Automatically delete the role assignment when it gets Identity not found with type Unknown
Would be nice to implement from your side a way to prune automatically as soon as a role assignment gets "Identity not found" with type "Unknown".
This is happening when there is a System/User identity resource linked to a role assignment that gets deleted from the resource group.
This will help when you deploy from ARM template and avoid the following error:
"message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
To fix this I have to manually remove it from the resource Access Control (IAM) and then run a new deployment.
Not sure if there is any advantage to keeping an old role assignment without any reference on the list.
Example in the screenshot.
I met a similar issue. To work around it, a unique name can be assigned to the role assignment during the ARM template deployment. It's also noticed in some cases role assignments can be automatically deleted if the resource and the service principal of that role assignment have been deleted. More info is logged at https://sz-yang.blogspot.com/2021/03/azure-arm-deployment-delete-resource.html
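As an added illustration of the unique-name workaround above (not code from either post or from the linked blog), the following ARM template fragment seeds the role assignment name with guid() from the scope, the principal ID and the role definition. Because principalId is part of the seed, a recreated identity produces a new assignment name, so the deployment creates a fresh assignment instead of trying to update the stale one and failing with the "not allowed to be updated" error. The two parameters are assumptions for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: object ID of the managed identity that should receive the role."
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: full resource ID of the role definition, e.g. /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<role-guid>."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]",
      "properties": {
        "roleDefinitionId": "[parameters('roleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Setting principalType to ServicePrincipal for a managed identity also avoids transient "principal not found" failures right after the identity is created; the stale assignment left behind by a deleted identity still has to be removed by hand, as the original post describes.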