Merge pull request #204073 from rolyon/rolyon-rbac-rest-api-version-2022-04-01-arm

prmerger-automator[bot] · web-flow · commit b8e3f7668673 · 2022-10-19T00:33:32.000Z
[Azure RBAC] REST API version 2022-04-01 for ARM
diff --git a/articles/role-based-access-control/conditions-role-assignments-template.md b/articles/role-based-access-control/conditions-role-assignments-template.md
@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: how-to
 ms.workload: identity
-ms.date: 06/29/2021
+ms.date: 10/19/2022
 ms.author: rolyon
 ---
 
@@ -23,7 +23,13 @@ An [Azure role assignment condition](conditions-overview.md) is an additional ch
 
 ## Prerequisites
 
-For information about the prerequisites to add role assignment conditions, see [Conditions prerequisites](conditions-prerequisites.md).
+You must use the following versions:
+
+- `2020-03-01-preview` or later
+- `2020-04-01-preview` or later if you want to utilize the `description` property for role assignments
+- `2022-04-01` is the first stable version
+
+For more information about the prerequisites to add role assignment conditions, see [Conditions prerequisites](conditions-prerequisites.md).
 
 ## Add a condition
 
@@ -66,7 +72,7 @@ To use the template, you must specify the following input:
         {
             "name": "[parameters('roleAssignmentGuid')]",
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2020-04-01-preview", // API version to call the role assignment PUT.
+            "apiVersion": "2022-04-01", // API version to call the role assignment PUT.
             "properties": {
                 "roleDefinitionId": "[variables('StorageBlobDataReader')]",
                 "principalId": "[parameters('principalId')]",
diff --git a/articles/role-based-access-control/custom-roles-template.md b/articles/role-based-access-control/custom-roles-template.md
@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 12/16/2020
+ms.date: 10/19/2022
 ms.author: rolyon 
 ms.custom: devx-track-azurepowershell
 
@@ -33,6 +33,12 @@ To create a custom role, you must have:
 
 - Permissions to create custom roles, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).
 
+You must use the following version:
+
+- `2018-07-01` or later
+
+For more information, see [API versions of Azure RBAC REST APIs](/rest/api/authorization/versions).
+
 ## Review the template
 
 The template used in this article is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/create-role-def). The template has four parameters and a resources section. The four parameters are:
@@ -173,7 +179,7 @@ Here are the changes you would need to make to the previous Quickstart template
       "resources": [
         {
           "type": "Microsoft.Authorization/roleDefinitions",
-          "apiVersion": "2018-07-01",
+          "apiVersion": "2022-04-01",
           "name": "[parameters('roleDefName')]",
           "properties": {
             ...
diff --git a/articles/role-based-access-control/role-assignments-template.md b/articles/role-based-access-control/role-assignments-template.md
@@ -8,7 +8,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 09/07/2022
+ms.date: 10/19/2022
 ms.author: rolyon 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
@@ -26,6 +26,14 @@ ms.devlang: azurecli
 
 [!INCLUDE [Azure role assignment prerequisites](../../includes/role-based-access-control/prerequisites-role-assignments.md)]
 
+You must use the following versions:
+
+- `2018-09-01-preview` or later to assign an Azure role to a new service principal
+- `2020-04-01-preview` or later to assign an Azure role at resource scope
+- `2022-04-01` is the first stable version
+
+For more information, see [API versions of Azure RBAC REST APIs](/rest/api/authorization/versions).
+
 ## Get object IDs
 
 To assign a role, you need to specify the ID of the user, group, or application you want to assign the role to. The ID has the format: `11111111-1111-1111-1111-111111111111`. You can get the ID using the Azure portal, Azure PowerShell, or Azure CLI.
@@ -100,7 +108,7 @@ To use the template, you must do the following:
     "resources": [
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2018-09-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[guid(resourceGroup().id)]",
             "properties": {
                 "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
@@ -175,7 +183,7 @@ To use the template, you must specify the following inputs:
     "resources": [
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2018-09-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[parameters('roleNameGuid')]",
             "properties": {
                 "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
@@ -277,7 +285,7 @@ To use the template, you must specify the following inputs:
         },
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2020-04-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[parameters('roleNameGuid')]",
             "scope": "[concat('Microsoft.Storage/storageAccounts', '/', variables('storageName'))]",
             "dependsOn": [
@@ -310,7 +318,7 @@ The following shows an example of the Contributor role assignment to a user for
 
 If you create a new service principal and immediately try to assign a role to that service principal, that role assignment can fail in some cases. For example, if you create a new managed identity and then try to assign a role to that service principal in the same Azure Resource Manager template, the role assignment might fail. The reason for this failure is likely a replication delay. The service principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the service principal yet.
 
-To address this scenario, you should set the `principalType` property to `ServicePrincipal` when creating the role assignment. You must also set the `apiVersion` of the role assignment to `2018-09-01-preview` or later.
+To address this scenario, you should set the `principalType` property to `ServicePrincipal` when creating the role assignment. You must also set the `apiVersion` of the role assignment to `2018-09-01-preview` or later. `2022-04-01` is the first stable version.
 
 The following template demonstrates:
 
@@ -346,7 +354,7 @@ To use the template, you must specify the following inputs:
         },
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2018-09-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[variables('bootstrapRoleAssignmentId')]",
             "dependsOn": [
                 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
