Describe the bug
The az containerapp create command, with the --yaml parameter, modifies the managed identity ID specified in that config file by squashing underscore symbols, which leads to this managed identity not being found in Azure.
Related command
containerapp create --name bridge-test --resource-group PARTS-DIVIDED-BY-DASHES-RG_PARTS_DIVIDED_BY_UNDERSCORES --yaml /agent/_work/_temp/advanced-settings.yml
The content of /agent/_work/_temp/advanced-settings.yml is the following:
identity:
  type: UserAssigned
  userAssignedIdentities:
    ? /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity
    : {}
location: westeurope
properties:
  configuration:
    secrets:
    - identity: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity
      keyVaultUrl: https://some-kv.vault.azure.net/secrets/secret1
      name: secret1
    - identity: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity
      keyVaultUrl: https://some-kv.vault.azure.net/secrets/secret2
      name: secret2
  environmentId: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.App/managedEnvironments/Some-Managed-Environment
  template:
    containers:
    - env:
      - name: ENV_VAR1
        value: value1
      - name: ENV_VAR2
        value: value2
      image: some-acr.azurecr.io/app:0.0.1-rc.1
      name: bridge-test
      resources:
        cpu: !!float 0.5
        memory: 1Gi
Errors
The error output looks this way in an ADO pipeline with debug mode activated for az cli:
2026-04-29T11:34:22.7634003Z INFO: cli.azure.cli.core.util: {"error":{"code":"LinkedAuthorizationFailed","message":"The client ... with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' has permission to perform action 'Microsoft.App/containerApps/write' on scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.App/containerApps/bridge-test'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RGNamePartsDividedByUnderscores/Providers/Microsoft.Managedidentity/Userassignedidentities/Some-Managed-Identity' (respectively) or the linked scope(s) are invalid."}}
NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES becomes NAME-PARTS-DIVIDED-BY-DASHES-RGNamePartsDividedByUnderscores
Issue script & Debug output
In the same debug output I see the following request body (formatted by me for convenience):
2026-04-29T11:34:22.6037723Z INFO: cli.azure.cli.core.util: ...
{
  "tags": null,
  "location": "westeurope",
  "extendedLocation": null,
  "identity": {
    "principalId": null,
    "tenantId": null,
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RGNamePartsDividedByUnderscores/Providers/Microsoft.Managedidentity/Userassignedidentities/SOME-Managed-Identity": {}
    }
  },
  "managedBy": null,
  "kind": null,
  "properties": {
    "environmentId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.App/managedEnvironments/HFRSGXPTSTSPOKE01PHARMA40SABACCAE",
    "configuration": {
      "secrets": [
        {
          "name": "secret1",
          "value": null,
          "identity": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity",
          "keyVaultUrl": "https://some-kv.vault.azure.net/secrets/secret1"
        },
        {
          "name": "secret2",
          "value": null,
          "identity": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity",
          "keyVaultUrl": "https://some-kv.vault.azure.net/secrets/secret2"
        }
      ],
      "activeRevisionsMode": null,
      "ingress": null,
      "registries": null,
      "dapr": null,
      "runtime": null,
      "maxInactiveRevisions": null,
      "service": null,
      "identitySettings": null
    },
    "template": {
      "revisionSuffix": null,
      "terminationGracePeriodSeconds": null,
      "initContainers": null,
      "containers": [
        {
          "image": "some-acr.azurecr.io/app:0.0.1-rc.1",
          "name": "bridge-test",
          "command": null,
          "args": null,
          "env": [
            {
              "name": "ENV_VAR1",
              "value": "value1",
              "secretRef": null
            },
            {
              "name": "ENV_VAR2",
              "value": "value2",
              "secretRef": null
            }
          ],
          "resources": {
            "cpu": 0.5,
            "memory": "1Gi",
            "ephemeralStorage": null
          },
          "volumeMounts": null,
          "probes": null
        }
      ],
      "scale": null,
      "volumes": null,
      "serviceBinds": null
    },
    "workloadProfileName": null,
    "latestReadyRevisionName": null,
    "eventStreamEndpoint": null
  }
}
Expected behavior
The issue only happens with the managed identity ID in the identity mapping and does not affect the managed identity IDs of the secrets mapping.
If the managed identity ID is changed by replacing all underscore symbols with dashes, then this issue does not appear.
Environment Summary
2026-04-29T12:28:13.4076533Z Azure-cli Azure-cli-core Azure-cli-telemetry
2026-04-29T12:28:13.4077230Z ----------- ---------------- ---------------------
2026-04-29T12:28:13.4077629Z 2.71.0 2.71.0 1.1.0
2026-04-29T11:34:12.8514251Z Azure-cli Azure-cli-core Azure-cli-telemetry
2026-04-29T11:34:12.8514914Z ----------- ---------------- ---------------------
2026-04-29T11:34:12.8515273Z 2.85.0 2.85.0 1.1.0
az cli was updated with the help of a deb package:
2026-04-29T11:33:14.8180399Z Unpacking azure-cli (2.85.0-1~jammy) over (2.71.0-1~jammy) ...
Additional context
No response
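The symptom reported above, reproduced as an added Python example (not azure-cli code and not part of the original report): a generic snake_case-to-camelCase key converter, assumed here purely for illustration, turns the resource ID used as a mapping key into exactly the linked scope quoted in the error message, while the same ID used as a value under secrets is left alone. The function names, the DATA_KEYED guard and the drift check are hypothetical.

```python
# Added illustration; not azure-cli source code. All names below are hypothetical.
RG = "NAME-PARTS-DIVIDED-BY-DASHES-RG_NAME_PARTS_DIVIDED_BY_UNDERSCORES"
IDENTITY_ID = (
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/" + RG
    + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/SOME-Managed-Identity"
)
# Parents whose child keys are caller data, not schema field names (assumed list).
DATA_KEYED = {"userAssignedIdentities"}


def snake_to_camel(key):
    """Generic snake_case -> camelCase: keep the first part, title-case the rest."""
    head, *rest = key.split("_")
    return head + "".join(part.title() for part in rest)


def convert_keys(node, keep_data_keys):
    """Recursively rename dict keys; optionally leave data-keyed maps untouched."""
    if isinstance(node, list):
        return [convert_keys(item, keep_data_keys) for item in node]
    if not isinstance(node, dict):
        return node  # values (e.g. a secret's identity) are never rewritten
    out = {}
    for key, value in node.items():
        if keep_data_keys and key in DATA_KEYED and isinstance(value, dict):
            out[key] = dict(value)  # resource IDs pass through byte-for-byte
        else:
            out[snake_to_camel(key)] = convert_keys(value, keep_data_keys)
    return out


def drifted_identities(source, body):
    """Identity IDs present in the YAML-derived dict but absent from the request body."""
    sent = set(body["identity"]["userAssignedIdentities"])
    return sorted(set(source["identity"]["userAssignedIdentities"]) - sent)


# Constructed input mirroring the reported YAML (only the relevant fields).
SOURCE = {
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {IDENTITY_ID: {}}},
    "properties": {"configuration": {"secrets": [{"identity": IDENTITY_ID, "name": "secret1"}]}},
}
MANGLED = convert_keys(SOURCE, keep_data_keys=False)
PRESERVED = convert_keys(SOURCE, keep_data_keys=True)

if __name__ == "__main__":
    print("drift (naive):", drifted_identities(SOURCE, MANGLED))
    print("drift (guarded):", drifted_identities(SOURCE, PRESERVED))
```

Running a drift check of this kind against the request body from the debug log, before the PUT is sent, surfaces the rewritten key locally instead of as a LinkedAuthorizationFailed response.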