
Allow removal of role assignment condition #29517

Open
rsegers wants to merge 2 commits into Azure:main from rsegers:patch-1


@rsegers rsegers commented May 6, 2026

Description

Currently it is not possible to remove a condition on a role assignment.

Consider an existing role assignment with a condition with the intention to remove the condition:

$role = Get-AzRoleAssignment -ObjectId <guid> -RoleDefinitionName 'Role Based Access Administrator'
$role.Condition = $null; $role.ConditionVersion = $null
$role | Set-AzRoleAssignment

This yields the following error: Set-AzRoleAssignment: Condition version different than '2.0' is not supported for update operations

Removing the condition is possible when setting both Condition and ConditionVersion to $null or an empty string.

Mandatory Checklist

  • SHOULD update ChangeLog.md file(s) appropriately
    • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
      • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
    • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
  • SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
  • SHOULD have proper test coverage for changes in pull request.
  • SHOULD NOT adjust version of module manually in pull request

Copilot AI review requested due to automatic review settings May 6, 2026 11:33
@azure-client-tools-bot-prd

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

@rsegers
Author

rsegers commented May 6, 2026

@microsoft-github-policy-service agree

@microsoft-github-policy-service
Contributor

Thank you for your contribution @rsegers! We will review the pull request and get back to you soon.

Contributor

Copilot AI left a comment


Pull request overview

This PR updates the Az.Resources Set-AzRoleAssignment cmdlet implementation to support removing an existing role assignment condition by allowing both Condition and ConditionVersion to be cleared, matching documented Azure RBAC behavior.

Changes:

  • Allowed clearing both Condition and ConditionVersion without triggering the “cannot downgrade” condition-version validation.
  • Added an Az.Resources changelog entry describing the user-facing behavior change.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/Resources/Resources/RoleAssignments/SetAzureRoleAssignmentCommand.cs | Adjusted condition-version downgrade validation to permit condition removal (both condition fields cleared). |
| src/Resources/Resources/ChangeLog.md | Documented the behavior change for Set-AzRoleAssignment under “Upcoming Release”. |

Comment on lines 122 to 130
var oldConditionVersion = string.IsNullOrWhiteSpace(fetchedRole.ConditionVersion)? Version.Parse("0.0") : Version.Parse(fetchedRole.ConditionVersion);
var newConditionVersion = string.IsNullOrWhiteSpace(InputObject.ConditionVersion) ? Version.Parse("0.0") : Version.Parse(InputObject.ConditionVersion);
var emptyCondition = string.IsNullOrWhiteSpace(InputObject.ConditionVersion) && string.IsNullOrWhiteSpace(InputObject.Condition);

// A condition version can change but currently we don't support downgrading to 1.0
// we only verify the change if it's a downgrade
if ((oldConditionVersion > newConditionVersion) && (newConditionVersion.Major < 2))
// we only verify the change if it's a downgrade. Removal of condition is allowed
if ((oldConditionVersion > newConditionVersion) && (newConditionVersion.Major < 2) && !emptyCondition)
{
throw new ArgumentException("Condition version different than '2.0' is not supported for update operations");
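Review bot: the `!emptyCondition` exemption added to the downgrade check has no test behind it; the PR touches only SetAzureRoleAssignmentCommand.cs and ChangeLog.md, while the checklist asks for test coverage. Clearing a condition lifts a restriction on the role assignment, so this branch deserves explicit cases: both `Condition` and `ConditionVersion` empty on an assignment that had a 2.0 condition must pass, and `ConditionVersion` empty with `Condition` still set must keep throwing. For that second case the message "Condition version different than '2.0' is not supported for update operations" gives no hint that clearing both fields is the supported way to remove the condition; consider saying so in the exception text.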
Comment on lines 21 to +22
## Upcoming Release
* Allow `Set-AzRoleAssignment` to delete conditions from a role assignment
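Review bot: the added entry is in the imperative ("Allow ..."), but the checklist in this PR asks for ChangeLog snippets under ## Upcoming Release in the past tense. Suggest also naming the input that triggers the behavior, for example: Allowed `Set-AzRoleAssignment` to remove the condition from a role assignment when both `Condition` and `ConditionVersion` are cleared.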
Contributor


@rsegers, please update the line based on Copilot's comment.

@YanaXu
Contributor

YanaXu commented May 7, 2026

/azp run

@azure-pipelines
Contributor

Azure Pipelines successfully started running 3 pipeline(s).

