Create roleAssignment fails with error "Tenant ID, application ID, principal ID, and scope are not allowed to be updated"

  • Question

  • I try to create a roleAssignment for my servicePrincipal in the scope of subscriptions. I use a token which is owned by a Global Admin of the Azure AD, this user is also subscriptions-Owner of the targeted subscriptions. 

    When I call 

    PUT https://management.azure.com/subscriptions/###...###/providers/Microsoft.Authorization/roleAssignments/##..roleId..##?api-version=2015-07-01 

    It works well for the first subscription, the second call gets the following error

      "error": {
        "code": "RoleAssignmentUpdateNotPermitted",
        "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."

    This then happens with all subscriptions. When I remove the roleAssignment in Azure Management Portal which was created in the first call, it works after a couple of seconds (I guess 30 up to 60) with a different subscription. 

    I don't understand how to assign the Reader for my servicePrincipal for all Subscriptions a user has "Write" access to?

    Wednesday, December 23, 2015 7:10 AM

All replies

  • Hello,

    We are researching the query and will get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Wednesday, December 23, 2015 2:36 PM
  • Hello Neelesh,

    Did you find something regarding this? The Azure Management Portal allows me to do this manually, so I guess there must be a trick or something I do wrong using the API.


    Wednesday, December 30, 2015 7:02 PM
  • Hi Dirk,

    The error occurs if the ##..roleId..## part in the URL:

    PUT https://management.azure.com/subscriptions/###...###/providers/Microsoft.Authorization/roleAssignments/##..roleId..##?api-version=2015-07-01

    is not unique. Make sure you pass a unique GUID for every new role assignment.



    Wednesday, June 22, 2016 4:29 PM
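
The fix described in the last reply, as an added example that is not code from the thread or from Microsoft: it builds one PUT per subscription, each with its own role assignment GUID in the URL. It goes one step beyond the reply by deriving the GUID deterministically (UUIDv5) from scope, principal and role, so a re-run produces the same name for the same assignment instead of a fresh one. The function names and sample IDs are assumptions made for illustration, and the requests are only built, not sent.

```python
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # API version used in the thread
# Built-in "Reader" role definition ID
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def assignment_name(scope, principal_id, role_definition_id):
    """Return a GUID that is unique per (scope, principal, role) triple.

    UUIDv5 is deterministic: the same triple always yields the same name,
    while a different subscription yields a different one.
    """
    key = "|".join(p.lower() for p in (scope, principal_id, role_definition_id))
    return str(uuid.uuid5(uuid.NAMESPACE_URL, key))


def build_put(subscription_id, principal_id, role_id=READER_ROLE_ID):
    """Build (but do not send) the roleAssignments PUT for one subscription."""
    scope = f"/subscriptions/{subscription_id}"
    role_def = f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}"
    name = assignment_name(scope, principal_id, role_def)
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/"
           f"roleAssignments/{name}?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_def,
                           "principalId": principal_id}}
    return {"method": "PUT", "url": url, "name": name, "body": body}


def plan_assignments(subscription_ids, principal_id):
    """Build requests for all subscriptions and refuse any reused name,
    which is what triggers RoleAssignmentUpdateNotPermitted."""
    requests = [build_put(s, principal_id) for s in subscription_ids]
    names = [r["name"] for r in requests]
    if len(set(names)) != len(names):
        raise ValueError("duplicate role assignment name in batch")
    return requests


if __name__ == "__main__":
    # Constructed sample IDs, not real subscriptions or principals.
    subs = ["11111111-1111-1111-1111-111111111111",
            "22222222-2222-2222-2222-222222222222"]
    sp = "33333333-3333-3333-3333-333333333333"
    for req in plan_assignments(subs, sp):
        print(req["method"], req["url"])
```

Send each request with the same bearer token as before; only the GUID after `roleAssignments/` changes between subscriptions.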