Fix RoleAssignment ObjectType fallback for insufficient MSGraph permissions

[Copilot]

Fix RoleAssignment cmdlets to properly handle insufficient MSGraph permissions by falling back to cached principal type

Problem Fixed:
The ToPSRoleAssignment() method was incorrectly handling insufficient MSGraph permissions. When Active Directory lookup failed due to authorization denied or not found errors, it immediately set ObjectType = "Unknown" instead of following the documented priority order.

Root Cause:

• Line 101 in AuthorizationClientExtensions.cs created PSADObject with Type = UnknownType when AD lookup failed
• Line 202 in batch processing had the same issue
• This skipped the intended fallback to cached assignment.PrincipalType

Solution:

• Modified exception handling to use assignment.PrincipalType ?? UnknownType instead of immediately using UnknownType
• Applied same fix to both single assignment and batch processing methods
• Updated ChangeLog.md for Resources module
• Addressed PR feedback: reverted main ChangeLog.md and test file changes, updated code comment

Priority Order Now Correctly Implemented:

1. Live Active Directory object type (when lookup succeeds)
2. Cached principal type from assignment (fallback when lookup fails)
3. "Unknown" type (only when both above are unavailable)

Files Changed:

• src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs - Core fix
• src/Resources/Resources/ChangeLog.md - Added changelog entry

Fixes #28583.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[VeryEarly]

why you changed this file copilot?

[Copilot]

I updated the main ChangeLog.md by mistake. The change has been reverted in commit 56c9d2b.

[isra-fel]

Please revert the added test in this file as it isn't feasible to mock

[Copilot]

Reverted the test file changes in commit 56c9d2b as it wasn't feasible to mock properly.

[isra-fel]

Please revert the changes in this file as it is purely generated.

[Copilot]

Reverted the main ChangeLog.md changes in commit 56c9d2b.

[isra-fel]

Suggested change

	// fall back to cached principal type instead of immediately using "Unknown"
	// fall back to cached principal type from response,
	// then finally fall back to "Unknown"

[Copilot]

Updated the comment as suggested in commit 56c9d2b.

[isra-fel]

@copilot please address the comments

[Copilot]

@copilot please address the comments

Addressed all feedback comments in commit 56c9d2b:

• Reverted main ChangeLog.md (generated file)
• Reverted test file changes (not feasible to mock)
• Updated comment as suggested

[VeryEarly]

this test creates arbitrary value for assignment object and performs assert for these arbitrary values, does it make sense copilot?

[VeryEarly]

why you need 2 bullet points when you can do a one liner, copilot?

[Copilot]

Pull Request Overview

This PR fixes RoleAssignment cmdlets to properly handle insufficient MSGraph permissions by implementing correct fallback logic to cached principal types instead of immediately defaulting to "Unknown".

Key changes:

• Corrected the priority order for object type determination in role assignment processing
• Applied the fix to both single assignment and batch processing methods
• Added proper changelog documentation

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs	Fixed exception handling to use cached principal type fallback instead of immediately setting "Unknown" type
src/Resources/Resources/ChangeLog.md	Added changelog entry documenting the MSGraph permissions fix

[isra-fel]

/azp run azure-powershell - security-tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).