Yep - that is true. I have been using that - but making use of the input/output automatic dependency functionality. E.g. I used Output<string> (the principal ID) as an input into the RoleAssignment - which should create that dependency. Even then, Azure sometimes fails. The failure is well documented though - its basically this from what I understand: a new AD group is created in a single region, then gets replicated. While replication is still taking place, the request to perform a RoleAssignment hits a different region which has not yet received the new AD group - boom. So, that's why I was chasing the terrible idea of injecting a silly time span into the whole thing - solely to hopefully allow this replication to occur.