Management Group deployment not working with RBAC.

[MattLeach25]

Bicep version
0.4.1318

Describe the bug
We have a template that is creating a management group, and then a module to assign RBAC at the management group level. The management group creation is fine, however when the RBAC module runs with the scope set to the management group that has just been created, it fails with the error - ManagementGroupNotFound - The management group 'EXAMPLEMG' cannot be found.

There is an implicit dependency ensuring that the management group resource is created, before the module is ran assigning the RBAC to the management group. At first we thought this may be a bug with the management group set as the scope for the RBAC module.

However, if we use a management group that already exists, everything works nicely. Therefore it looks to be an issue with the implicit dependency and it doesn't seem to be creating the management group first, before moving onto the RBAC module that should run in sequence afterwards.

To Reproduce
Steps to reproduce the behavior:

We currently have all of our templates and modules stored here > https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Management/managementGroups
When executing the deployment with the following command, the error should appear:

Test-AzManagementGroupDeployment -TemplateParameterFile .\Microsoft.Management\managementGroups.parameters\parameters.json' -TemplateFile '.\Microsoft.Management\managementGroups\deploy.bicep' -Verbose -ManagementGroupId '<>' -Location 'WestEurope'

using the standard parameter file.

Additional details:

We do have other modules that assign RBAC at a management group level and they look identical, and work perfectly fine. However when the combination of creating the management group and then assigning RBAC at the newly created management group takes place, the error appears.

[kilasuit]

May be worth adding a delay in your deployment (inc sign out/sign in if doing locally and not in a pipeline and seperate tasks) before you attempt to deploy to that new MG as I've seen that it needs to refresh what access you/deployment account has after items like MG/Sub deployments occur.

[alex-frankel]

Including @rich-thorn in case he has additional context. Rich is this most likely a replication delay issue or would the authz cache need to be refreshed as well?

[AlexanderSehr]

Splitting the deployment in separate script invocations is definitely a valid workaround - but I guess is nothing more than a 'workaround' for an underlying issue. It seems anyhow that it is only an issue if doing this in one template. It's just a curious case as the same does not break for (for example) subscriptions or resource groups.

When troubleshooting it, I also tried to work around the 'scope' issue by adding an intermediate 'deployment/module', additional explicit dependencies, etc. - but to no avail. The error ManagementGroupNotFound - The management group 'exampleMG' cannot be found stays no matter what.

[AlexanderSehr]

May be worth adding a delay in your deployment (inc sign out/sign in if doing locally and not in a pipeline and seperate tasks) before you attempt to deploy to that new MG as I've seen that it needs to refresh what access you/deployment account has after items like MG/Sub deployments occur.

I'd furher like to add that I added a delay in the template (via a deployment script) just to see what would happen - but it unfortunately doesn't change the fact that already the 'Test-Az*Deployment' command fails with the described error ManagementGroupNotFound - The management group 'exampleMG' cannot be found.