Unable to edit policy set assignments made with ARM templates

Matthew Dowst 1 Reputation point
2021-09-15T19:28:49.84+00:00

So, this is a pretty strange one. If I create a policy assignment using an ARM template and set it to a Policy Set Definition, I am unable to edit the assignment in the portal. When I click Edit Assignment I get the error "Cannot read properties of null (reading 'then')". If I create the same exact assignment through PowerShell, I can edit it in the portal. I pulled both configurations using PowerShell and confirmed everything besides the name and the identity is exactly the same for both assignments. It doesn't make sense as to why one works and not the other.

I changed the ARM template to use a Policy Definition and not a Policy Set, and I was able to edit that assignment. As far as I can tell the assignment is still taking and being applied. It is just very strange that I cannot edit the assignment in the portal. I have included the ARM template and the PowerShell that I used below. I have tested deploying to a subscription and a management group and in both cases it is the same issue.

{
    "type": "Microsoft.Authorization/policyAssignments",
    "name": "[variables('policyAssignmentName')]",
    "apiVersion": "2020-09-01",
    "scope": "[variables('scope')]",
    "properties": {
        "displayName": "[variables('policyAssignmentName')]",
        "policyDefinitionId": "[extensionResourceId(variables('scope'), 'Microsoft.Authorization/policysetDefinitions/', variables('setdefinition'))]",
        "parameters": {
            "logAnalytics_1": {
                "value": "[parameters('workspaceresourceid')]"
            }
        },
        "enforcementMode": "Default"
    },
    "identity": {
        "type": "SystemAssigned"
    },
    "location": "[parameters('location')]"
},


$PolicySet = Get-AzPolicySetDefinition -Name '55f3eceb-5573-4f18-9695-226972c6d74a'
$PolicyParameterObject = @{'logAnalytics_1'='/subscriptions/mysub/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'}
New-AzPolicyAssignment -Name 'VM Monitor' -PolicySetDefinition $PolicySet -Scope '/providers/Microsoft.Management/managementGroups/myMG' -PolicyParameterObject $PolicyParameterObject -AssignIdentity -Location eastus

1 answer

  1. SwathiDhanwada-MSFT 17,726 Reputation points
    2021-09-23T17:27:39.543+00:00

    @Matthew Dowst I have tested your scenario with one of the built-in policy sets, "Enable Azure Monitor for VMs", by assigning it to a subscription using the ARM template below. However, I couldn't reproduce the issue you were facing. Kindly revert if you are still facing the issue.

    {  
      "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",  
      "contentVersion": "1.0.0.0",  
      "parameters": {  
        "policyAssignmentName": {  
          "type": "string",  
          "defaultValue": "[guid(parameters('policyDefinitionID'), resourceGroup().name)]",  
          "metadata": {  
            "description": "Specifies the name of the policy assignment, can be used defined or an idempotent name as the defaultValue provides."  
          }  
        },  
        "policyDefinitionID": {  
          "type": "string",  
          "metadata": {  
            "description": "Specifies the ID of the policy definition or policy set definition being assigned."  
          }  
        },  
        "logAnalytics_1": {  
          "type": "string"  
        },  
        "location": {  
          "type": "string"  
        }  
      },  
      "resources": [  
        {  
          "type": "Microsoft.Authorization/policyAssignments",  
          "name": "[parameters('policyAssignmentName')]",  
          "apiVersion": "2019-09-01",  
          "properties": {  
            "scope": "[subscription().id]",  
            "policyDefinitionId": "[parameters('policyDefinitionID')]",  
            "parameters": {  
              "logAnalytics_1": {  
                "value": "[parameters('logAnalytics_1')]"  
              }  
            }  
          },  
          "identity": {  
            "type": "SystemAssigned"  
          },  
          "location": "[parameters('location')]"  
        }  
      ]  
    }  