az role assignment list - does not return existing role assignment

[atomassi]

Describe the bug

az role assignment list does not return an existing role assignment that is correctly returned by Az PowerShell (Get-AzRoleAssignment).

Role was created long time ago and exists. Example output (correct since it exists) if I try to create it again.

az role assignment create --assignee "d7b9e171-ff4e-4deb-9f77-0aa53c66f826" --role "acdd72a7-3385-48ef-bd42-f606fba81ae7" --scope "/"

The command failed with an unexpected error. Here is the traceback:
list index out of range
Traceback (most recent call last):
...
azure.core.exceptions.ResourceExistsError: (RoleAssignmentExists) The role assignment already exists.
Code: RoleAssignmentExists
Message: The role assignment already exists.

Retrieve with Az PowerShell

Get-AzRoleAssignment -ObjectId d7b9e171-ff4e-4deb-9f77-0aa53c66f826 -RoleDefinitionId acdd72a7-3385-48ef-bd42-f606fba81ae7 -Scope /  

RoleAssignmentName : 514acb72-31be-47bd-afb2-8556887a5e0e
RoleAssignmentId   : /providers/Microsoft.Authorization/roleAssignments/514acb72-31be-47bd-afb2-8556887a5e0e
Scope              : /
DisplayName        : Test User
SignInName         : <removed>
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : d7b9e171-ff4e-4deb-9f77-0aa53c66f826
ObjectType         : User
CanDelegate        : False
Description        : 
ConditionVersion   : 
Condition          : 

Retrieve with Azure CLI

az role assignment list --assignee d7b9e171-ff4e-4deb-9f77-0aa53c66f826  --role acdd72a7-3385-48ef-bd42-f606fba81ae7  --scope /      
[]

Related command

az role assignment list --assignee d7b9e171-ff4e-4deb-9f77-0aa53c66f826 --role acdd72a7-3385-48ef-bd42-f606fba81ae7 --scope /

Errors

no error, the expected result is not returned

Issue script & Debug output

DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /providers/Microsoft.Authorization/roleAssignments?$filter=atScope()&api-version=2022-04-01 HTTP/1.1" 200 255403
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 200

this is what is called and the entity is part of the result. the result has > 300 entities, so not pasting them here.

DEBUG: cli.azure.cli.core.sdk.policies: {"value": } <---- this API result contains the role that should be returned - omitted here
DEBUG: cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x104177d80>, <function _x509_from_base64_to_hex_transform at 0x104177e20>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnFilterResult []
DEBUG: cli.knack.cli: Event: Cli.SuccessfulExecute []
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x10413ede0>]
INFO: az_command_data_logger: exit code: 0
INFO: cli.main: Command ran in 0.788 seconds (init: 0.095, invoke: 0.693)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3953 in cache file under /Users/atomassi/.azure/telemetry/20251212150918582
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.77.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.77.0/libexec/lib/python3.13/site-packages/azure/cli/telemetry/init.py /Users/atomassi/.azure /Users/atomassi/.azure/telemetry/20251212150918582"
INFO: telemetry.process: Return from creating process 202
INFO: telemetry.main: Finish creating telemetry upload pro

Expected behavior

Result returned as for Az PowerShell

Environment Summary

azure-cli 2.77.0 *

core 2.77.0 *
telemetry 1.1.0

Extensions:
application-insights 1.2.3

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location '/opt/homebrew/Cellar/azure-cli/2.77.0/libexec/bin/python'
Config directory '/Users/atomassi/.azure'
Extensions directory '/Users/atomassi/.azure/cliextensions'

Python (Darwin) 3.13.7 (main, Aug 14 2025, 11:12:11) [Clang 17.0.0 (clang-1700.0.13.3)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

[azure-client-tools-bot-prd]

Hi @atomassi,

2.77.0 is not the latest Azure CLI(2.81.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Role assigned to scope not returned unless scope is specified #14302

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

You need to specify --all to list all the assignments under the current subscription. This behavior is by design that CLI will build a subscription level scope if there is no scope specified.

Reference:

• Role assigned to scope not returned unless scope is specified #14302 (comment)

Solution 2:

I have confirmed that using the --all switch returns the role. I strongly suggest that we make --all the default to avoid these types of situations. If we have tests in place, then we can try to make --all the default and see what breaks and then determine if it is worth it to make the change.

Reference:

• Role assigned to scope not returned unless scope is specified #14302 (comment)

Solution 3:

az role assignment list by default only lists role assignments exactly at the subscription level. To retrieve all role assignments, including those at different levels, use the --all parameter.

Reference:

• Role assigned to scope not returned unless scope is specified #14302 (comment)

Powered by issue-sentinel