Skip to content

Get-AzRoleAssignment no longer reports Orphaned Role Assignments in Az.Resources 9.0.1 (regression) #29311

Open
Open
Get-AzRoleAssignment no longer reports Orphaned Role Assignments in Az.Resources 9.0.1 (regression)#29311
Assignees
isra-fel
Labels
ARM - RBACInvestigate 🔍TrackingWe will track status and follow internallyact-identity-squadbugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported
Milestone
Az 15.6.0 (05/05/2026)
@mgor

Description

@mgor
mgor
opened on Mar 24, 2026

Description

This is a regression of issue #16981 which was fixed in Az.Resources 5.4.0 (PR #17167) but has returned in Az.Resources 9.0.1.

In Az.Resources < 5.1.0, Get-AzRoleAssignment properly marked deleted principals with ObjectType = 'Unknown', enabling cleanup of orphaned role assignments:

Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' } | Remove-AzRoleAssignment

This behavior was broken in 5.1.0 (Feb 2022) and fixed in 5.4.0 (Mar 2022) via PR #17167.

However, with Az.Resources 9.0.1 (released Jan 2026), orphaned role assignments are no longer marked with ObjectType = 'Unknown'.

Unclear exactly in which version it was introduced again, we jumped from 7.3.0 to 9.0.1. Hypothesis is it was introduced in 9.0.0, due to the AutoRest v4 code generator migration in Az.Resources 9.0.0 (documented in changelog as "Introduced various new features by upgrading code generator") likely regenerated the cmdlet code and lost this fix.

Steps to reproduce

  1. Create a service principal and assign it an Azure role
  2. Delete the service principal from Entra ID (role assignment remains)
  3. Query role assignments with Az.Resources 9.0.1: 
    Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' }
  4. Actual: No results (orphaned assignment not detected)
  5. Expected: Orphaned assignment returned with ObjectType = 'Unknown'

Issue script & Debug output

$orphans = Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Unknown' }
$orphans.Count() # yields 0, when via protal there are clearly "Unknown" assignments

Environment data

$PSVersionTable                   

Name                           Value
----                           -----
PSVersion                      7.5.5
PSEdition                      Core
GitCommitId                    7.5.5
OS                             Ubuntu 24.04.4 LTS
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-Installedmodule -Name Az.Resources

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
9.0.1                Az.Resources                        PSGallery            Microsoft Azure PowerShell - Azure Resource Manager and Active Directory cmdlets in Windows PowerShell and PowerShell Core.  Manages subscriptions, tenants, resource groups, deployment templates, providers, and resource permissions in Azure Resource Manager.  Provides c…

Error output

N/A

Metadata

Metadata

Assignees

Labels

ARM - RBACInvestigate 🔍TrackingWe will track status and follow internallyact-identity-squadbugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reported

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions