
[Bug]: Get-AzRoleAssignment cmdlet does not handle properly different principal GUID formats #28640

@atomassi

Description


The Get-AzRoleAssignment cmdlet lists Azure RBAC role assignments at the specified scope.
Depending on the parameters it behaves differently; see the table below.

| PowerShell Command | Resulting REST API Call |
|---|---|
| Get-AzRoleAssignment -ObjectId "<objectId>" | https://management.azure.com//subscriptions/<sub>/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '<objectId>'&api-version=2020-08-01-preview |
| Get-AzRoleAssignment -ObjectId "<objectId>" -Scope "/subscriptions/<sub>" -AtScope | https://management.azure.com//subscriptions/<sub>/providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2020-08-01-preview |
| Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957" -Scope "/" -AtScope | https://management.azure.com///providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2020-08-01-preview |
  • In the first case, filtering for the principal is done server side by Microsoft.Authorization. Any GUID format is accepted and the filter is applied correctly.
  • In the second and third cases, filtering is done client side.

The issue is that, client side, the principal is compared as a string, so the results differ depending on the principal format:

  • Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957" returns the same result as Get-AzRoleAssignment -ObjectId "87eb1e892d6f4e29a257c4d01d0f2957"
  • Get-AzRoleAssignment -ObjectId "87eb1e89-2d6f-4e29-a257-c4d01d0f2957" -Scope "/" -AtScope does not return the same result as Get-AzRoleAssignment -ObjectId "87eb1e892d6f4e29a257c4d01d0f2957" -Scope "/" -AtScope

Issue script & Debug output

PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a682236f8c44878855fe015f65164c" -Scope "/").Count             
0
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a68223-6f8c-4487-8855-fe015f65164c" -Scope "/").Count
1
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a68223-6f8c-4487-8855-fe015f65164c").Count           
1
PS /Users/atomassi> (Get-AzRoleAssignment -ObjectId "22a682236f8c44878855fe015f65164c").Count    
1

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.3
PSEdition                      Core
GitCommitId                    7.5.3
OS                             Darwin 24.6.0 Darwin Kernel Version 24.6.0: Mon Aug 11 21:16:30 PDT 2025; root:xnu-11417.140.69.701.11~1/RELEASE_ARM64_T8132
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.3.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}

Error output
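The following PowerShell is an added illustration and is not code from the issue or from the Az.Resources module. It reproduces the mechanism the report describes (a plain string comparison of the principal id in the client-side filter) next to a comparison that parses both sides as [guid], and shows the workaround of canonicalising the ObjectId before calling the cmdlet. The assignment objects, their property names and the function names are constructed for the example; only the ObjectId property is assumed to match the cmdlet's output shape.

```powershell
# Constructed sample data standing in for what the cmdlet receives from
# the atScope() call before it filters on the client side.
$assignments = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader'; ObjectId = '22a68223-6f8c-4487-8855-fe015f65164c'; Scope = '/' }
    [pscustomobject]@{ RoleDefinitionName = 'Owner';  ObjectId = '87eb1e89-2d6f-4e29-a257-c4d01d0f2957'; Scope = '/' }
)

# The behaviour the issue describes: the principal id is matched as text,
# so a dashed and an undashed spelling of the same GUID are different keys.
function Select-ByPrincipalString {
    param([object[]]$Assignments, [string]$ObjectId)
    $Assignments | Where-Object { $_.ObjectId -eq $ObjectId }
}

# Format-independent comparison: parse both sides as [guid] and compare the
# values. [guid]::TryParse accepts the dashed ("D") and undashed ("N")
# spellings, among others, so any textual form of the same id matches.
function Select-ByPrincipalGuid {
    param([object[]]$Assignments, [string]$ObjectId)
    $wanted = [guid]::Empty
    if (-not [guid]::TryParse($ObjectId, [ref]$wanted)) {
        throw "ObjectId '$ObjectId' is not a valid GUID"
    }
    $Assignments | Where-Object {
        $candidate = [guid]::Empty
        [guid]::TryParse($_.ObjectId, [ref]$candidate) -and ($candidate -eq $wanted)
    }
}

# Workaround usable with the cmdlet as it ships today: canonicalise the id
# to the lowercase dashed form the service returns, then pass that in.
function ConvertTo-CanonicalObjectId {
    param([Parameter(Mandatory)][string]$ObjectId)
    ([guid]$ObjectId).ToString()
}

$dashed   = '22a68223-6f8c-4487-8855-fe015f65164c'
$undashed = '22a682236f8c44878855fe015f65164c'

'string compare, dashed   : ' + @(Select-ByPrincipalString -Assignments $assignments -ObjectId $dashed).Count
'string compare, undashed : ' + @(Select-ByPrincipalString -Assignments $assignments -ObjectId $undashed).Count
'guid compare,   dashed   : ' + @(Select-ByPrincipalGuid   -Assignments $assignments -ObjectId $dashed).Count
'guid compare,   undashed : ' + @(Select-ByPrincipalGuid   -Assignments $assignments -ObjectId $undashed).Count

# Equivalent to the cmdlet call from the report, with the id canonicalised first:
# Get-AzRoleAssignment -ObjectId (ConvertTo-CanonicalObjectId $undashed) -Scope "/" -AtScope
```

Running the script, the string comparison finds the Reader assignment only for the dashed spelling, while the [guid] comparison finds it for both. The practical risk for a defender is the silent false negative: an access review that queries root-scope assignments with an undashed principal id gets a count of 0 and concludes the principal has no assignment there. Until the cmdlet normalises the id itself, passing it through ConvertTo-CanonicalObjectId (or `[guid]$id` directly) before the -AtScope call avoids that outcome.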

Labels: bug, customer-reported