[Role] BREAKING CHANGE: az ad sp create-for-rbac: Stop defaulting --scopes to subscription

src/azure-cli/azure/cli/command_modules/role/_help.py

@@ -409,9 +409,7 @@
   - name: --scopes
     short-summary: >
         Space-separated list of scopes the service principal's role assignment applies to.
-        Starting from Azure CLI 2.35.0, --scopes argument will become required for creating role assignments.
-        Defaults to the root of the current subscription. e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333,
-        /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or
+        e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup,
         /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
   - name: --role
     short-summary: Role of the service principal.

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -39,9 +39,6 @@
 
 logger = get_logger(__name__)
 
-SCOPE_WARNING = "Starting from Azure CLI 2.35.0, --scopes argument will become required for creating role " \
-                "assignments. Please explicitly specify --scopes."
-
 # pylint: disable=too-many-lines
 
 
@@ -1404,12 +1401,11 @@ def create_service_principal_for_rbac(
         show_auth_for_sdk=None, skip_assignment=False, keyvault=None):
     import time
 
-    graph_client = _graph_client_factory(cmd.cli_ctx)
-    role_client = _auth_client_factory(cmd.cli_ctx).role_assignments
+    if role and not scopes or not role and scopes:
+        from azure.cli.core.azclierror import ArgumentUsageError
+        raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.")
 
-    if role and not scopes:
-        logger.warning(SCOPE_WARNING)
-        scopes = ['/subscriptions/' + role_client.config.subscription_id]
+    graph_client = _graph_client_factory(cmd.cli_ctx)
 
     years = years or 1
     _RETRY_TIMES = 36

src/azure-cli/azure/cli/command_modules/role/tests/hybrid_2018_03_01/test_role.py

@@ -44,41 +44,41 @@ def test_create_for_rbac_with_secret_with_assignment(self, resource_group):
         subscription_id = self.get_subscription_id()
         self.kwargs.update({
             'sub': subscription_id,
-            'scope': '/subscriptions/{}'.format(subscription_id),
+            'scope': f'/subscriptions/{subscription_id}/resourceGroups/{resource_group}',
+            'role': 'Reader',
             'display_name': resource_group
         })
 
         try:
             with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
-                result = self.cmd('ad sp create-for-rbac -n {display_name} --scopes {scope} {scope}/resourceGroups/{rg}',
+                result = self.cmd('ad sp create-for-rbac -n {display_name} '
+                                  '--scopes {scope} --role {role}',
                                   checks=self.check('displayName', '{display_name}')).get_output_in_json()
                 self.kwargs['app_id'] = result['appId']
-                self.cmd('role assignment list --assignee {app_id} --scope {scope}',
-                         checks=self.check("length([])", 1))
                 self.cmd('role assignment list --assignee {app_id} -g {rg}',
-                         checks=self.check("length([])", 1))
+                         checks=[
+                             self.check("length([])", 1),
+                             self.check("[0].properties.roleDefinitionName", '{role}'),
+                             self.check("[0].properties.scope", '{scope}')
+                         ])
                 self.cmd('role assignment delete --assignee {app_id} -g {rg}',
                          checks=self.is_empty())
-                self.cmd('role assignment delete --assignee {app_id}',
-                         checks=self.is_empty())
         finally:
             self.cmd('ad app delete --id {app_id}')
 
 
 class RbacSPCertScenarioTest(RoleScenarioTest):
+
     @ResourceGroupPreparer(name_prefix='cli_create_rbac_sp_with_cert')
-    def test_create_for_rbac_with_cert_with_assignment(self, resource_group):
+    def test_create_for_rbac_with_cert_no_assignment(self, resource_group):
 
-        subscription_id = self.get_subscription_id()
         self.kwargs.update({
-            'sub': subscription_id,
-            'scope': '/subscriptions/{}'.format(subscription_id),
-            'display_name': resource_group
+            'display_name': resource_group,
         })
 
         try:
             with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
-                result = self.cmd('ad sp create-for-rbac -n {display_name} --scopes {scope} {scope}/resourceGroups/{rg} --create-cert',
+                result = self.cmd('ad sp create-for-rbac -n {display_name} --create-cert',
                                   checks=self.check('displayName', '{display_name}')).get_output_in_json()
                 self.kwargs['app_id'] = result['appId']
 
@@ -92,6 +92,7 @@ def test_create_for_rbac_with_cert_with_assignment(self, resource_group):
             self.cmd('ad app delete --id {app_id}',
                      checks=self.is_empty())
 
+
 class RbacSPKeyVaultScenarioTest2(ScenarioTest):
     @ResourceGroupPreparer(name_prefix='cli_test_sp_with_kv_new_cert')
     @KeyVaultPreparer(name_prefix='test-rbac-new-kv')
@@ -112,7 +113,7 @@ def test_create_for_rbac_with_new_kv_cert(self, resource_group, key_vault):
         try:
             with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
                 try:
-                    result = self.cmd('ad sp create-for-rbac --scopes {scope}/resourceGroups/{rg} --create-cert '
+                    result = self.cmd('ad sp create-for-rbac --create-cert '
                                       '--keyvault {kv} --cert {cert} -n {display_name}').get_output_in_json()
                     self.kwargs['app_id'] = result['appId']
                 except KeyVaultErrorException:
@@ -152,7 +153,7 @@ def test_create_for_rbac_with_existing_kv_cert(self, resource_group, key_vault):
             self.cmd('keyvault certificate create --vault-name {kv} -n {cert} -p "{policy}" --validity 24')
             with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
                 result = self.cmd('ad sp create-for-rbac -n {display_name} --keyvault {kv} '
-                                  '--cert {cert} --scopes {scope}/resourceGroups/{rg}').get_output_in_json()
+                                  '--cert {cert}').get_output_in_json()
                 self.kwargs['app_id'] = result['appId']
             self.cmd('ad sp credential reset -n {app_id} --keyvault {kv} --cert {cert}')
         finally:
@@ -166,7 +167,7 @@ def test_create_for_rbac_with_existing_kv_cert(self, resource_group, key_vault):
         try:
             self.cmd('keyvault certificate create --vault-name {kv} -n {cert} -p "{policy}" --validity 6')
             with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
-                result = self.cmd('ad sp create-for-rbac --scopes {scope}/resourceGroups/{rg} --keyvault {kv} '
+                result = self.cmd('ad sp create-for-rbac --keyvault {kv} '
                                   '--cert {cert} -n {display_name2}').get_output_in_json()
                 self.kwargs['app_id2'] = result['appId']
             self.cmd('ad sp credential reset -n {app_id2} --keyvault {kv} --cert {cert}')