
Subscription-scope authorization for Azure Resource Manager API user

Trying to put together an Azure ARM integration, where my code uses the Azure API to retrieve the full list of VMs in the entire subscription.

Went successfully through all the (many!) steps here to get an API user ready with all relevant IDs needed for authentication.

Using the same set of instructions, we were also able to grant this user the Reader role, for listing VMs in specific groups (we did this through the Azure UI). However, we have been unsuccessful in implementing the instructions here for setting up Reader role for this user to the entire subscription (through the CLI).

Running this:

azure role assignment create --objectId app-oid --roleName Reader --scope /subscriptions/subscription-id

Or this:

azure role assignment create --objectId app-oid --roleName Reader --subscription subscription-id --scope /subscriptions/subscription-id

Yields this:

Principals of type Application cannot validly be used in role assignments.

So currently we have no way of programmatically browsing the full set of VMs without adding a specific authorization for each Resource Group. Does anybody know of a way that actually works to assign this permission at the subscription level?

asked Dec 17 '25 13:12

orange77


1 Answer

Found the answer in the comment area of the link in the question body: In the new portal, edit the subscription and add the role, just like you would do with a resource group. Still curious as to why the CLI doesn't support this.

answered Dec 19 '25 07:12

orange77
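
As an added example (not part of the original question or answer), this Python check takes role-assignment records in the shape the ARM API returns and reports whether a principal's Reader role applies to the whole subscription or only to individual resource groups. All IDs and sample records are constructed, and inheritance from management groups is not resolved.

```python
# Built-in Reader role definition GUID, identical in every tenant.
READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

SUB = "00000000-0000-0000-0000-000000000000"     # constructed subscription id
APP_SP = "11111111-1111-1111-1111-111111111111"  # constructed principal id
OTHER = "22222222-2222-2222-2222-222222222222"   # constructed, unrelated principal

def _assignment(principal, scope, role_guid=READER_ROLE_GUID):
    """Constructed record in the shape ARM returns for a role assignment."""
    return {"properties": {
        "principalId": principal,
        "scope": scope,
        "roleDefinitionId": f"/subscriptions/{SUB}/providers/"
                            f"Microsoft.Authorization/roleDefinitions/{role_guid}",
    }}

# Constructed sample: Reader granted per resource group only.
PER_GROUP = [
    _assignment(APP_SP, f"/subscriptions/{SUB}/resourceGroups/RG-Web"),
    _assignment(OTHER, f"/subscriptions/{SUB}/resourceGroups/rg-db"),
]
# Same sample after Reader is also assigned on the subscription itself.
SUBSCRIPTION_WIDE = PER_GROUP + [_assignment(APP_SP, f"/subscriptions/{SUB}")]

def scope_covers(assigned, target):
    """True when an assignment at `assigned` is inherited by `target`."""
    a = assigned.rstrip("/").lower()
    t = target.rstrip("/").lower()
    # Compare whole path segments: /subscriptions/ab must not cover /subscriptions/abc.
    return t == a or t.startswith(a + "/")

def reader_coverage(assignments, principal_id, resource_groups, subscription_id=SUB):
    """Report where `principal_id` holds Reader: subscription-wide or per group."""
    sub_scope = f"/subscriptions/{subscription_id}"
    scopes = [
        a["properties"]["scope"] for a in assignments
        if a["properties"]["principalId"].lower() == principal_id.lower()
        and a["properties"]["roleDefinitionId"].lower().endswith(READER_ROLE_GUID)
    ]
    uncovered = [
        rg for rg in resource_groups
        if not any(scope_covers(s, f"{sub_scope}/resourceGroups/{rg}") for s in scopes)
    ]
    return {
        "subscription_wide": any(scope_covers(s, sub_scope) for s in scopes),
        "uncovered_groups": uncovered,
    }
```
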


