Scripts/New-AzResourceGroupRoleAssignment.ps1

param(
    [Parameter(Mandatory = $true)][string] $TargetResourceGroupName = $(throw "Target resource group name to which access should be granted is required"),
    [Parameter(Mandatory = $true)][string] $ResourceGroupName = $(throw "Resource group name where the resource is located which should be granted access is required"),
    [Parameter(Mandatory = $true)][string] $ResourceName = $(throw "Name of the resource which should be granted access is required"),
    [Parameter(Mandatory = $true)][string] $RoleDefinitionName = $(throw "Name of the role definition is required")
)

Write-Verbose "Assigning $RoleDefinitionName-rights to the '$ResourceName' in the resource group '$ResourceGroupName' to gain access to the resource group '$TargetResourceGroupName'..."

try {
    $resource = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $ResourceName
    [guid] $resourcePrincipalId = $resource.identity.PrincipalId
    
    New-AzRoleAssignment -ObjectId $resourcePrincipalId -RoleDefinitionName $RoleDefinitionName -ResourceGroupName $TargetResourceGroupName -ErrorAction Stop
    Write-Host "Granted $RoleDefinitionName-rights to the '$ResourceName' in the resource group '$ResourceGroupName' to gain access to the resource group '$TargetResourceGroupName'" -ForegroundColor Green
} catch {
    $ErrorMessage = $_.Exception.Message
    if ($ErrorMessage.Contains("already exists")) {
        Write-Warning "Access of $RoleDefinition-rights has already been granted to the '$ResourceName' in the resource group '$ResourceGroupName' to gain access to the resource group '$TargetResourceGroupName'"
    } else {
        Write-Warning "Failed to grant access of $RoleDefinition-rights to the '$ResourceName' in the resource group '$ResourceGroupName' to gain access to the resource group '$TargetResourceGroupName'"
        Write-Debug $ErrorMessage
    }
}