fill-principal-name

Author: jiasli

src/azure-cli/azure/cli/command_modules/role/_help.py

@@ -800,6 +800,8 @@
     text: az role assignment list --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000
   - name: List all role assignments of an assignee at the subscription scope.
     text: az role assignment list --assignee 00000000-0000-0000-0000-000000000000 --scope /subscriptions/00000000-0000-0000-0000-000000000000
+  - name: List all role assignments with "Reader" role at the subscription scope, without filling principalName property
+    text: az role assignment list --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000 --fill-principal-name false
 """
 
 helps['role assignment list-changelogs'] = """

src/azure-cli/azure/cli/command_modules/role/_params.py

@@ -337,6 +337,14 @@ def load_arguments(self, _):
         c.argument('assignment_name', name_arg_type,
                    help='A GUID for the role assignment. It must be unique and different for each role assignment. If omitted, a new GUID is generated.')
 
+    with self.argument_context('role assignment list') as c:
+        c.argument('fill_principal_name', arg_type=get_three_state_flag(),
+                   help="Query Microsoft Graph to get the assignee's userPrincipalName (for user), "
+                        "servicePrincipalNames (for service principal) or displayName (for group), then fill "
+                        "principalName property with it. "
+                        "If the current logged-in account has no permission or network access to query "
+                        "Microsoft Graph, set this flag to false to avoid warning or error.")
+
     time_help = 'The {} of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to {}'
     with self.argument_context('role assignment list-changelogs') as c:
         c.argument('start_time', help=time_help.format('start time', '1 Hour prior to the current time'))

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -234,7 +234,8 @@ def _create_role_assignment(cli_ctx, role, assignee, resource_group_name=None, s
 
 def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=None,
                           scope=None, include_inherited=False,
-                          show_all=False, include_groups=False, include_classic_administrators=False):
+                          show_all=False, include_groups=False, include_classic_administrators=False,
+                          fill_principal_name=True):
     '''
     :param include_groups: include extra assignments to the groups of which the user is a
     member(transitively).
@@ -281,6 +282,10 @@ def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=Non
             else:
                 i['roleDefinitionName'] = None  # the role definition might have been deleted
 
+    # Opt out of filling principal name
+    if not fill_principal_name:
+        return results
+
     # fill in principal names
     principal_ids = set(worker.get_role_property(i, 'principalId')
                         for i in results if worker.get_role_property(i, 'principalId'))

src/azure-cli/azure/cli/command_modules/role/tests/latest/recordings/test_role_assignment_no_graph.yaml

@@ -689,6 +689,31 @@ def check_changelogs():
             finally:
                 self.cmd('ad user delete --id {upn}')
 
+    @ResourceGroupPreparer(name_prefix='cli_role_assign')
+    @AllowLargeResponse()
+    def test_role_assignment_no_graph(self, resource_group):
+        with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
+            self.kwargs.update({
+                'uami': self.create_random_name('clitest', 15),  # user-assigned managed identity
+                # https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+                'role_reader_guid': 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+            })
+            self._prepare_scope_kwargs()
+
+            uami = self.cmd('identity create -g {rg} -n {uami} --location westus').get_output_in_json()
+            self.kwargs['uami_object_id'] = uami['principalId']
+
+            self.cmd('role assignment create '
+                     '--assignee-object-id {uami_object_id} --assignee-principal-type ServicePrincipal '
+                     '--role {role_reader_guid} --scope {rg_id}')
+            # Verify '--fill-principal-name false' skips the Graph query for filling principalName.
+            self.cmd('role assignment list --scope {rg_id} --fill-principal-name false',
+                     checks=[
+                         self.check("length([])", 1),
+                         self.not_exists("[0].principalName")
+                     ])
+            # Manually verify the recording file that no HTTP request to https://graph.microsoft.com is made
+
 
 class RoleAssignmentWithConfigScenarioTest(RoleScenarioTestBase):