diff --git a/src/Resources/Resources/ChangeLog.md b/src/Resources/Resources/ChangeLog.md
index 1339b1e434b3..a599e47c7187 100644
--- a/src/Resources/Resources/ChangeLog.md
+++ b/src/Resources/Resources/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Fixed issue where RoleAssignment cmdlets did not properly handle insufficient MSGraph permissions [#28583]
 
 ## Version 8.1.0
 * Added functionality for cmdlet `GetAzureResourceGroup`[#27865]
diff --git a/src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs b/src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs
index d3b941fe528e..137fe53372cc 100644
--- a/src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs
+++ b/src/Resources/Resources/Models.Authorization/AuthorizationClientExtensions.cs
@@ -98,7 +98,9 @@ public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment
             {
                 if (oe.IsAuthorizationDeniedException() || oe.IsNotFoundException())
                 {
-                    adObject = new PSADObject() { Id = assignment.PrincipalId, Type = UnknownType};
+                    // fall back to cached principal type from response,
+                    // then finally fall back to "Unknown"
+                    adObject = new PSADObject() { Id = assignment.PrincipalId, Type = assignment.PrincipalType ?? UnknownType};
                 }
                 //Swallow exceptions when displaying active directive object
             }
@@ -197,7 +199,7 @@ public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable
             foreach (RoleAssignment assignment in assignments)
             {
                 assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();
-                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId) ?? new PSADObject() { Id = assignment.PrincipalId, Type = UnknownType };
+                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId) ?? new PSADObject() { Id = assignment.PrincipalId, Type = assignment.PrincipalType ?? UnknownType };
                 PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.RoleDefinitionId };
                 var psRoleAssignment = new PSRoleAssignment()
                 {