Update troubleshooting.md

Add RoleAssignmentUpdateNotPermitted symptom

Author: gmori1018

articles/role-based-access-control/troubleshooting.md

@@ -120,6 +120,31 @@ The reason is likely a replication delay. The service principal is created in on
 
 Set the `principalType` property to `ServicePrincipal` when creating the role assignment. You must also set the `apiVersion` of the role assignment to `2018-09-01-preview` or later. For more information, see [Assign Azure roles to a new service principal using the REST API](role-assignments-rest.md#new-service-principal) or [Assign Azure roles to a new service principal using Azure Resource Manager templates](role-assignments-template.md#new-service-principal).
 
+### Symptom - ARM template role assignment returns BadRequest status
+
+When you try to deploy an ARM template that assigns a role to a service principal you get the error:
+
+`Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (code: RoleAssignmentUpdateNotPermitted)`
+
+**Cause**
+
+The role assignment `name` is not unique, and it is viewed as an update.
+
+**Solution**
+Provide an idempotent unique value for the role assignment `name`
+
+```
+{
+    "type": "Microsoft.Authorization/roleAssignments",
+    "apiVersion": "2018-09-01-preview",
+    "name": "[guid(concat(resourceGroup().id, variables('resourceName'))]",
+    "properties": {
+        "roleDefinitionId": "[variables('roleDefinitionId')]",
+        "principalId": "[variables('principalId')]"
+    }
+}
+```
+
 ### Symptom - Role assignments with identity not found
 
 In the list of role assignments for the Azure portal, you notice that the security principal (user, group, service principal, or managed identity) is listed as **Identity not found** with an **Unknown** type.