02/18/2021, 10:20 AM
Use Azure.Authorization.Assignment like below; here I just grabbed the ObjectId from the directory. You can use the Pulumi.AzureAD
NuGet package to programmatically manage the directory if required:
using Pulumi;
using Azure = Pulumi.Azure;
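class ExampleStack : Stack
{
    /// <summary>
    /// Provisions a resource group and a Standard/LRS storage account, then assigns the "owner" role on that
    /// storage account to an existing Azure AD principal identified by its object id.
    /// </summary>
    /// <remarks>
    /// The principal's object id is read from Pulumi config (key <c>principalId</c>, a name chosen here) so the
    /// stack can be reused across directories without editing source; when the key is absent it falls back to
    /// the id the original example hard-coded, so existing deployments behave exactly as before.
    /// </remarks>
    public ExampleStack()
    {
        var config = new Config();
        // Object id of the Azure AD user/group/service principal that receives the role. The fallback keeps the
        // original example's behaviour when no config value has been set.
        string principalId = config.Get("principalId") ?? "88a0f5ab-bea2-421b-8fb9-c710ac6f8b10";

        var resourceGroup = new Azure.Core.ResourceGroup("rg-example");

        var storageAccount = new Azure.Storage.Account("examplesa", new Azure.Storage.AccountArgs
        {
            ResourceGroupName = resourceGroup.Name,
            AccountReplicationType = "LRS",
            AccountTier = "Standard",
        });

        // "owner" is the broadest built-in role on a scope (full control, including managing other role
        // assignments). Scoping it to the storage account's Id rather than the resource group limits the blast
        // radius; a narrower data-plane role is preferable when the principal only needs to read/write data.
        var role = new Azure.Authorization.Assignment("owner", new Azure.Authorization.AssignmentArgs
        {
            PrincipalId = principalId,
            RoleDefinitionName = "owner",
            Scope = storageAccount.Id,
        });
    }
}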
To assign access to a resource, I typically use the SystemAssigned
identity of the resource.
If you want to assign a role to some newly created resource, there is a SkipServicePrincipalAadCheck option,
as I believe it sometimes takes a while for the PrincipalId
to exist after the resource has been created. See below:
using Pulumi;
using Azure = Pulumi.Azure;
class AnotherExampleStack : Stack
{
    /// <summary>
    /// Provisions a resource group, a Standard S1 App Service plan, an App Service with a system-assigned
    /// managed identity, a Standard/LRS storage account, and an "owner" role assignment that grants the
    /// App Service's identity access to the storage account.
    /// </summary>
    public AnotherExampleStack()
    {
        var rg = new Azure.Core.ResourceGroup("rg-example");

        var planSku = new Azure.AppService.Inputs.PlanSkuArgs
        {
            Tier = "Standard",
            Size = "S1",
        };
        var plan = new Azure.AppService.Plan("plan-example", new Azure.AppService.PlanArgs
        {
            Location = rg.Location,
            ResourceGroupName = rg.Name,
            Sku = planSku,
        });

        // SystemAssigned: the platform creates the service principal for the app, so its PrincipalId is
        // only available once the App Service resource exists.
        var managedIdentity = new Azure.AppService.Inputs.AppServiceIdentityArgs
        {
            Type = "SystemAssigned",
        };
        var app = new Azure.AppService.AppService("exampleAppService", new Azure.AppService.AppServiceArgs
        {
            Location = rg.Location,
            ResourceGroupName = rg.Name,
            AppServicePlanId = plan.Id,
            Identity = managedIdentity,
        });

        var storage = CreateStorageAccount(rg);

        // The principal id is an Output derived from the app's identity, so the assignment implicitly
        // depends on the app and is created after it.
        var principalId = app.Identity.Apply(identity => identity.PrincipalId);
        var roleAssignment = new Azure.Authorization.Assignment("owner", new Azure.Authorization.AssignmentArgs
        {
            PrincipalId = principalId,
            // "owner" is the most permissive built-in role; scoping to storage.Id (not the resource group)
            // bounds what the app's identity can touch.
            RoleDefinitionName = "owner",
            Scope = storage.Id,
            // The newly created service principal may not yet be visible in AAD (per the author's note),
            // so the pre-flight existence check is skipped.
            SkipServicePrincipalAadCheck = true,
        });
    }

    // Standard-tier, locally redundant storage account in the given resource group.
    private static Azure.Storage.Account CreateStorageAccount(Azure.Core.ResourceGroup rg)
    {
        return new Azure.Storage.Account("examplesa", new Azure.Storage.AccountArgs
        {
            ResourceGroupName = rg.Name,
            AccountReplicationType = "LRS",
            AccountTier = "Standard",
        });
    }
}