This is the documentation for the az role assignment create command: https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create
--scope is an optional parameter. This is what the documentation says about it:
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
As you can see, it doesn't say what the default value for this parameter is. I can't find it anywhere, so I found myself forced to ask here.
Best Answer
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli#step-4-assign-role
Apparently, when the --scope parameter is not provided, its value depends on whether the --resource-group parameter is provided or not. If you provide that parameter, then it's as if you specified the resource group scope. Otherwise, the subscription scope is assumed.
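The defaulting rule described in the answer above, as an added example that is not part of the original answer or of the Azure CLI: the hypothetical helpers `effective_scope` and `require_narrow_scope` parse the arguments you would pass to `az role assignment create` and reject the case where the assignment would silently land at subscription scope. The script never calls `az`; treating an explicit `--scope` as taking precedence over `--resource-group` is an assumption of this sketch.

```shell
#!/usr/bin/env bash
# Added example: models the defaulting rule from the answer; it never calls az.

# effective_scope SUBSCRIPTION_ID [args as passed to `az role assignment create`]
# Prints "<explicit|implicit> <scope>".
effective_scope() {
  local sub="$1" scope="" rg=""
  shift
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --scope)             scope="${2:-}"; [ "$#" -gt 1 ] && shift ;;
      --scope=*)           scope="${1#*=}" ;;
      --resource-group|-g) rg="${2:-}"; [ "$#" -gt 1 ] && shift ;;
      --resource-group=*)  rg="${1#*=}" ;;
    esac
    shift
  done
  if [ -n "$scope" ]; then
    # Assumption: an explicit --scope wins over --resource-group.
    echo "explicit $scope"
  elif [ -n "$rg" ]; then
    # No --scope, but a resource group: resource group scope.
    echo "implicit /subscriptions/$sub/resourceGroups/$rg"
  else
    # Neither given: the whole subscription is assumed.
    echo "implicit /subscriptions/$sub"
  fi
}

# require_narrow_scope SUBSCRIPTION_ID [args...]
# Prints the scope and returns 0, or returns 1 when the role would be granted
# subscription-wide only because --scope and --resource-group were both omitted.
require_narrow_scope() {
  local result
  result="$(effective_scope "$@")"
  case "$result" in
    "implicit /subscriptions/$1")
      echo "refusing: no --scope given, assignment would cover ${result#* }" >&2
      return 1 ;;
  esac
  echo "${result#* }"
}

# Constructed sample input, using the subscription ID from the quoted documentation.
effective_scope 0b1f6471-1bf0-4dda-aec3-111122223333 \
  --assignee user@example.com --role Reader -g myGroup
```

A wrapper like this can run as a pre-flight check in deployment scripts so that a forgotten `--scope` fails the pipeline instead of granting the role across the subscription.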