of an ARM Template with Role Assignments throws an error

If I use Azure Pipelines to do an 'Incremental' 'Resource Group' scoped deployment of an ARM template containing Role Assignments, it seems I can't rerun/redeploy the pipeline without receiving an error on the Role Assignment resource:

This looks like an obvious issue that must have a common workaround? I'm I expected to break-out the Role Assignments into a separate template, and perhaps delete and re-create the role assignments on each deployment?

• azure-pipelines
• azure-resource-manager
• azure-rm-template
• azure-service-principal

2 Answers 2

Just as you said, this is an obvious issue. For the same scope or resource, you can only assign the same role to a service principal once.

So, there is existing role assignment with the same name that you are trying to create through this template and it ends up giving the error for " RoleAssignmentUpdateNotPermitted ".

To resolve this issue, we need ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time, ensure that the same one is used when deploying to the same resource group.

We could use the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniquestring function; only this one generates a string in GUID format instead:

You could refer the document Defining RBAC Role Assignments in ARM Templates for some more details.

• 2 Thank you Leo. Just to clarify, in my case I'm deploying the identical arm template to the same resource group. The GUID is hard-coded (for testing) so the name is the same, the role is the same, the resource is the same, etc. And I still get get the above error. Are you saying I should not? –  JohnKoz Commented Feb 15, 2021 at 23:33
• @JohnKoz, Yes, According to the documentation, for the same scope or resource, you can only assign the same role to a service principal once. –  Leo Liu Commented Feb 16, 2021 at 1:44
• 1 Thanks Leo. So how would I re-run an existing pipeline without error? The "incremental" deployment mode has ignored ARM Resources if no changes were made. A CI/CD pipeline may run often without change. Should I add a step to my pipeline to delete all role assignments, so that the pipeline can re-create them? If this is the case, the "incremental" nature of a roleAssignment ARM template seems broken? –  JohnKoz Commented Feb 16, 2021 at 22:56
• FYI, i've done some additional testing and i'm not getting errors now, suggesting it may be possible. Not sure what to believe now, but I'll continue forward. I'll mark this as an answer for the helpfulness (think you). –  JohnKoz Commented Feb 17, 2021 at 12:59
• I am getting this same error now for Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments I even use the same exact settings from the ARM template and still happens. –  tank104 Commented Sep 21, 2021 at 1:30

You have asked about incremental updates, this troubleshooting article helps some of the way: https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---arm-template-role-assignment-returns-badrequest-status

But how I understand it, if you are re-creating the role assignment again with the same GUID, it will try and replace the one that is there. This is generally what we want in an incremental update. However, if any of the other 3 parameters (Tenant ID, application ID, principal ID) have changed and you use the same GUID - it will be seen as an update and you will recieve this error.

Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (code: RoleAssignmentUpdateNotPermitted)

As the error states - these properties cannot be changed.

So what if we want a different assignement, e.g. if the PrincipleID has changed for this deployment? Well then we can use a new GUID, it won't be seen as a change and a new roleAssignment will be made. (The previous one would have to be removed by another means).

If however you use a new GUID and the other 3 properties do remain the same, it will be seen as a duplicate role assignment and also throw an error!

So this is why, we should use the GUID() function to create a guid ID that is based off the other 3 parameters. This way in an incremental update, if we are re-deploying the EXACT same roleAssignment, we use the same GUID. And if we are deploying something different (e.g. the PrincipleID has changed) then we would get a new GUID and it would be seen as a new roleAssignment rather than an update.

In the Azure doc above, the example they give is this:

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged azure-pipelines azure-resource-manager azure-rm-template azure-rbac azure-service-principal or ask your own question .

• The Overflow Blog
• The evolution of full stack engineers
• One of the best ways to get value for AI coding tools: generating tests
• Featured on Meta
• Bringing clarity to status tag usage on meta sites
• Join Stack Overflow’s CEO and me for the first Stack IRL Community Event in...
• Feedback requested: How do you use tag hover descriptions for curating and do...
• Staging Ground Reviewer Motivation
• What does a new user need in a homepage experience on Stack Overflow?

Hot Network Questions

• Inertia Action on Kummer Sheaves
• Is the white man at the other side of the Joliba river a historically identifiable person?
• Why does ATSAM3X8E have two separate registers for setting and clearing bits?
• Is quantum computation effectiveness dependent on EPR non-locality?
• Do images have propositional content?
• How much does a ma'ah cost in £/$ in today's world?
• Unstable plans when two first index columns have NULL values in all rows
• Remove spaces from the 3rd line onwards in a file on linux
• Why public key is taken in private key in Kyber KEM?
• Sitecore headless on local environment experience editor facing issue
• How to create rounded arrows to highlight inflection points in a TikZ graph?
• Has anyone returned from space in a different vehicle from the one they went up in? And if so who was the first?
• How much technological progress could a group of modern people make in a century?
• Looking for the name of a possibly fictional science fiction TV show
• Advice how to prevent sin
• Wrong explanation for why "electron can't exist in the nucleus"?
• Is it possible for one wing to stall due to icing while the other wing doesn't ice?
• How cheap would rocket fuel have to be to make Mars colonization feasible (according to Musk)?
• Circuit that turns two LEDs off/on depending on switch
• What do these expressions mean in NASA's Steve Stitch's brief Starliner undocking statement?
• What is vi command package?
• Does Poincare recurrence show that Gibbs entropy is not strictly increasing?
• Could they free up a docking port on ISS by undocking the emergency vehicle and letting it float next to the station for a little while
• Paying a fine when I don't trust the recipient

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Error when deploying Arm template via console "role definition ID is not in proper GUID format"

I'm trying to deploy an Arm Template that creates a Sysadmin Role with an admin-all policy in my subscription that is linked to a specific Active Directory Group. When I run the template through deployments in the AZ portal, the template is successfully validated, but when I hit the create button to deploy the template it fails.

Here is the error code It's kicking when the deployment fails:

Here is the code section that is failing in the template:

I'm assuming that this is the code string that is causing the error, but not sure what is wrong or how to fix it?

Azure Role-based access control An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. 785 questions Sign in to follow Follow

Microsoft Entra ID A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory. 21,298 questions Sign in to follow Follow

@Azure Newb

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer . This will help us and also improve searchability for others in the community who might be researching similar information.

Try "name": "guid()” instead, this way it’ll be a valid GUID and it will also be unique every time you run the deployment.

Hi @Azure Newb ,

The error you're encountering is due to the role definition ID not being in the proper GUID format. In your ARM template, you're using the following line to generate the role definition ID:

"name": "[concat('SystemAdministratorRole-', uniqueString(resourceGroup().id))]",

To fix this issue, you should generate a proper GUID for the role assignment name. You can use the guid() function to create a deterministic GUID based on the scope, principal ID, and role ID. Here's an example from :

Replace the name field in your ARM template with the example above, and make sure to set the appropriate variables for principalId , roleDefinitionId , and principalType . This should resolve the error you're encountering.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.