microsoft / CromwellOnAzure

Microsoft Genomics implementation of the Broad Institute's Cromwell workflow engine on Azure

Workflows fail after update to 4.5.0 due to missing Network Contributor role assignment

MattMcL4475 opened this issue · comments

Describe the bug
After updating a CoA instance to 4.5.0, workflows fail with:

Microsoft.Rest.Azure.CloudException: The client '' with object id '' has permission to perform action 'Microsoft.Batch/batchAccounts/pools/write' on scope '/subscriptions/x/resourceGroups/x/providers/Microsoft.Batch/batchAccounts/x/pools/x'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/x/resourceGroups/x/providers/Microsoft.Network/virtualNetworks/x/subnets/batchsubnet' or the linked scope(s) are invalid.

Steps to Reproduce
Update to CoA 4.5.0 from a previous version and run a workflow, and if it fails due to a subnet permission error, this is the likely cause.

Known Workaround
Add a new role assignment to the virtual network - assign the Network Contributor role to the user-assigned managed identity in the Azure Portal, or run this script:

```bash
#!/usr/bin/env bash
set -euo pipefail

# Fill these in before running.
resourceGroup=""
virtualNetwork=""
subscriptionId=""

# Pick the first user-assigned managed identity in the resource group.
firstIdentity=$(az identity list --resource-group "$resourceGroup" \
  --query "[?type=='Microsoft.ManagedIdentity/userAssignedIdentities'].id | [0]" \
  --output tsv)
if [ -z "$firstIdentity" ]; then
  echo "No User-Assigned Managed Identity found in resource group $resourceGroup." >&2
  exit 1
fi

principalId=$(az identity show --ids "$firstIdentity" --query principalId --output tsv)
if [ -z "$principalId" ]; then
  echo "Could not obtain principalId for $firstIdentity." >&2
  exit 1
fi

# Grant Network Contributor on the VNet so the identity gets subnets/join/action.
az role assignment create \
  --assignee-object-id "$principalId" \
  --assignee-principal-type ServicePrincipal \
  --role "Network Contributor" \
  --scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$virtualNetwork"
echo "Network Contributor role assigned to Managed Identity with principalId $principalId for Virtual Network $virtualNetwork."
```
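The error quoted above is a scope/action mismatch in Azure RBAC: the identity holds `pools/write` on the Batch account, but `subnets/join/action` is evaluated against the subnet, which sits under the virtual network, so a role scoped to the Batch account cannot cover it. The block below is an added example, not code from this issue or from CromwellOnAzure. It models the documented RBAC evaluation rules (an assignment applies at its scope and everything beneath it, `Actions` use `*` wildcards, `NotActions` are subtracted, matching is case-insensitive) over constructed data: abbreviated Contributor and Network Contributor definitions, placeholder resource IDs, and an assumed starting state of Contributor on the Batch account only. It reproduces the two checks in the error, shows why the workaround's assignment satisfies them, and also builds a narrower custom role that grants only the join action.

```python
"""Simplified model of Azure RBAC evaluation (added example; not Azure's
authorization engine and not CromwellOnAzure code). Role definitions,
assignments and resource IDs below are constructed sample data."""
import re

SUBNET_JOIN_ACTION = "Microsoft.Network/virtualNetworks/subnets/join/action"
POOL_WRITE_ACTION = "Microsoft.Batch/batchAccounts/pools/write"

# Abbreviated subset of the built-in role definitions (constructed).
ROLE_DEFINITIONS = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Network Contributor": {
        "actions": ["Microsoft.Network/*", "Microsoft.Authorization/*/read"],
        "notActions": [],
    },
}

# Placeholder scopes (constructed, not real IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/coa-rg"
BATCH_ACCOUNT = RG + "/providers/Microsoft.Batch/batchAccounts/coabatch"
POOL = BATCH_ACCOUNT + "/pools/pool1"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/coa-vnet"
SUBNET = VNET + "/subnets/batchsubnet"

# Assumed state after the 4.5.0 update: Contributor on the Batch account only.
ASSIGNMENTS_BEFORE = [{"role": "Contributor", "scope": BATCH_ACCOUNT}]
# State after the workaround: Network Contributor added at the VNet scope.
ASSIGNMENTS_AFTER = ASSIGNMENTS_BEFORE + [{"role": "Network Contributor", "scope": VNET}]


def action_matches(pattern, action):
    """'*' in an RBAC action pattern matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, target_scope):
    """An assignment covers its own scope and every child resource beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_grants(role, action, definitions=ROLE_DEFINITIONS):
    """Allowed if some Actions pattern matches and no NotActions pattern does."""
    d = definitions[role]
    allowed = any(action_matches(p, action) for p in d["actions"])
    denied = any(action_matches(p, action) for p in d.get("notActions", []))
    return allowed and not denied


def has_permission(assignments, target_scope, action, definitions=ROLE_DEFINITIONS):
    return any(
        scope_covers(a["scope"], target_scope) and role_grants(a["role"], action, definitions)
        for a in assignments
    )


def missing_for_pool_create(assignments, pool_scope, subnet_scope, definitions=ROLE_DEFINITIONS):
    """The two checks behind the issue's error message: pools/write on the pool
    and subnets/join/action on the linked subnet. Returns (action, scope) pairs
    that are not satisfied."""
    checks = [(POOL_WRITE_ACTION, pool_scope), (SUBNET_JOIN_ACTION, subnet_scope)]
    return [(act, sc) for act, sc in checks if not has_permission(assignments, sc, act, definitions)]


def least_privilege_role(assignable_scope):
    """Custom role granting only the join action; shape accepted by
    `az role definition create --role-definition`. Name is a placeholder."""
    return {
        "Name": "Batch Subnet Joiner",
        "IsCustom": True,
        "Description": "Allows joining Azure Batch pools to a subnet",
        "Actions": [SUBNET_JOIN_ACTION],
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


def fix_command(principal_id, role, scope):
    """The az CLI invocation that would add the missing assignment."""
    return (f'az role assignment create --assignee-object-id {principal_id} '
            f'--assignee-principal-type ServicePrincipal --role "{role}" --scope {scope}')


if __name__ == "__main__":
    print("before:", missing_for_pool_create(ASSIGNMENTS_BEFORE, POOL, SUBNET))
    print("after: ", missing_for_pool_create(ASSIGNMENTS_AFTER, POOL, SUBNET))
    print(fix_command("<principalId>", "Network Contributor", VNET))
```

Network Contributor grants `Microsoft.Network/*` across the whole VNet. If that is broader than the deployment needs, the dictionary from `least_privilege_role` can be registered with `az role definition create --role-definition <json>` and assigned at the subnet (or VNet) scope instead; the model above passes with that role too, because only the join action is consulted.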