Problem
When deploying a role assignment using an ARM template, you receive the error below:
```json
{
  "status": "Failed",
  "error": {
    "code": "RoleAssignmentUpdateNotPermitted",
    "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
  }
}
```
Solution
Update your role assignment name (aka GUID) to a value that hasn’t been used previously to deploy a role assignment.
Explanation
Recently I was testing some code that had been re-used from another solution. When I went to deploy the code, in the same subscription, I received the following error: “Tenant ID, application ID, principal ID, and scope are not allowed to be updated.” The code in question contained a role assignment resource with a static GUID for the name. After testing and isolating the code, I realized the issue was the name of the role assignment resource.
Now, like me, you may make the mistake of using the “newGuid” function to name your role assignments. What could go wrong? The name is unique now, right? Well, each time you deploy your ARM template, a new GUID is created for the resource. That doesn’t work. Once you create a role assignment with a specific GUID, any updates or redeployments will require the same name, aka GUID.
In steps the “guid” function. This function hashes the input you provide to create the GUID, so the same input always produces the same GUID. For my scenario, I provided the name of my WVD application group, which is unique across my subscription, and that guaranteed my GUID will be unique yet consistent every time I deploy this ARM template. This is the best practice for creating role assignments with ARM templates. Find a value that is unique and won’t be used elsewhere so your deployments will be idempotent.
How do you implement the newGuid function? I had read the documentation but it is not clear to me… https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-string#newguid
Hi Karen, use the “guid” function, not the “newGuid” function. “guid” is idempotent and “newGuid” is not. That’s important so you can redeploy your solution if there is an error or update to the template. If you don’t care about idempotency, per the documentation you can use the “newGuid” function within an expression for the default value of a parameter. Like so:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "guidValue": {
      "type": "string",
      "defaultValue": "[newGuid()]"
    }
  },
  "resources": [
  ],
  "outputs": {
    "guidOutput": {
      "type": "string",
      "value": "[parameters('guidValue')]"
    }
  }
}
```
Hi Jason, I'm experiencing the same problem after I redeployed my template. The error is:
```
"details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"RoleAssignmentUpdateNotPermitted\",\r\n \"message\": \"Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\"\r\n }\r\n}"},{"code":"BadRequest"
```
I checked my template and I'm using the guid function:
```json
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-04-01-preview",
  "name": "[guid('storageBlobRoleAssignmentName', parameters('storageAccountName'))]",
  "dependsOn": [
    "[variables('eventGridDeploymentName')]",
    "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[variables('storageBlobDataContributor')]",
    "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2019-08-01', 'full').identity.principalId]",
    "principalType": "ServicePrincipal"
  },
  "scope": "[concat('Microsoft.Storage/storageAccounts', '/', parameters('storageAccountName'))]"
},
```
Any suggestion how to fix this error?
Thank you
Al Chab, that can happen if you have an orphaned role assignment. I would validate the RBAC assignments at that scope. Delete any that are missing the principal info.
Hi
I have a problem when assigning roles to a subscription.
I have a function that sets owner on a subscription.
In some subscriptions it works and in others I get the following error:
```json
{
  "error": {
    "code": "RoleAssignmentUpdateNotPermitted",
    "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
  }
}
```
I could not find a reason why this is happening.
I'm using the msal library in JavaScript.
My request is:
```
headers: {
  Authorization: `Bearer ${token}`,
  'Content-Type': 'application/json',
}
url: https://management.azure.com/subscriptions/{subId}/providers/Microsoft.Authorization/roleAssignments/{roleIdOfOwner}?api-version='2017-05-01'
body: {
  properties: {
    roleDefinitionId: subscriptions/{subId}/providers/Microsoft.Authorization/roleDefinitions/{roleIdOfOwner},
    principalId: {principalId of the user}
  }
}
```
Thanks.
Dan, it looks like you are making a REST API call. Here is the reference for that: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest. In the URL for the REST API call, the GUID for the “roleAssignmentId” should be unique for each assignment per scope, principal, and role. That’s referenced in step 2 in the URL I provided above. If an assignment has been orphaned, the principal has been deleted but not the assignment or scope, then you should clean those up.
This issue puzzled me as I was using a guid, but it was based on the SP, so when used again it failed, but your fix helped. Just wanted you to know I appreciate you!! Thank you