Closed
Labels
bug, customer-reported
Description
The Get-AzRoleAssignment cmdlet lists Azure RBAC role assignments at the specified scope.
Depending on the parameters, it behaves differently; see the table below.
| PowerShell Command | Resulting REST API Call | 
|---|---|
| Get-AzRoleAssignment -ObjectId "<objectId>" | https://management.azure.com//subscriptions/<sub>/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '<objectId>'&api-version=2020-08-01-preview | 
| Get-AzRoleAssignment -ObjectId "<objectId>" -Scope "/subscriptions/<sub>" -AtScope | https://management.azure.com//subscriptions/<sub>/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2020-08-01-preview | 
| Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957" -Scope "/" -AtScope | https://management.azure.com///providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2020-08-01-preview | 
- In the first case, filtering by principal is done server-side by Microsoft.Authorization. Any GUID format will be accepted and filtering will be correctly applied.
- In the second and third cases, it's done client-side.

The issue is that, client-side, the principal is compared as a string, so the results differ depending on the principal format:
- `Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957"` would return the same result as `Get-AzRoleAssignment -ObjectId "87eb1e892d6f4e29a257c4d01d0f2957"`
- `Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957" -Scope "/" -AtScope` would not return the same result as `Get-AzRoleAssignment -ObjectId "87eb1e892d6f4e29a257c4d01d0f2957" -Scope "/" -AtScope`
Issue script & Debug output

```
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a682236f8c44878855fe015f65164c" -Scope "/").Count
0
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a68223-6f8c-4487-8855-fe015f65164c" -Scope "/").Count
1
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a68223-6f8c-4487-8855-fe015f65164c").Count
1
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a682236f8c44878855fe015f65164c").Count
1
```

Environment data

```
Name                           Value
----                           -----
PSVersion                      7.5.3
PSEdition                      Core
GitCommitId                    7.5.3
OS                             Darwin 24.6.0 Darwin Kernel Version 24.6.0: Mon Aug 11 21:16:30 PDT 2025; root:xnu-11417.140.69.701.11~1/RELEASE_ARM64_T8132
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Module versions

```
ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.3.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
```

Error output
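
Added example, not part of the original issue and not Az.Resources code: it reproduces the reported mismatch on constructed data and shows a caller-side normalization that keeps an RBAC audit from silently returning zero assignments. The helper names `ConvertTo-CanonicalObjectId`, `Select-ByString` and `Select-ByGuid` and the sample rows are assumptions made for illustration.

```powershell
# Constructed sample rows standing in for the unfiltered atScope() response.
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader'; ObjectId = '22a68223-6f8c-4487-8855-fe015f65164c'; Scope = '/' }
    [pscustomobject]@{ RoleDefinitionName = 'Owner';  ObjectId = '00000000-0000-0000-0000-000000000001'; Scope = '/' }
)

# Hypothetical helper: accept any GUID spelling .NET can parse and
# return the hyphenated "D" form; reject anything that is not a GUID.
function ConvertTo-CanonicalObjectId {
    param([Parameter(Mandatory)][string]$ObjectId)
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($ObjectId, [ref]$parsed)) {
        throw "Not a valid GUID: '$ObjectId'"
    }
    $parsed.ToString('D')
}

# Filter that compares the principal as a string (the behavior the issue describes).
function Select-ByString {
    param([object[]]$Assignments, [string]$ObjectId)
    $Assignments | Where-Object { $_.ObjectId -eq $ObjectId }
}

# Filter that compares parsed GUID values, so the input format does not matter.
function Select-ByGuid {
    param([object[]]$Assignments, [string]$ObjectId)
    $wanted = [guid]::Parse($ObjectId)
    $Assignments | Where-Object { [guid]::Parse($_.ObjectId) -eq $wanted }
}

foreach ($id in '22a68223-6f8c-4487-8855-fe015f65164c', '22a682236f8c44878855fe015f65164c') {
    [pscustomobject]@{
        Input       = $id
        StringMatch = @(Select-ByString -Assignments $sample -ObjectId $id).Count
        GuidMatch   = @(Select-ByGuid   -Assignments $sample -ObjectId $id).Count
        Canonical   = ConvertTo-CanonicalObjectId -ObjectId $id
    }
}

# Caller-side workaround on affected versions: normalize before querying, e.g.
#   Get-AzRoleAssignment -ObjectId (ConvertTo-CanonicalObjectId $id) -Scope '/'
```

An access review that takes object IDs from another system (CSV export, log field, API response) should normalize them this way and treat a zero count as "no assignments" only after doing so.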