How to grant RBAC for an Azure resource group via C# code?

Question

I am trying to grant a permissions (RBAC, role-based access control) to Azure resource groups using C# code. I.e., I want to grant permissions to the resource group itself not just the individual resources under it (storage accounts, app services and whatnot). This is easy to do in the Azure portal (GUI), but I struggle with it in code.

I have tried to do it with a Bicep template. My template is below. This works fine for other resource types, such as app services and storage accounts, but when I do the below and then try to convert my Bicep template to ARM using bicep build from the command line, the Bicep linter rejects it:

Error BCP135: Scope "resourceGroup" is not valid for this resource type. Permitted scopes: "subscription".

Are there errors in my Bicep code that I cannot spot? Alternatively, can I grant these permissions from C# code without using Bicep/ARM templates?

Thanks in advance!

Bicep code:

param aadObjectId string
param resourceName string
param roleDefinitionGuid string
param roleNameGuid string = newGuid()

resource target_resource 'Microsoft.Resources/resourceGroups@2021-01-01' existing = {
  name: resourceName
}

resource roleDefinition_resource 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: roleDefinitionGuid
}

resource roleNameGuid_group 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  scope: target_resource
  #disable-next-line use-stable-resource-identifiers
  name: roleNameGuid
  properties: {
    roleDefinitionId: roleDefinition_resource.id
    principalId: aadObjectId
  }
  dependsOn: []
}

I was intending to deploy the template using roughly this C# code:

ArmClient armClient;
var subscription = armClient.GetSubscriptionResourceByEnvironment(Environment);
var resourceGroup = await subscription.GetResourceGroupAsync(resourceGroupName.Value, ct);
var armDeployments = resourceGroup.Value.GetArmDeployments();
var armOperation = await armDeployments.CreateOrUpdateAsync(
    waitUntil: WaitUntil.Completed,
    deploymentName: deploymentName,
    content: armDeploymentContent, // This is generated from the ARM (JSON) file.
    cancellationToken: ct);

Answer 1

Alternatively, can I grant these permissions from C# code without using Bicep/ARM templates?

You can use the code below to assign roles to a resource group using C# without using Bicep/ARM templates.

Code:

using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Authorization;
using Azure.ResourceManager.Authorization.Models;

TokenCredential cred = new DefaultAzureCredential();
ArmClient client = new ArmClient(cred);

string scope = "/subscriptions/<subscription-Id>/resourceGroups/venkatesan-rg";
string roleAssignmentName = "acdd7xxxx81ae7";
ResourceIdentifier roleAssignmentResourceId = RoleAssignmentResource.CreateResourceIdentifier(scope, roleAssignmentName);
RoleAssignmentResource roleAssignment = client.GetRoleAssignmentResource(roleAssignmentResourceId);

RoleAssignmentCreateOrUpdateContent content = new RoleAssignmentCreateOrUpdateContent(new ResourceIdentifier("/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/<roledefinitionid>"), Guid.Parse("user-object-id"))
{
    PrincipalType = RoleManagementPrincipalType.User,
};
ArmOperation<RoleAssignmentResource> lro = await roleAssignment.UpdateAsync(WaitUntil.Completed, content);
RoleAssignmentResource result = lro.Value;
RoleAssignmentData resourceData = result.Data;
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

Output:

Succeeded on id: /subscriptions/1xxx/resourceGroups/venkatesan-rg/providers/Microsoft.Authorization/roleAssignments/acdd72a7-3385-48ef-bd42-f606fba81ae7

Note: To assign roles to a user or service principal, you need the UserAdministrator role.

Portal:

Reference:

Role Assignments - Create - REST API (Azure Authorization) | Microsoft Learn