updating sql role assignment principal id is not permitted

DevOps Practices and IT Operations

Role Assignment Exists or Role Assignment Update Not Permitted

Azure role-based access control (Azure RBAC)  is the authorization system you use to manage and granting access to Azure resources. You can use Azure Resource Manager templates (JSON or Bicep) to automate the role assignments; for example Assign a user, group or service principal with ‘Contributor’, ‘Reader’ roles. You might encounter folliwing issue when you are trying to make the deployment repetitive:

When defining the template for deployment, the guid value is used for the resource name (example shows below). The template is not idempotent unless the same role name guid is provided. In this case, we just need to obtain a guid value and then assign it as the template resource name, then the issue will be resolved.

Obtain a new GUID value by running following command on PowerShell window:

Copy/paste the GUID value to the template (my example uses Bicep template below):

Note: this particular GUID value is only used for this particular role assignment, if you want to have another role assignment, then a new GUID value needs to be created.

That is all, once you assign the static GUID value, then you can repeat the deployment as many times as you would like to, the issue won’t appear again.

Reference : Assign Azure roles using Azure Resource Manager templates

Browse More ..

"Role Assignment Update Not Permitted" error while Deploying the Orchestrator from Azure Marketplace

How to solve "role assignment update not permitted" error while deploying the orchestrator from azure marketplace.

Follow the below steps to solve this issue-

• Delete Unknown roles assignments in subscription
• Delete Unknown roles assignments in RG added by previous failing deployment
• Delete certificate added by previous failing deployment in https://resources.azure.com/ > subscriptions > resourceGroups > providers/Microsoft.Web/certificates
• Add Standard_D2_v3 to allowed virtual machine SKUs policy

Related Topics

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

How to create second role assignment for an existing role

I receive an error Updating SQL Role Assignment Principal ID is not permitted. You may only update the associated Role Definition. when I'm trying to create new role assignment with existing role.

But I'm not updating role assignment, I'm creating a new one.

How to make it work?

First, already existing and deployed role assignment:

Second role assignment I'm trying to create:

Role definition:

Azure Cosmos DB An Azure NoSQL database service for app development. 1,422 questions Sign in to follow

Your code sections don't work, so pasting just as text.

Hi, @Konstantin Kulikov Welcome to Microsoft Q&A thanks for posting your question.

I understand that you are trying to create a new role assignment with an existing role in Microsoft Azure Cloud, but you have received an error message that says "Updating SQL Role Assignment Principal ID is not permitted.

Looking into the bicep you have share the principalid is different.If you are adding additional role assignments, you need to change only the role definitionid and leave the principal id the same,

Let me know if this fixes your issue. Regards

Hi, thanks for the answer.

But I want to use the same role but in another application.

Shouldn't principalId be changed then?

@Konstantin Kulikov the principal id is the identification of the user, aren't you attempting to add a role to the same principal id?

What users are you talking about?

Once again:

• there is ONE ROLE for ONE DATABASE ;
• there are TWO DIFFERENT APPLICATIONS in the same resource group. I want these TWO DIFFERENT APPLICATIONS to use the SAME ROLE for SAME DATABASE ;
• there are TWO DIFFERENT ROLE ASSIGNEMENTS for each of those applications.

Whom do you call a user?

aren't you attempting to add a role to the same principal id?

What I'm trying to do is written in the first sentence of the initial message:

I'm trying to create new role assignment with existing role

@Konstantin Kulikov I think this is the problem  

resource functionAppContributorRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {

  parent: cosmosAccount

  name: guid('functionAppContributorRole')

  properties: {

    roleDefinitionId: cosmosContributorRole.Id

    principalId: functionApp.identity.principalId

    scope: cosmosAccount.id

The one highlighted in Bold, its treating it as an update instead of creating a new one you can either not supply it or create a new name.

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RoleAssignmentUpdateNotPermitted when installing the azure template #363

hrcerqueira commented Jul 9, 2019

akshaysngupta commented Jul 12, 2019

Sorry, something went wrong.

akshaysngupta commented Aug 21, 2019

arpitjain099 commented Aug 29, 2019

snapfisher commented Feb 14, 2020

DazzaDroid commented Mar 3, 2020

Snapfisher commented mar 3, 2020.

• 👍 1 reaction

DazzaDroid commented Mar 4, 2020 • edited

Snapfisher commented mar 4, 2020 via email.

ThomasDetemmerman commented May 26, 2021 • edited

• 👍 4 reactions

johnib commented Jan 15, 2023

No branches or pull requests