Error when creating role assignment directly after managed identity #32943
Description
Describe the bug
When a managed identity is just recently created, assigning role assignments to it may fail with an error.
Related command
az webapp identity assign, az role assignment create
Errors
Cannot find user or service principal in graph database for '...'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id...'
Issue script & Debug output
In Windows PowerShell:
$subscriptionId = az account list --query "[?isDefault].id" --output tsv
$managedIdentity = az webapp identity assign --resource-group $ResourceGroupName --name $AppServiceName --debug | ConvertFrom-Json -Depth 100
DEBUG: cli.knack.cli: Command arguments: ['webapp', 'identity', 'assign', '--resource-group', 'gsmol-dm365-core', '--name', 'metashare1812', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000015A81185300>, <function OutputProducer.on_global_arguments at 0x0000015A8173E8E0>, <function CLIQuery.on_global_arguments at 0x0000015A81780860>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'webapp': ['azure.cli.command_modules.appservice', 'azure.cli.command_modules.serviceconnector']
DEBUG: cli.azure.cli.core: Loading command modules...
DEBUG: cli.azure.cli.core: Loaded command modules in parallel:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: serviceconnector 0.076 20 331
DEBUG: cli.azure.cli.core: appservice 0.369 88 299
DEBUG: cli.azure.cli.core: Total (2) 0.370 108 630
DEBUG: cli.azure.cli.core: Loaded 106 groups, 630 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : webapp identity assign
DEBUG: cli.azure.cli.core: Command table: webapp identity assign
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000015A83F21080>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\gsmol\.azure\commands\2026-03-09.18-34-24.webapp_identity_assign.3732.log'.
INFO: az_command_data_logger: command args: webapp identity assign --resource-group {} --name {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0000015A83F6EDE0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0000015A83F99120>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0000015A83F99300>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x0000015A83F993A0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000015A8173E980>, <function CLIQuery.handle_query_parameter at 0x0000015A81780900>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0000015A83F991C0>]
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\gsmol\\.azure\\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\gsmol\.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 8b18ed5e-dd17-449a-ab4e-9e9c9296d887
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourceGroups/gsmol-dm365-core/providers/Microsoft.Web/sites/metashare1812?api-version=2024-11-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '37146855-1bde-11f1-bbba-846993532970'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp identity assign'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.84.0 (MSI) azsdk-python-core/1.38.0 Python/3.13.11 (Windows-11-10.0.26100-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourceGroups/gsmol-dm365-core/providers/Microsoft.Web/sites/metashare1812?api-version=2024-11-01 HTTP/1.1" 200 8725
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '8725'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'ETag': '1DCAFEAF541A3C0'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '364b4fd7-14a0-4aff-977a-e1aa8a83c681'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '5ad91afd-e7df-4bbc-9313-57041524f72b'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SWEDENCENTRAL:20260309T173424Z:5ad91afd-e7df-4bbc-9313-57041524f72b'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: B182FBD7E4E44A4FBF05034FAA3C177C Ref B: GVX021062311034 Ref C: 2026-03-09T17:34:24Z'
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 09 Mar 2026 17:34:24 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=WebSiteManagementClient
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274
DEBUG: msal.application: Broker enabled? True
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 079f6760-16f5-4c3a-84ba-85617fcbaac5
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourceGroups/gsmol-dm365-core/providers/Microsoft.Web/sites/metashare1812?api-version=2024-11-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'PUT'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '1487'
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '37146855-1bde-11f1-bbba-846993532970'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'webapp identity assign'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.84.0 (MSI) azsdk-python-core/1.38.0 Python/3.13.11 (Windows-11-10.0.26100-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: {"kind": "app,linux", "location": "Sweden Central", "identity": {"type": "SystemAssigned"}, "properties": {"enabled": true, "hostNameSslStates": [{"name": "metashare1812.azurewebsites.net", "sslState": "Disabled", "hostType": "Standard"}, {"name": "metashare1812.scm.azurewebsites.net", "sslState": "Disabled", "hostType": "Repository"}], "serverFarmId": "/subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourceGroups/gsmol-dm365-core/providers/Microsoft.Web/serverfarms/metashare0832", "reserved": true, "isXenon": false, "hyperV": false, "dnsConfiguration": {}, "outboundVnetRouting": {"allTraffic": false, "applicationTraffic": false, "contentShareTraffic": false, "imagePullTraffic": false, "backupRestoreTraffic": false}, "siteConfig": {"numberOfWorkers": 1, "linuxFxVersion": "DOTNETCORE|8.0", "acrUseManagedIdentityCreds": false, "alwaysOn": true, "http20Enabled": true, "functionAppScaleLimit": 0, "minimumElasticInstanceCount": 1}, "scmSiteAlsoStopped": false, "clientAffinityEnabled": true, "clientAffinityProxyEnabled": false, "clientCertEnabled": false, "clientCertMode": "Required", "ipMode": "IPv4", "endToEndEncryptionEnabled": false, "hostNamesDisabled": false, "customDomainVerificationId": "12E8BD9FD0827B643FAB29A70EACFD9B1EEB635CB41CE8C2223A0FF14C0ACC75", "containerSize": 0, "dailyMemoryTimeQuota": 0, "httpsOnly": true, "redundancyMode": "None", "publicNetworkAccess": "Enabled", "storageAccountRequired": false, "keyVaultReferenceIdentity": "SystemAssigned"}}
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourceGroups/gsmol-dm365-core/providers/Microsoft.Web/sites/metashare1812?api-version=2024-11-01 HTTP/1.1" 200 9074
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '9074'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'ETag': '"1DCAFEAF541A3C0"'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '346a678c-d529-4891-b99d-891f5b8ba7ca'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-AspNet-Version': '4.0.30319'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Powered-By': 'ASP.NET'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=67a9601a-bcae-4b5d-bc95-d5eb01f91274,objectId=68fc4506-9507-4396-b16f-989d431daa85/swedencentral/88d79736-7c26-4b37-bd17-ba40fb79719b'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-resource-requests': '799'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'dd2dfd03-da17-4fed-87b4-7461ca07f41a'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'SWEDENCENTRAL:20260309T173428Z:dd2dfd03-da17-4fed-87b4-7461ca07f41a'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 6D4B857D13EF40A79F65376E4CA56577 Ref B: GVX211060218025 Ref C: 2026-03-09T17:34:25Z'
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 09 Mar 2026 17:34:28 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: Body is streamable
DEBUG: cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x0000015A83F6E660>, <function _x509_from_base64_to_hex_transform at 0x0000015A83F6E700>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnFilterResult []
DEBUG: cli.knack.cli: Event: Cli.SuccessfulExecute []
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000015A83F21300>]
INFO: az_command_data_logger: exit code: 0
INFO: cli.__main__: Command ran in 5.459 seconds (init: 0.250, invoke: 5.209)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3970 in cache file under C:\Users\gsmol\.azure\telemetry\20260309183429855
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\gsmol\.azure C:\Users\gsmol\.azure\telemetry\20260309183429855"
INFO: telemetry.process: Return from creating process 18256
INFO: telemetry.main: Finish creating telemetry upload process.
az role assignment create --role "Key Vault Certificate User" --assignee $managedIdentity.principalId --scope "/subscriptions/$subscriptionId/resourcegroups/$ResourceGroupName" --debug
cli.knack.cli: Command arguments: ['role', 'assignment', 'create', '--role', 'Key Vault Certificate User', '--assignee', '38f3d1d5-7f7d-4df8-b2e7-770dc541bf85', '--scope', '/subscriptions/37b0620f-7e91-4402-ada5-e7f21e8b6354/resourcegroups/gsmol-dm365-core', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000021B08065300>, <function OutputProducer.on_global_arguments at 0x0000021B0821A8E0>, <function CLIQuery.on_global_arguments at 0x0000021B08260860>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.006 17 62
cli.azure.cli.core: Total (1) 0.007 17 62
cli.azure.cli.core: Loaded 17 groups, 62 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : role assignment create
cli.azure.cli.core: Command table: role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000021B0AD01080>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\gsmol\.azure\commands\2026-03-09.18-34-32.role_assignment_create.20964.log'.
az_command_data_logger: command args: role assignment create --role {} --assignee {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0000021B0AD4ADE0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0000021B0AD7D120>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0000021B0AD7D300>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x0000021B0AD7D3A0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000021B0821A980>, <function CLIQuery.handle_query_parameter at 0x0000021B08260900>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0000021B0AD7D1C0>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\gsmol\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\gsmol\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274
msal.application: Broker enabled? True
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 402f9288-28bf-4eba-aa75-6f695c5a06c5
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%2738f3d1d5-7f7d-4df8-b2e7-770dc541bf85%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.13.11 (Windows-11-10.0.26100-SP0) AZURECLI/2.84.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'f4eb9ce2-7fec-4251-bbca-ee28e686251c'
cli.azure.cli.core.util: 'CommandName': 'role assignment create'
cli.azure.cli.core.util: 'ParameterSetName': '--role --assignee --scope --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%2738f3d1d5-7f7d-4df8-b2e7-770dc541bf85%27%29 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'a8a429b6-29fd-4eda-831e-0eeaf71ec446'
cli.azure.cli.core.util: 'client-request-id': 'a8a429b6-29fd-4eda-831e-0eeaf71ec446'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"GVX0EPF00004C04"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '1'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Mon, 09 Mar 2026 17:34:30 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals","value":[]}
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274
msal.authority: openid_config("https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/67a9601a-bcae-4b5d-bc95-d5eb01f91274/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 
'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 9d9bd3de-31cc-4f45-a51c-d4a567b71cab
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds'
cli.azure.cli.core.util: Request method: 'POST'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.13.11 (Windows-11-10.0.26100-SP0) AZURECLI/2.84.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'e6258048-0239-4f3e-8321-5b39faeac53d'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'CommandName': 'role assignment create'
cli.azure.cli.core.util: 'ParameterSetName': '--role --assignee --scope --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: 'Content-Length': '132'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: {"ids": ["38f3d1d5-7f7d-4df8-b2e7-770dc541bf85"], "types": ["user", "group", "servicePrincipal", "directoryObjectPartnerReference"]}
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/directoryObjects/getByIds HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Location': 'https://graph.microsoft.com'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '4c88f153-ebcc-4baf-a058-78f15e34f0ab'
cli.azure.cli.core.util: 'client-request-id': '4c88f153-ebcc-4baf-a058-78f15e34f0ab'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Sweden Central","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"GVX0EPF0002F052"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '3'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Mon, 09 Mar 2026 17:34:31 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[]}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 682, in execute
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 812, in _run_jobs_serially
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 781, in _run_job
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 185, in create_role_assignment
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1540, in _resolve_object_id_and_type
knack.util.CLIError: Cannot find user or service principal in graph database for '38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id 38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'.
cli.azure.cli.core.azclierror: Cannot find user or service principal in graph database for '38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id 38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'.
az_command_data_logger: Cannot find user or service principal in graph database for '38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id 38f3d1d5-7f7d-4df8-b2e7-770dc541bf85'.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000021B0AD01300>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.176 seconds (init: 0.265, invoke: 0.911)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4242 in cache file under C:\Users\gsmol\.azure\telemetry\20260309183433143
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\gsmol\.azure C:\Users\gsmol\.azure\telemetry\20260309183433143"
telemetry.process: Return from creating process 22872
telemetry.main: Finish creating telemetry upload process.
Expected behavior
If a command that creates a service principal completes without errors, I expect the next command to be able to use it.
Environment Summary
azure-cli 2.84.0
core 2.84.0
telemetry 1.1.0
Dependencies:
msal 1.35.0b1
azure-mgmt-resource 24.0.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\gsmol.azure'
Extensions directory 'C:\Users\gsmol.azure\cliextensions'
Python (Windows) 3.13.11 (tags/v3.13.11:6278944, Dec 5 2025, 16:26:58) [MSC v.1944 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
You can work around the issue by continuously retrying. See example below.
However, I don't believe this is something that authors of deployment scripts should have to manage themselves. A couple of possible solutions:
- Commands that create service principals should internally wait until they are created
- Commands that require service principals should internally retry for some time before failing if error indicates that service principal is not in database
- Service side async pattern support where it tells the client where the current status of the service principal provisioning can be found ('Location' and 'Retry-after' headers) can optimize 1 and 2
az webapp deploy has a similar feature where it polls until the app is confirmed to be running. This is good for any post deploy scripts that may want to interact with the app.
$subscriptionId = az account list --query "[?isDefault].id" --output tsv
$managedIdentity = az webapp identity assign --resource-group $ResourceGroupName --name $AppServiceName | ConvertFrom-Json -Depth 100
$roleAssignment = $null
while ($null -eq $roleAssignment) {  # a failed call writes nothing to stdout, so the variable stays $null
    Start-Sleep -Seconds 5  # wait before each attempt, including the first
    $roleAssignment = az role assignment create --role "Key Vault Certificate User" --assignee $managedIdentity.principalId --scope "/subscriptions/$subscriptionId/resourcegroups/$ResourceGroupName"
}
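
A bounded version of the retry workaround above, as an added example (not code from the issue author or the Azure CLI project). It retries only on the error text quoted in this issue and fails at once on anything else, so a permanent failure such as a missing permission is not hidden by the loop. The function name, attempt count and delays are assumptions.

```powershell
# Added example, not from the issue or the Azure CLI project.
# New-RoleAssignmentWithRetry and its default values are hypothetical.
function New-RoleAssignmentWithRetry {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $Role,
        [Parameter(Mandatory)] [string] $Scope,
        [int] $MaxAttempts = 6,
        [int] $InitialDelaySeconds = 5,
        [int] $MaxDelaySeconds = 60
    )

    # Error text quoted in the issue; only this failure is treated as transient.
    $transient = 'Cannot find user or service principal in graph database'
    $delay = $InitialDelaySeconds

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Merge stderr into the pipeline, then split it back out by record type.
        $all = az role assignment create --role $Role --assignee $PrincipalId --scope $Scope --output json 2>&1
        $exitCode = $LASTEXITCODE
        $isErr = { $_ -is [System.Management.Automation.ErrorRecord] }
        $stderr = ($all | Where-Object $isErr | ForEach-Object { "$_" }) -join "`n"
        $stdout = ($all | Where-Object { -not (& $isErr) }) -join "`n"

        if ($exitCode -eq 0) {
            return ($stdout | ConvertFrom-Json)
        }
        if ($stderr -notmatch [regex]::Escape($transient)) {
            # Authorization failures, bad scopes, unknown roles: retrying will not help.
            throw "az role assignment create failed (exit $exitCode): $stderr"
        }
        if ($attempt -eq $MaxAttempts) { break }

        Write-Warning "Principal $PrincipalId not found in Graph yet (attempt $attempt of $MaxAttempts); retrying in $delay s."
        Start-Sleep -Seconds $delay
        $delay = [Math]::Min($delay * 2, $MaxDelaySeconds)   # exponential backoff with a cap
    }
    throw "Principal $PrincipalId still not resolvable after $MaxAttempts attempts."
}

# Same variables as the script in the issue.
$subscriptionId = az account list --query "[?isDefault].id" --output tsv
$managedIdentity = az webapp identity assign --resource-group $ResourceGroupName --name $AppServiceName | ConvertFrom-Json
$roleAssignment = New-RoleAssignmentWithRetry -PrincipalId $managedIdentity.principalId `
    -Role 'Key Vault Certificate User' `
    -Scope "/subscriptions/$subscriptionId/resourcegroups/$ResourceGroupName"
```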