Fix the Assignable Scopes on the "StartVMonConnect-AVD" Role Definition
Problem
The AVD Accelerator solution creates the "StartVMonConnect-AVD" role definition for the Start VM On Connect feature. This role definition is deployed with a single assignable scope for one subscription. When deploying the solution to another subscription within the same tenant, the deployment fails since the role already exists at a different assignable scope and updates are not permitted.
Background Info
Though assignable scopes can be set to management groups, that feature is in preview and cannot be set to the tenant root management group. Only built-in roles are allowed at the root.
References:
Suggestions
Here are some ideas to solve the issue:
- Use a deployment script to check if the role definition already exists. If it does, update the assignable scopes with the new subscription's resource ID using the Set-AzRoleDefinition cmdlet. If it doesn't, deploy the role definition. The role definition resource should have a condition that checks the output from the deployment script to determine whether the role definition should be deployed or not.
- Create a separate role definition per assignable scope to avoid conflicts, e.g. roleName: 'StartVmOnConnect_${subscription().subscriptionId}'
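The first suggestion, written out as an added example (not code from the avdaccelerator project): a deployment-script body that finds an existing "StartVMonConnect-AVD" role anywhere the identity can read, extends its assignable scopes with Set-AzRoleDefinition, or creates it when absent, and exposes the outcome for a Bicep condition. The role name, scope parameter and the list of actions are assumptions taken from the issue text and the documented Start VM On Connect requirements.

```powershell
# Added example (not from the avdaccelerator repo): create-or-extend logic for the
# "StartVMonConnect-AVD" custom role, intended for a Bicep/ARM deploymentScripts resource.
# Assumes the Az.Accounts and Az.Resources modules and a signed-in deployment-script identity.
param(
    [string]$RoleName    = 'StartVMonConnect-AVD',
    [string]$TargetScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
)

# Actions the Start VM On Connect feature needs (assumption: matches the accelerator's role).
$requiredActions = @(
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/instanceView/read'
)

# Custom roles are tenant-wide, but Get-AzRoleDefinition only returns roles assignable at the
# queried scope, so a lookup from the new subscription misses a role created for another one.
# Scan every subscription the identity can read before concluding the role does not exist.
$existing = $null
foreach ($sub in Get-AzSubscription) {
    $existing = Get-AzRoleDefinition -Name $RoleName -Scope "/subscriptions/$($sub.Id)" -ErrorAction SilentlyContinue
    if ($existing) { break }
}

if ($null -eq $existing) {
    # Not found anywhere: create it with the target subscription as its first assignable scope.
    $role = New-Object -TypeName Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition
    $role.Name             = $RoleName
    $role.Description      = 'Allows Azure Virtual Desktop to start VMs when a user connects'
    $role.IsCustom         = $true
    $role.Actions          = $requiredActions
    $role.AssignableScopes = @($TargetScope)
    $result = New-AzRoleDefinition -Role $role
    $action = 'created'
}
elseif ($existing.AssignableScopes -contains $TargetScope) {
    # Already assignable here; a redeploy would be a no-op, so leave it alone.
    $result = $existing
    $action = 'unchanged'
}
else {
    # Exists for other subscriptions: add this scope instead of redeploying, which the
    # roleDefinition resource cannot do because updates at a different scope are rejected.
    $existing.AssignableScopes.Add($TargetScope)
    $result = Set-AzRoleDefinition -Role $existing
    $action = 'extended'
}

# Surface the outcome to Bicep so the roleDefinition resource can be conditioned on it.
$DeploymentScriptOutputs = @{ roleDefinitionId = $result.Id; action = $action }
```

In Bicep, deploy the roleDefinition resource only when the script output `action` is not `unchanged` or `extended`, so the template never attempts the update that fails today.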