Open
Description
I need to assign a role to an objectId with a scope that is not a resource group.
I got the following error because the scope has no resource group in its path:
New-AzRoleAssignment: Scope '/subscriptions/<subid>/providers/Microsoft.DocumentDB/locations/westeurope/restorableDatabaseAccounts/<dbaccountid>' should begin with '/subscriptions/<subid>/resourceGroups'.
Subid and dbaccount id are part of my scope.
I would like to assign the role CosmosRestoreOperator. This is a role that cannot be assigned on a scope with a resource group.
I looked at the implementation and there was a verification that "resourcegroups" is needed in the scope path.
Issue script & Debug output
New-AzRoleAssignment -ObjectId xxx -RoleDefinitionId 5432c526-bc82-444a-b7ba-57c5b0b5b34f -Scope "/subscriptions/xxxxx/providers/Microsoft.DocumentDB/locations/westeurope/restorableDatabaseAccounts/xxxxx"
Environment data
Name Value
---- -----
PSVersion 7.3.4
PSEdition Core
GitCommitId 7.3.4
OS Microsoft Windows 10.0.19045
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.12.1 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script 1.9.1 Az.CosmosDB {Get-AzCosmosDBAccount, Get-AzCosmosDBAccountKey, Get-AzCosmosDBCassandraKeyspace, Get-AzCosmosDBCassandraKeyspaceThroughput…}
Script 6.3.0 Az.RecoveryServices {Add-AzRecoveryServicesAsrReplicationProtectedItemDisk, Backup-AzRecoveryServicesBackupItem, Copy-AzRecoveryServicesVault, Disable-A…
Script 6.5.3 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
Error output
Message : Scope '/subscriptions/xxxxxxxxxxxxxxx/providers/Microsoft.DocumentDB/locations/westeurope/restorableDatabaseAccounts/xxxxxxxxxxxxxxxxxxxx' should
begin with '/subscriptions/<subid>/resourceGroups'.
StackTrace : at Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient.ValidateScope(String scope, Boolean allowEmpty)
at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.ArgumentException
InvocationInfo : {New-AzRoleAssignment}
Line : New-AzRoleAssignment -ObjectId xxxxxxxxxxxxxxx -RoleDefinitionId 5432c526-bc82-444a-b7ba-57c5b0b5b34f -Scope
"/subscriptions/xxxxxxxxxxxxxxxxxxxx/providers/Microsoft.DocumentDB/locations/westeurope/restorableDatabaseAccounts/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Position : At line:1 char:1
+ New-AzRoleAssignment -ObjectId xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - …
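
The stack trace shows the ArgumentException is thrown by the cmdlet's own ValidateScope call. The following is an added example, not code from the issue or from the Az project: it creates the same assignment through the ARM role assignments REST API with Invoke-AzRestMethod and reads it back. It assumes an existing Connect-AzAccount session and that the service accepts this scope for the role; the subscription, account and object ids are placeholders.

```powershell
# Added workaround sketch. Placeholder values below must be replaced; they are not from the issue.
$subscriptionId = '<subid>'        # placeholder
$instanceId     = '<dbaccountid>'  # placeholder: restorable database account id
$principalId    = '<objectid>'     # placeholder: object id of the principal
$roleGuid       = '5432c526-bc82-444a-b7ba-57c5b0b5b34f'  # role definition id used in the issue

# Same scope shape as in the issue: a provider-level scope without a resource group segment.
$scope = "/subscriptions/$subscriptionId/providers/Microsoft.DocumentDB" +
         "/locations/westeurope/restorableDatabaseAccounts/$instanceId"

# Role assignment names are caller-chosen GUIDs.
$assignmentName = (New-Guid).Guid
$apiVersion     = '2022-04-01'
$putPath = "$scope/providers/Microsoft.Authorization/roleAssignments/${assignmentName}" +
           "?api-version=$apiVersion"

$body = @{
    properties = @{
        roleDefinitionId = "/subscriptions/$subscriptionId/providers/" +
                           "Microsoft.Authorization/roleDefinitions/$roleGuid"
        principalId      = $principalId
    }
} | ConvertTo-Json -Depth 3

# Send the request directly to ARM, bypassing the cmdlet's scope validation.
$response = Invoke-AzRestMethod -Method PUT -Path $putPath -Payload $body
if ($response.StatusCode -notin 200, 201) {
    throw "Role assignment failed ($($response.StatusCode)): $($response.Content)"
}

# Read back the assignments at exactly this scope and confirm the principal and role.
$listPath = "$scope/providers/Microsoft.Authorization/roleAssignments" +
            "?api-version=$apiVersion&`$filter=atScope()"
$list = Invoke-AzRestMethod -Method GET -Path $listPath
($list.Content | ConvertFrom-Json).value |
    Where-Object { $_.properties.principalId -eq $principalId } |
    Select-Object name,
        @{ n = 'scope'; e = { $_.properties.scope } },
        @{ n = 'role';  e = { $_.properties.roleDefinitionId } }
```

The read-back step is worth keeping in any script that grants access: it confirms the assignment landed on the narrow restorable-account scope and not on a broader one.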