Hi. I created a Kubernetes Cluster and I want to assign the role "AcrPull" to it.
I tried similar codes with yours but encountered some problems.

IRoleAssignment roleAssignment2 = authenticated.RoleAssignments
                    .Define("Roles")
                    .ForObjectId(theCluster.Id)
                    .WithBuiltInRole(BuiltInRole.Contributor)
                    .WithScope(azureRegistry.Id)
                    .Create();

1. There's no role named AcrPull in the field of BuiltInRole. But I found this role is listed in the official document of RBAC BuiltInRole.

2. I tried with role contributor, but got
   The client 'xx' with object id 'yy' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/d6622a0d-933b-4924-b2ff-ea141456872b/resourceGroups/myGroup/providers/Microsoft.ContainerRegistry/registries/MyRegistires/providers/Microsoft.Authorization/roleAssignments/Roles'.

Could you help me with the problems? Thank you very much!

This is a great sample covering the key scenarios. However, there is no explanation as to what specific permissions a service principal needs to be granted in AAD to be able to add users, modify role assignment. All attempts to get this sample to work with a custom SP were hopeless. I'm getting a cryptic CloudException back without any details whatsoever. Would appreciate your advise.

Selected subscription: xxxxx Creating an Active Directory user Test 76e11025a212d11af... Microsoft.Rest.Azure.CloudException: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown. at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperations.<ListWithHttpMessagesAsync>d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.Graph.RBAC.Fluent.DomainsOperationsExtensions.<ListAsync>d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.Graph.RBAC.Fluent.ActiveDirectoryUserImpl.<CreateResourceAsync>d__23.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator-CreateResourceAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem1.<ExecuteAsync>d__6.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase1.d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.Extensions.Synchronize[TResult](Func1 function) at ManageUsersGroupsAndRoles.Program.RunSample(IAuthenticated authenticated) at ManageUsersGroupsAndRoles.Program.Main(String[] args)

Hello,

The link to the instructions for creating a azureauth file is broken. I believe it should point to the following article : https://docs.microsoft.com/en-us/dotnet/azure/dotnet-sdk-azure-authenticate?view=azure-dotnet.

Kind regards