adjust scope for RBAC assignment to resource group

BradleyBartlett · BradleyBartlett · commit 349d21f912dd · 2017-08-21T13:39:11.000-07:00
diff --git a/Registration/RegisterWithAzure.ps1 b/Registration/RegisterWithAzure.ps1
@@ -343,6 +343,13 @@ try
     if (-not $roleAssignments -or (-not $customRoleAssigned))
     {
         $customRoleDefined = Get-AzureRmRoleDefinition -Name $customRoleName
+
+        if ($customRoleDefined)
+        {
+            $customRoleDefined.AssignableScopes.Clear()
+            $customRoleDefined.AssignableScopes.Add("/subscriptions/$($registrationResource.SubscriptionId)/resourceGroups/$($registrationResource.ResourceGroupName)")
+        }
+
         if (-not $customRoleDefined)
         {
             # Create new RBAC role definition
@@ -354,7 +361,7 @@ try
             $role.Actions.Add('Microsoft.AzureStack/registrations/products/listDetails/action')
             $role.Actions.Add('Microsoft.AzureStack/registrations/products/read')            
             $role.AssignableScopes.Clear()
-            $role.AssignableScopes.Add("/subscriptions/$($registrationResource.SubscriptionId)/resourceGroups/$($registrationResource.ResourceGroupName)/providers/Microsoft.AzureStack/registrations/$($RegistrationName)")
+            $role.AssignableScopes.Add("/subscriptions/$($registrationResource.SubscriptionId)/resourceGroups/$($registrationResource.ResourceGroupName)")
             New-AzureRmRoleDefinition -Role $role
         }
         New-AzureRmRoleAssignment -Scope "/subscriptions/$($registrationResource.SubscriptionId)/resourceGroups/$($registrationResource.ResourceGroupName)/providers/Microsoft.AzureStack/registrations/$($RegistrationName)" -RoleDefinitionName $customRoleName -ObjectId $servicePrincipal.ObjectId         
