Scripts/New-AzResourceGroupRoleAssignment.ps1

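<#
.SYNOPSIS
Grants the identity of an Azure resource a role on a target resource group.

.DESCRIPTION
Looks up a resource by name with Get-AzResource, reads the principal id from
its identity, and creates a role assignment for that principal scoped to the
target resource group with New-AzRoleAssignment.

An "already exists" error from the role assignment is reported as success.
Any other failure is reported with Write-Warning only, so the script itself
does not terminate with an error.

.PARAMETER TargetResourceGroupName
Resource group that becomes the scope of the role assignment.

.PARAMETER ResourceGroupName
Resource group that contains the resource whose identity receives the role.

.PARAMETER ResourceName
Name of the resource whose identity receives the role.

.PARAMETER RoleDefinitionName
Name of the role definition to assign. The value is passed to
New-AzRoleAssignment unchanged: this script does not restrict which role may
be granted, so callers should pass the narrowest role that covers the need.
#>
param (
    [Parameter(Mandatory = $true)][string] $TargetResourceGroupName = $(throw "Target resource group name to which access should be granted is required"),
    [Parameter(Mandatory = $true)][string] $ResourceGroupName = $(throw "Resource group name where the resource is located which should be granted access is required"),
    [Parameter(Mandatory = $true)][string] $ResourceName = $(throw "Name of the resource which should be granted access is required"),
    [Parameter(Mandatory = $true)][string] $RoleDefinitionName = $(throw "Name of the role definition is required")
)

Write-Host "Assigning $RoleDefinitionName-rights to the '$ResourceName' in the resource group '$ResourceGroupName' to gain access to the '$TargetResourceGroupName'"

try {
    # -ErrorAction Stop routes a failed lookup into the catch block instead of
    # letting the script continue with an empty result.
    $matchingResources = @(Get-AzResource -ResourceGroupName $ResourceGroupName -Name $ResourceName -ErrorAction Stop)

    # The lookup filters by name only, so resources of different types can share
    # the name. Refuse to guess which identity should receive the role.
    if ($matchingResources.Count -ne 1) {
        throw "Expected exactly one resource named '$ResourceName' in resource group '$ResourceGroupName' but found $($matchingResources.Count)"
    }

    # Check for a missing identity explicitly, so the caller sees the real cause
    # rather than a GUID conversion error.
    $principalId = $matchingResources[0].Identity.PrincipalId
    if ([string]::IsNullOrWhiteSpace($principalId)) {
        throw "Resource '$ResourceName' in resource group '$ResourceGroupName' does not expose an identity principal id"
    }
    [guid] $resourcePrincipalId = $principalId

    New-AzRoleAssignment -ObjectId $resourcePrincipalId -RoleDefinitionName $RoleDefinitionName -ResourceGroupName $TargetResourceGroupName -ErrorAction Stop
    Write-Host "$RoleDefinitionName access granted!"
} catch {
    $ErrorMessage = $_.Exception.Message
    # The duplicate-assignment case is recognised by a substring of the error
    # text, so a change in that wording would route it to the warning branch.
    if ($ErrorMessage.Contains("already exists")) {
        Write-Host "Access has already been granted"
    } else {
        # NOTE(review): failures surface as warnings only and the script still
        # completes. A calling pipeline that depends on this access should
        # verify the assignment, or this branch should rethrow. Confirm intent.
        Write-Warning "Failed to grant access!"
        Write-Warning $ErrorMessage
    }
}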