From ab487b8c5e09847e2e199013b3c10afcdeb0aba0 Mon Sep 17 00:00:00 2001
From: Jared Holgate <jaredholgate@microsoft.com>
Date: Thu, 4 Dec 2025 09:29:37 +0000
Subject: [PATCH] fix: resource graph query scope

---
 src/ALZ/Public/Remove-PlatformLandingZone.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ALZ/Public/Remove-PlatformLandingZone.ps1 b/src/ALZ/Public/Remove-PlatformLandingZone.ps1
index d083d97..bbb6a79 100644
--- a/src/ALZ/Public/Remove-PlatformLandingZone.ps1
+++ b/src/ALZ/Public/Remove-PlatformLandingZone.ps1
@@ -682,7 +682,7 @@ function Remove-PlatformLandingZone {
 
             # Use Resource Graph to find all role assignments for this custom role definition across all scopes
             $resourceGraphQuery = "authorizationresources | where type == 'microsoft.authorization/roleassignments' | where properties.roleDefinitionId == '/providers/Microsoft.Authorization/RoleDefinitions/$($roleDefinition.name)' | project id, name, properties"
-            $roleAssignments = (az graph query -q $resourceGraphQuery --query "data" -o json) | ConvertFrom-Json
+            $roleAssignments = (az graph query -q $resourceGraphQuery --query "data" --management-groups $ManagementGroupId -o json) | ConvertFrom-Json
 
             if ($roleAssignments -and $roleAssignments.Count -gt 0) {
                 Write-ToConsoleLog "Found $($roleAssignments.Count) role assignment(s) for custom role '$($roleDefinition.roleName)'" -NoNewLine