MicrosoftDocs
diff --git a/‎articles/role-based-access-control/media/role-assignments-template/role-assignment-template-msi.png
36.9 KB b/‎articles/role-based-access-control/media/role-assignments-template/role-assignment-template-msi.png
36.9 KB
diff --git a/‎articles/role-based-access-control/role-assignments-cli.md
Lines changed: 16 additions & 0 deletions b/‎articles/role-based-access-control/role-assignments-cli.md
Lines changed: 16 additions & 0 deletions
@@ -366,6 +366,22 @@ The following example assigns the *Billing Reader* role to to the *alain\@exampl
 az role assignment create --role "Billing Reader" --assignee [email protected] --scope /providers/Microsoft.Management/managementGroups/marketing-group
 ```
 
+### Create a role assignment for a new service principal
+
+If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you use a script to create a new managed identity and then try to assign a role to that service principal, the role assignment might fail. The reason for this failure is likely a replication delay. The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet. To address this scenario, you should specify the principal type when creating the role assignment.
+
+To create a role assignment, use [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create), specify a value for `--assignee-object-id`, and then set `--assignee-principal-type` to `ServicePrincipal`.
+
+```azurecli
+az role assignment create --role <role_name_or_id> --assignee-object-id <assignee_object_id> --assignee-principal-type <assignee_principal_type> --resource-group <resource_group> --scope </subscriptions/subscription_id>
+```
+
+The following example assigns the *Virtual Machine Contributor* role to the *msi-test* managed identity at the *pharma-sales* resource group scope:
+
+```azurecli
+az role assignment create --role "Virtual Machine Contributor" --assignee-object-id 33333333-3333-3333-3333-333333333333 --assignee-principal-type ServicePrincipal --resource-group pharma-sales
+```
+
 ## Remove access
 
 In RBAC, to remove access, you remove a role assignment by using [az role assignment delete](/cli/azure/role/assignment#az-role-assignment-delete):