
Apply Azure RBAC to a resource using ARM


The key is to drop the scope property and instead nest the role assignment under the desired resource, using Microsoft.FooResource/BarSubType/providers/roleAssignments as the type and the following format for the name: {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Note that the GUID should be stable but unique to this role assignment; one easy option is guid(subscription().subscriptionId, 'some-sub-identifier-if-you-wish').

Here is a template that shows you how to apply RBAC to a single resource, using a user-assigned managed identity defined in the same template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "userAssignedIdentityName": { "type": "string" }
  },
  "variables": {
    "ContributorRoleDefinition": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('userAssignedIdentityName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2018-11-30"
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "apiVersion": "2016-12-01",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
          "apiVersion": "2017-05-01",
          "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
          "properties": {
            "roleDefinitionId": "[variables('ContributorRoleDefinition')]",
            "principalId": "[reference(parameters('userAssignedIdentityName'), '2018-11-30').principalId]"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
          ]
        }
      ]
    }
  ]
}

Source: https://www.henrybeen.nl/creating-an-authorization-rule-using-an-arm-template/


You can apply RBAC rules at the resource level via an ARM template, and there is an example template that applies RBAC rules to an Azure VM here:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "Principal ID associated with the subscription ID"
            }
        },
        "virtualMachineName": {
            "type": "string",
            "metadata": {
                "description": "Name of the virtual machine"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "metadata": {
                "description": "Built In Role Type for the Virtual Machine"
            },
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader",
                "Virtual Machine Contributor"
            ]
        },
        "guid": {
            "type": "string",
            "metadata": {
                "description": "A new GUID used to identify the role"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
        "resourceName": "[concat(parameters('virtualMachineName'), '/Microsoft.Authorization/', parameters('guid'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[variables('resourceName')]",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Hope this will help you.


It is possible to apply RBAC on resource level using ARM.

The example you referred to shows how to apply RBAC on a particular resource group, where the scope is the path of the resource group.

Here, you are trying to assign a role to a particular resource. Changing the scope from resource group to resource (AppInsights) will work.

From the exception, I can see that the path of the resource may not be in the expected format.

The path of AppInsights should be in the following format:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{insightName}

Hope framing the scope like this helps!
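The three answers above each hinge on a format that the deployment only checks at run time: the nested type and {resourceName}/Microsoft.Authorization/{guid} name of the first answer, the stable GUID passed as a parameter in the second, and the full /subscriptions/.../providers/... scope path of the third. The following pre-flight checker is an added example, not code from any answer on this page or from Microsoft: it walks a template (including nested "resources" arrays), finds every role assignment, and reports the mistakes that produce those deployment errors, for the literal values it can see (ARM expressions in brackets are skipped because they only resolve at deployment time). The function names, the SAMPLE_TEMPLATE and its subscription and principal IDs are this example's own constructed values; the built-in role GUIDs are the ones used in the answers.

```python
"""Pre-flight checks for role assignments declared in an ARM template (added example)."""
import re
import uuid

GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
GUID_RE = re.compile(rf"^{GUID}$", re.I)
# Built-in roles may also be referenced without the /subscriptions/{id} prefix.
ROLE_DEF_RE = re.compile(
    rf"^(?:/subscriptions/{GUID})?/providers/Microsoft\.Authorization/roleDefinitions/({GUID})$", re.I)
SUB_SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}$", re.I)
RG_SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+$", re.I)
# One resource: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{childType}/{childName}...]
RESOURCE_SCOPE_RE = re.compile(
    rf"^/subscriptions/{GUID}/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+(?:/[^/]+/[^/]+)*$", re.I)
NESTED_SUFFIX = "/providers/roleAssignments"
NESTED_NAME_RE = re.compile(rf"^(.+)/Microsoft\.Authorization/({GUID})$", re.I)

# Built-in role definition GUIDs that appear in the answers on this page.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "d73bb868-a0df-4d4d-bd69-98a00b01fccb": "Virtual Machine Contributor",
}


def is_expression(value):
    """True for an ARM expression such as "[concat(...)]"; "[[" is an escaped literal bracket."""
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[") and value.endswith("]")


def role_name(role_definition_id):
    """Built-in role name for a fully qualified roleDefinitionId, or None if custom/unknown."""
    m = ROLE_DEF_RE.match(role_definition_id or "")
    return BUILTIN_ROLES.get(m.group(1).lower()) if m else None


def stable_assignment_name(*seeds):
    """Deterministic GUID to pass as the 'guid' parameter of the VM template above.
    Inside a template you would use guid(); this stand-in uses uuid5, so the values differ,
    but both are stable for the same seeds, which is what makes redeployments idempotent."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "|".join(seeds)))


def check_scope(scope):
    """Validate a literal scope path; expressions cannot be checked statically."""
    if is_expression(scope) or SUB_SCOPE_RE.match(scope) or RG_SCOPE_RE.match(scope) or RESOURCE_SCOPE_RE.match(scope):
        return []
    hint = " (no '/providers/' segment before the resource type)" if "/providers/" not in scope else ""
    return [f"ERROR: scope is not a subscription, resource group or resource ID{hint}: {scope}"]


def check_role_assignment(res):
    """Return the problems found in one roleAssignments resource (empty list means it looks good)."""
    findings = []
    rtype, name, props = res.get("type", ""), res.get("name", ""), res.get("properties", {})
    if rtype.endswith(NESTED_SUFFIX):
        # Nested form: no scope property; the name carries the parent resource name.
        if not is_expression(name) and not NESTED_NAME_RE.match(name):
            findings.append(f"ERROR: nested name must be '{{resourceName}}/Microsoft.Authorization/{{guid}}': {name}")
        if "scope" in props or "scope" in res:
            findings.append("ERROR: a nested role assignment must not carry a scope property")
    elif rtype == "Microsoft.Authorization/roleAssignments":
        if not is_expression(name) and not GUID_RE.match(name):
            findings.append(f"ERROR: role assignment name must be a GUID: {name}")
        scope = res.get("scope", props.get("scope"))
        if scope is not None:
            findings.extend(check_scope(scope))
    else:
        return [f"ERROR: not a role assignment resource type: {rtype}"]
    role_def = props.get("roleDefinitionId", "")
    if not is_expression(role_def) and not ROLE_DEF_RE.match(role_def):
        findings.append(f"ERROR: roleDefinitionId must be the full .../Microsoft.Authorization/roleDefinitions/{{guid}} path: {role_def}")
    principal = props.get("principalId", "")
    if not is_expression(principal) and not GUID_RE.match(principal):
        findings.append(f"ERROR: principalId must be an object ID GUID: {principal}")
    if "principalType" not in props:
        findings.append("WARN: principalType not set; use 'ServicePrincipal' for a managed identity created in the "
                        "same deployment so the assignment is not rejected before the identity has replicated")
    return findings


def iter_resources(resources):
    """Yield every resource, descending into nested 'resources' arrays."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def check_template(template):
    """Map each role assignment name in the template to its findings."""
    return {res.get("name", ""): check_role_assignment(res) for res in iter_resources(template.get("resources"))
            if res.get("type", "").endswith(NESTED_SUFFIX) or res.get("type") == "Microsoft.Authorization/roleAssignments"}


# Constructed sample values; none of these are real subscriptions or identities.
SUB = "11111111-2222-3333-4444-555555555555"
PRINCIPAL = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CONTRIBUTOR = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
GOOD_NAME = "stexample01/Microsoft.Authorization/" + stable_assignment_name(SUB, "stexample01", "contributor")
BAD_NAME = "99999999-8888-7777-6666-555555555555"
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample01",  # nested form, literal values
     "resources": [{"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments", "apiVersion": "2017-05-01",
                    "name": GOOD_NAME, "properties": {"roleDefinitionId": CONTRIBUTOR, "principalId": PRINCIPAL,
                                                      "principalType": "ServicePrincipal"}}]},
    {"type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2017-05-01", "name": BAD_NAME,  # scope form
     "properties": {"roleDefinitionId": READER, "principalId": PRINCIPAL,
                    "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app/microsoft.insights/components/appi-web"}},
]}

if __name__ == "__main__":
    for assignment, findings in check_template(SAMPLE_TEMPLATE).items():
        print(assignment, "->", findings or "OK")
```

The second sample assignment reproduces the mistake the third answer diagnoses: its Application Insights scope drops the /providers/ segment, so the checker reports it before a deployment would. Values that are template expressions are deliberately left alone; to check those, render the template first (for example with a what-if deployment) and run the checker over the resolved resources.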